Sensor Tower: Difference between revisions
new company page on sensor tower, the publisher of stayfocusd and stayfree. covers the 2013 founding, the riverwood capital sponsorship, the march 2024 data.ai acquisition financed by bain capital credit, and three documented incidents: the 2020 buzzfeed disclosure of 20+ secret vpn and adblock mobile apps with root-certificate access, tuckner's december 2025 prompt poaching identification of stayfocusd, and arnott's may 2026 wall of shame capability classification. |
m Moved refs to inside quotes. |
||
| (4 intermediate revisions by 3 users not shown) | |||
| Line 2: | Line 2: | ||
|Founded=2013-08 | |Founded=2013-08 | ||
|Industry=Mobile analytics,Digital advertising intelligence,Browser extensions | |Industry=Mobile analytics,Digital advertising intelligence,Browser extensions | ||
|Logo= | |Logo=Sensor Tower.png | ||
|ParentCompany= | |ParentCompany= | ||
|CompanyAlias=ST Pulse | |CompanyAlias=ST Pulse | ||
| Line 12: | Line 12: | ||
'''Sensor Tower''' is a San Francisco mobile- and digital-intelligence company whose consumer-facing products have been independently documented exfiltrating user data on two separate occasions. In March 2020, BuzzFeed News reported that the company had secretly operated at least 20 VPN and ad-blocking mobile applications since 2015, with more than 35 million collective downloads, that prompted users to install a root certificate granting access to all traffic passing through the phone.<ref name="buzzfeed-pxlnv">{{Cite web |last=Silverman |first=Craig |title=Popular VPN And Ad-Blocking Apps Are Secretly Harvesting User Data |url=https://pxlnv.com/linklog/sensortower-banjo-apps/ |website=Pixel Envy |date=March 10, 2020 |access-date=May 30, 2026}}</ref><ref name="gizmodo">{{Cite web |title=At Least 20 VPN and Ad-Blocking Apps With 35 Million Downloads Have Been Secretly Harvesting Data |url=https://gizmodo.com/at-least-20-vpn-and-ad-blocking-apps-with-35-million-do-1842228757 |website=Gizmodo |date=March 9, 2020 |access-date=May 30, 2026}}</ref> In December 2025 and again in May 2026, security researchers identified two Sensor Tower-owned Chrome extensions, [[StayFocusd]] (~700,000 users) & StayFree (~200,000 users), as carrying the infrastructure to capture user conversations with AI chatbots.<ref name="tuckner">{{Cite web |last=Tuckner |first=John |title=Prompt poaching runs rampant in extensions |url=https://www.secureannex.com/blog/prompt-poaching/ |website=Annex Blog |publisher=Secure Annex |date=December 28, 2025 |access-date=May 30, 2026}}</ref><ref name="arnott">{{Cite web |last=Arnott |first=James |title=The AI Chat Scraping Extension Wall of Shame |url=https://amibeingpwned.com/blog/ai-chat-scraper-wall-of-shame |website=Am I Being Pwned? 
|date=May 11, 2026 |access-date=May 30, 2026}}</ref> | '''Sensor Tower''' is a San Francisco mobile- and digital-intelligence company whose consumer-facing products have been independently documented exfiltrating user data on two separate occasions. In March 2020, BuzzFeed News reported that the company had secretly operated at least 20 VPN and ad-blocking mobile applications since 2015, with more than 35 million collective downloads, that prompted users to install a root certificate granting access to all traffic passing through the phone.<ref name="buzzfeed-pxlnv">{{Cite web |last=Silverman |first=Craig |title=Popular VPN And Ad-Blocking Apps Are Secretly Harvesting User Data |url=https://pxlnv.com/linklog/sensortower-banjo-apps/ |website=Pixel Envy |date=March 10, 2020 |access-date=May 30, 2026}}</ref><ref name="gizmodo">{{Cite web |title=At Least 20 VPN and Ad-Blocking Apps With 35 Million Downloads Have Been Secretly Harvesting Data |url=https://gizmodo.com/at-least-20-vpn-and-ad-blocking-apps-with-35-million-do-1842228757 |website=Gizmodo |date=March 9, 2020 |access-date=May 30, 2026}}</ref> In December 2025 and again in May 2026, security researchers identified two Sensor Tower-owned Chrome extensions, [[StayFocusd]] (~700,000 users) & StayFree (~200,000 users), as carrying the infrastructure to capture user conversations with AI chatbots.<ref name="tuckner">{{Cite web |last=Tuckner |first=John |title=Prompt poaching runs rampant in extensions |url=https://www.secureannex.com/blog/prompt-poaching/ |website=Annex Blog |publisher=Secure Annex |date=December 28, 2025 |access-date=May 30, 2026}}</ref><ref name="arnott">{{Cite web |last=Arnott |first=James |title=The AI Chat Scraping Extension Wall of Shame |url=https://amibeingpwned.com/blog/ai-chat-scraper-wall-of-shame |website=Am I Being Pwned? |date=May 11, 2026 |access-date=May 30, 2026}}</ref> | ||
== Background == | ==Background== | ||
Sensor Tower was founded in 2013<ref name="st-about">{{Cite web |title=About Sensor Tower |url=https://sensortower.com/about |website=Sensor Tower |access-date=May 30, 2026}}</ref> & lists 275 Battery Street, Suite 800, San Francisco, California as its publisher address on the Chrome Web Store.<ref name="cws-stayfocusd">{{Cite web |title=StayFocusd - Website Blocker & Focus Timer & Shorts Blocker |url=https://chromewebstore.google.com/detail/stayfocusd-%E2%80%93-website-bloc/laankejkbhbdhmipfmgcngdelahlfoji |website=Chrome Web Store |publisher=Sensor Tower |access-date=May 30, 2026}}</ref> The company sells enterprise app & digital-advertising analytics, including its Store Intelligence, Ad Intelligence, Usage Intelligence & Pathmatics products, to brands, agencies, publishers & investors.<ref name="responsibly-sourced">{{Cite web |title=Responsibly Sourced Data |url=https://sensortower.com/responsibly-sourced-data |website=Sensor Tower |access-date=May 30, 2026}}</ref> Named clients listed by the company include Microsoft, Sky, Bandai Namco, Western Union, Procter & Gamble, Duolingo, Spotify, Coca-Cola & Activision Blizzard.<ref name="responsibly-sourced" /><ref name="dataai-acquisition">{{Cite press release |title=Sensor Tower Acquires Market Intelligence Platform data.ai |url=https://www.prnewswire.com/news-releases/sensor-tower-acquires-market-intelligence-platform-dataai-302090753.html |publisher=Sensor Tower via PR Newswire |date=March 18, 2024 |access-date=May 30, 2026}}</ref> | Sensor Tower was founded in 2013<ref name="st-about">{{Cite web |title=About Sensor Tower |url=https://sensortower.com/about |website=Sensor Tower |access-date=May 30, 2026}}</ref> & lists 275 Battery Street, Suite 800, San Francisco, California as its publisher address on the Chrome Web Store.<ref name="cws-stayfocusd">{{Cite web |title=StayFocusd - Website Blocker & Focus Timer & Shorts Blocker 
|url=https://chromewebstore.google.com/detail/stayfocusd-%E2%80%93-website-bloc/laankejkbhbdhmipfmgcngdelahlfoji |website=Chrome Web Store |publisher=Sensor Tower |access-date=May 30, 2026}}</ref> The company sells enterprise app & digital-advertising analytics, including its Store Intelligence, Ad Intelligence, Usage Intelligence & Pathmatics products, to brands, agencies, publishers & investors.<ref name="responsibly-sourced">{{Cite web |title=Responsibly Sourced Data |url=https://sensortower.com/responsibly-sourced-data |website=Sensor Tower |access-date=May 30, 2026}}</ref> Named clients listed by the company include Microsoft, Sky, Bandai Namco, Western Union, Procter & Gamble, Duolingo, Spotify, Coca-Cola & Activision Blizzard.<ref name="responsibly-sourced" /><ref name="dataai-acquisition">{{Cite press release |title=Sensor Tower Acquires Market Intelligence Platform data.ai |url=https://www.prnewswire.com/news-releases/sensor-tower-acquires-market-intelligence-platform-dataai-302090753.html |publisher=Sensor Tower via PR Newswire |date=March 18, 2024 |access-date=May 30, 2026}}</ref> | ||
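Review bot: The lead sentence in the Line 12 hunk says "on two separate occasions" but then lists March 2020, December 2025 and May 2026, and the edit summary counts three documented incidents; say which two count as documented exfiltration or change the count. The buzzfeed-pxlnv reference also pairs Silverman's name and the BuzzFeed headline with a Pixel Envy link-log URL and Pixel Envy's March 10 date, while the Incidents text dates the report to March 9; cite the BuzzFeed News original directly, or credit the Pixel Envy post under its own author and title.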
| Line 18: | Line 18: | ||
Riverwood Capital is Sensor Tower's principal private-equity sponsor.<ref name="dataai-acquisition" /> On March 18, 2024, Sensor Tower acquired its largest competitor in app market intelligence, data.ai (formerly App Annie), in a transaction financed by Bain Capital Credit; the combined company reported a customer base of more than 2,000 enterprises.<ref name="dataai-acquisition" /> Roughly 200 data.ai employees were laid off after the close as Sensor Tower stated it would ''"optimising our team structure."''<ref name="gamesindustry">{{Cite web |title=Sensor Tower acquires data.ai |url=https://www.gamesindustry.biz/sensor-tower-acquires-dataai |website=GamesIndustry.biz |date=March 19, 2024 |access-date=May 30, 2026}}</ref> Earlier acquisitions include the digital-ad-intelligence firm Pathmatics on May 24, 2021,<ref name="pathmatics">{{Cite press release |title=Sensor Tower Acquires Pathmatics, Scaling Trusted and Actionable Insights for the Digital Economy |url=https://www.businesswire.com/news/home/20210524005722/en/Sensor-Tower-Acquires-Pathmatics-Scaling-Trusted-and-Actionable-Insights-for-the-Digital-Economy |publisher=BusinessWire |date=May 24, 2021 |access-date=May 30, 2026}}</ref> & the digital-wellbeing apps ActionDash & StayFree on June 22, 2020.<ref name="pocketgamer">{{Cite web |title=Sensor Tower acquires StayFree and ActionDash apps |url=https://www.pocketgamer.biz/sensor-tower-acquires-stayfree-actiondash/ |website=PocketGamer.biz |date=June 22, 2020 |access-date=May 30, 2026}}</ref> | Riverwood Capital is Sensor Tower's principal private-equity sponsor.<ref name="dataai-acquisition" /> On March 18, 2024, Sensor Tower acquired its largest competitor in app market intelligence, data.ai (formerly App Annie), in a transaction financed by Bain Capital Credit; the combined company reported a customer base of more than 2,000 enterprises.<ref name="dataai-acquisition" /> Roughly 200 data.ai employees were laid off after the close as Sensor Tower stated it 
would ''"optimising our team structure."''<ref name="gamesindustry">{{Cite web |title=Sensor Tower acquires data.ai |url=https://www.gamesindustry.biz/sensor-tower-acquires-dataai |website=GamesIndustry.biz |date=March 19, 2024 |access-date=May 30, 2026}}</ref> Earlier acquisitions include the digital-ad-intelligence firm Pathmatics on May 24, 2021,<ref name="pathmatics">{{Cite press release |title=Sensor Tower Acquires Pathmatics, Scaling Trusted and Actionable Insights for the Digital Economy |url=https://www.businesswire.com/news/home/20210524005722/en/Sensor-Tower-Acquires-Pathmatics-Scaling-Trusted-and-Actionable-Insights-for-the-Digital-Economy |publisher=BusinessWire |date=May 24, 2021 |access-date=May 30, 2026}}</ref> & the digital-wellbeing apps ActionDash & StayFree on June 22, 2020.<ref name="pocketgamer">{{Cite web |title=Sensor Tower acquires StayFree and ActionDash apps |url=https://www.pocketgamer.biz/sensor-tower-acquires-stayfree-actiondash/ |website=PocketGamer.biz |date=June 22, 2020 |access-date=May 30, 2026}}</ref> | ||
== Products == | ==Products== | ||
Sensor Tower's enterprise business is built on what it calls a ''"first-party consumer panel"'' assembled by acquiring & operating free consumer apps & browser extensions whose telemetry feeds the company's paid dashboards.<ref name="responsibly-sourced" /> The company markets this side of the business under the brand ST Pulse, which appears in the footer of Sensor Tower-owned consumer properties. | Sensor Tower's enterprise business is built on what it calls a ''"first-party consumer panel"'' assembled by acquiring & operating free consumer apps & browser extensions whose telemetry feeds the company's paid dashboards.<ref name="responsibly-sourced" /> The company markets this side of the business under the brand ST Pulse, which appears in the footer of Sensor Tower-owned consumer properties. | ||
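Review bot: The phrase "stated it would ''"optimising our team structure."''" in the Riverwood paragraph is ungrammatical on both sides of the diff; reword so the quoted fragment fits the sentence, for example "described the cuts as". In the Products paragraph, the sentence saying the ST Pulse brand appears in the footer of Sensor Tower-owned properties carries no reference, unlike the sentences around it; add a citation for it.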
| Line 24: | Line 24: | ||
The two Chrome extensions currently flagged by independent researchers are [[StayFocusd]], a website-blocker & focus-timer with roughly 700,000 users that is published from the Sensor Tower developer account at 275 Battery St,<ref name="cws-stayfocusd" /><ref name="arnott" /> & StayFree, a screen-time tracker with roughly 200,000 Chrome users.<ref name="cws-stayfree">{{Cite web |title=StayFree - Screen Time Tracker & Limit App Usage |url=https://chromewebstore.google.com/detail/stayfree-screen-time-trac/elfaihghhjjoknimpccccmkioofjjfkf |website=Chrome Web Store |publisher=Sensor Tower |access-date=May 30, 2026}}</ref><ref name="arnott" /> Both extensions were classified ''Capability'' by James Arnott in May 2026, meaning the exfiltration code path & remote endpoints are wired up but did not fire during his sandbox observation window.<ref name="arnott" /> | The two Chrome extensions currently flagged by independent researchers are [[StayFocusd]], a website-blocker & focus-timer with roughly 700,000 users that is published from the Sensor Tower developer account at 275 Battery St,<ref name="cws-stayfocusd" /><ref name="arnott" /> & StayFree, a screen-time tracker with roughly 200,000 Chrome users.<ref name="cws-stayfree">{{Cite web |title=StayFree - Screen Time Tracker & Limit App Usage |url=https://chromewebstore.google.com/detail/stayfree-screen-time-trac/elfaihghhjjoknimpccccmkioofjjfkf |website=Chrome Web Store |publisher=Sensor Tower |access-date=May 30, 2026}}</ref><ref name="arnott" /> Both extensions were classified ''Capability'' by James Arnott in May 2026, meaning the exfiltration code path & remote endpoints are wired up but did not fire during his sandbox observation window.<ref name="arnott" /> | ||
== Incidents == | ==Incidents== | ||
=== 2020 BuzzFeed News VPN and ad-blocking app disclosure === | ===2020 BuzzFeed News VPN and ad-blocking app disclosure=== | ||
On March 9, 2020, Craig Silverman of BuzzFeed News reported that Sensor Tower had owned at least 20 Android & iOS apps since 2015, including Free and Unlimited VPN, Luna VPN, Mobile Data & Adblock Focus, with more than 35 million collective downloads.<ref name="buzzfeed-pxlnv" /><ref name="gizmodo" /> None of the listings disclosed Sensor Tower's ownership or that user data fed the company's analytics products.<ref name="buzzfeed-pxlnv" /> Once installed, the apps prompted users to install a root certificate from a third-party website, a small file that, in BuzzFeed's words, lets its issuer ''"access all traffic and data passing through a phone."''<ref name="buzzfeed-pxlnv" /> Apple & Google ordinarily restrict root-certificate privileges because of the security risk; Sensor Tower's apps bypassed those restrictions by completing the certificate install outside the store flow.<ref name="buzzfeed-pxlnv" /> | On March 9, 2020, Craig Silverman of BuzzFeed News reported that Sensor Tower had owned at least 20 Android & iOS apps since 2015, including Free and Unlimited VPN, Luna VPN, Mobile Data & Adblock Focus, with more than 35 million collective downloads.<ref name="buzzfeed-pxlnv" /><ref name="gizmodo" /> None of the listings disclosed Sensor Tower's ownership or that user data fed the company's analytics products.<ref name="buzzfeed-pxlnv" /> Once installed, the apps prompted users to install a root certificate from a third-party website, a small file that, in BuzzFeed's words, lets its issuer ''"access all traffic and data passing through a phone."''<ref name="buzzfeed-pxlnv" /> Apple & Google ordinarily restrict root-certificate privileges because of the security risk; Sensor Tower's apps bypassed those restrictions by completing the certificate install outside the store flow.<ref name="buzzfeed-pxlnv" /> | ||
| Line 32: | Line 32: | ||
Randy Nelson, Sensor Tower's head of mobile insights, told BuzzFeed News in an on-the-record statement that the company had not disclosed ownership ''"for competitive reasons,"''<ref name="buzzfeed-pxlnv" /><ref name="engadget">{{Cite web |title=Analytics platform secretly scraped user data via VPN apps |url=https://www.engadget.com/2020-03-10-analytics-platform-secretly-scraped-user-data-sensor-tower-vpn.html |website=Engadget |date=March 10, 2020 |access-date=May 30, 2026}}</ref> adding: | Randy Nelson, Sensor Tower's head of mobile insights, told BuzzFeed News in an on-the-record statement that the company had not disclosed ownership ''"for competitive reasons,"''<ref name="buzzfeed-pxlnv" /><ref name="engadget">{{Cite web |title=Analytics platform secretly scraped user data via VPN apps |url=https://www.engadget.com/2020-03-10-analytics-platform-secretly-scraped-user-data-sensor-tower-vpn.html |website=Engadget |date=March 10, 2020 |access-date=May 30, 2026}}</ref> adding: | ||
<blockquote>''When you consider the relationship between these types of apps and an analytics company, it makes a lot of sense ... especially considering our history as a startup.'' | <blockquote>''When you consider the relationship between these types of apps and an analytics company, it makes a lot of sense ... especially considering our history as a startup.''<ref name="buzzfeed-pxlnv" /></blockquote> | ||
After being contacted by BuzzFeed News, Apple removed Adblock Focus & said it would continue investigating Luna VPN; Google removed Mobile Data.<ref name="buzzfeed-pxlnv" /><ref name="engadget" /> An Apple spokesperson said a dozen earlier Sensor Tower apps had already been removed from the App Store for policy violations.<ref name="buzzfeed-pxlnv" /> Three months later, on June 22, 2020, Sensor Tower acquired ActionDash & StayFree & framed the deal as a transparent, opt-in replacement for the prior consumer-panel pipeline.<ref name="pocketgamer" /><ref name="st-actiondash">{{Cite web |title=Sensor Tower announces its acquisition of popular digital wellbeing apps ActionDash and StayFree |url=https://sensortower.com/blog/actiondash-stayfree-acquisition-announcement |website=Sensor Tower |access-date=May 30, 2026}}</ref> | After being contacted by BuzzFeed News, Apple removed Adblock Focus & said it would continue investigating Luna VPN; Google removed Mobile Data.<ref name="buzzfeed-pxlnv" /><ref name="engadget" /> An Apple spokesperson said a dozen earlier Sensor Tower apps had already been removed from the App Store for policy violations.<ref name="buzzfeed-pxlnv" /> Three months later, on June 22, 2020, Sensor Tower acquired ActionDash & StayFree & framed the deal as a transparent, opt-in replacement for the prior consumer-panel pipeline.<ref name="pocketgamer" /><ref name="st-actiondash">{{Cite web |title=Sensor Tower announces its acquisition of popular digital wellbeing apps ActionDash and StayFree |url=https://sensortower.com/blog/actiondash-stayfree-acquisition-announcement |website=Sensor Tower |access-date=May 30, 2026}}</ref> | ||
| Line 38: | Line 38: | ||
<!-- INCIDENT_SCORE: 85 | Silverman documented secret ownership of 20+ apps with 35M downloads; root-certificate vector gave access to all device traffic; Apple removed Adblock Focus & Google removed Mobile Data after press contact; named executive Randy Nelson confirmed non-disclosure was deliberate "for competitive reasons" --> | <!-- INCIDENT_SCORE: 85 | Silverman documented secret ownership of 20+ apps with 35M downloads; root-certificate vector gave access to all device traffic; Apple removed Adblock Focus & Google removed Mobile Data after press contact; named executive Randy Nelson confirmed non-disclosure was deliberate "for competitive reasons" --> | ||
=== December 2025 Secure Annex "Prompt Poaching" identification === | ===December 2025 Secure Annex "Prompt Poaching" identification=== | ||
On December 28, 2025, John Tuckner of Secure Annex published a technical analysis of what he called ''"prompt poaching,"'' a technique in which browser extensions capture & exfiltrate user conversations with AI chatbots.<ref name="tuckner" /> Tuckner's primary subject was the Similarweb extension, but in the same post he named Sensor Tower's StayFocusd as a second example of the same pattern: | On December 28, 2025, John Tuckner of Secure Annex published a technical analysis of what he called ''"prompt poaching,"'' a technique in which browser extensions capture & exfiltrate user conversations with AI chatbots.<ref name="tuckner" /> Tuckner's primary subject was the Similarweb extension, but in the same post he named Sensor Tower's StayFocusd as a second example of the same pattern: | ||
<blockquote>''We've also discovered past versions of the extension Stayfocusd, a featured productivity extension run by the a similar web analytics company, Sensor Tower, containing behaviorally similar code which has recently been updated to be only slightly less invasive containing metadata about conversations but not the conversations themselves.'' | <blockquote>''We've also discovered past versions of the extension Stayfocusd, a featured productivity extension run by the a similar web analytics company, Sensor Tower, containing behaviorally similar code which has recently been updated to be only slightly less invasive containing metadata about conversations but not the conversations themselves.''<ref name="tuckner" /></blockquote> | ||
Cybernews & The Hacker News repeated the StayFocusd attribution in follow-up coverage on December 31, 2025 & January 6, 2026 respectively.<ref name="cybernews">{{Cite web |title=Legit browser extensions poaching AI chats |url=https://cybernews.com/security/legit-browser-extensions-poaching-ai-chats/ |website=Cybernews |date=December 31, 2025 |access-date=May 30, 2026}}</ref><ref name="thn">{{Cite web |title=Two Chrome Extensions Caught Stealing AI Chats |url=https://thehackernews.com/2026/01/two-chrome-extensions-caught-stealing.html |website=The Hacker News |date=January 6, 2026 |access-date=May 30, 2026}}</ref> The detailed code & remote-config samples in Tuckner's post (gpt_con_delta_fetch, claudeai_con_fetch, bard_qa, perplexity_html) describe Similarweb's extension, not Sensor Tower's; Tuckner's specific finding for StayFocusd was that the extension carried behaviorally similar code that had been narrowed, by the time of publication, to collecting conversation metadata rather than full chat text.<ref name="tuckner" /> | Cybernews & The Hacker News repeated the StayFocusd attribution in follow-up coverage on December 31, 2025 & January 6, 2026 respectively.<ref name="cybernews">{{Cite web |title=Legit browser extensions poaching AI chats |url=https://cybernews.com/security/legit-browser-extensions-poaching-ai-chats/ |website=Cybernews |date=December 31, 2025 |access-date=May 30, 2026}}</ref><ref name="thn">{{Cite web |title=Two Chrome Extensions Caught Stealing AI Chats |url=https://thehackernews.com/2026/01/two-chrome-extensions-caught-stealing.html |website=The Hacker News |date=January 6, 2026 |access-date=May 30, 2026}}</ref> The detailed code & remote-config samples in Tuckner's post (gpt_con_delta_fetch, claudeai_con_fetch, bard_qa, perplexity_html) describe Similarweb's extension, not Sensor Tower's; Tuckner's specific finding for StayFocusd was that the extension carried behaviorally similar code that had been narrowed, by the time of publication, to 
collecting conversation metadata rather than full chat text.<ref name="tuckner" /> | ||
| Line 48: | Line 48: | ||
<!-- INCIDENT_SCORE: 65 | Named security researcher (John Tuckner / Secure Annex) explicitly identified StayFocusd & attributed it to Sensor Tower; coined the term "prompt poaching"; corroborated by Cybernews & The Hacker News; finding is "behaviorally similar code" reduced to metadata capture, not confirmed full-chat exfiltration --> | <!-- INCIDENT_SCORE: 65 | Named security researcher (John Tuckner / Secure Annex) explicitly identified StayFocusd & attributed it to Sensor Tower; coined the term "prompt poaching"; corroborated by Cybernews & The Hacker News; finding is "behaviorally similar code" reduced to metadata capture, not confirmed full-chat exfiltration --> | ||
=== 2026 amibeingpwned Wall of Shame === | ===2026 amibeingpwned Wall of Shame=== | ||
On May 11, 2026, James Arnott published ''The AI Chat Scraping Extension Wall of Shame'' on amibeingpwned.com, classifying eight extensions across two buckets: ''Confirmed'' (AI-chat content observed leaving the browser during sandbox testing) & ''Capability'' (the exfiltration code path & remote endpoint are present & wired up but did not fire during the observation window, which Arnott attributed to server-side gating).<ref name="arnott" /> StayFocusd was listed at #4 with 700,000 users; StayFree at #7 with 200,000 users; both were attributed to Sensor Tower & both were classified ''Capability'' with LZ-String light obfuscation.<ref name="arnott" /> | On May 11, 2026, James Arnott published ''The AI Chat Scraping Extension Wall of Shame'' on amibeingpwned.com, classifying eight extensions across two buckets: ''Confirmed'' (AI-chat content observed leaving the browser during sandbox testing) & ''Capability'' (the exfiltration code path & remote endpoint are present & wired up but did not fire during the observation window, which Arnott attributed to server-side gating).<ref name="arnott" /> StayFocusd was listed at #4 with 700,000 users; StayFree at #7 with 200,000 users; both were attributed to Sensor Tower & both were classified ''Capability'' with LZ-String light obfuscation.<ref name="arnott" /> | ||
| Line 54: | Line 54: | ||
Arnott reported that StayFocusd's AI-chat-scraping remote-config gate had flipped between an earlier test & publication: | Arnott reported that StayFocusd's AI-chat-scraping remote-config gate had flipped between an earlier test & publication: | ||
<blockquote>''We saw StayFocusd set up their infrastructure for AI chat scraping. When we tested it before there was only a remote config which they could enable at any point, but it wasn't | <blockquote>''We saw StayFocusd set up their infrastructure for AI chat scraping. When we tested it before there was only a remote config which they could enable at any point, but it wasn't enabled.''<ref name="arnott" /></blockquote> | ||
He also described a URL-exfiltration filter that was US-centric, listing exceptions for adult sites, US health sites & regex matches against US-format identifiers such as Social Security numbers & ZIP codes, with no equivalent protection for non-US users (UK users were named explicitly).<ref name="arnott" /> Arnott described the StayFree sibling extension in one sentence: | He also described a URL-exfiltration filter that was US-centric, listing exceptions for adult sites, US health sites & regex matches against US-format identifiers such as Social Security numbers & ZIP codes, with no equivalent protection for non-US users (UK users were named explicitly).<ref name="arnott" /> Arnott described the StayFree sibling extension in one sentence: | ||
<blockquote>''It essentially has the same features as StayFocusd, same remote activated capability to scrape AI chats and collect URLs, with limited PII exceptions.'' | <blockquote>''It essentially has the same features as StayFocusd, same remote activated capability to scrape AI chats and collect URLs, with limited PII exceptions.''<ref name="arnott" /></blockquote> | ||
<!-- INCIDENT_SCORE: 75 | Independent sandbox-verified Capability classification by named researcher (James Arnott / amibeingpwned.com); remote-config gate for AI-chat scraping was active by publication date; PII filter is US-centric & breaks for non-US users; same publisher pattern observed in 2020 BuzzFeed disclosure (mobile apps) now extended to browser extensions (StayFocusd & StayFree, both Sensor Tower) --> | <!-- INCIDENT_SCORE: 75 | Independent sandbox-verified Capability classification by named researcher (James Arnott / amibeingpwned.com); remote-config gate for AI-chat scraping was active by publication date; PII filter is US-centric & breaks for non-US users; same publisher pattern observed in 2020 BuzzFeed disclosure (mobile apps) now extended to browser extensions (StayFocusd & StayFree, both Sensor Tower) --> | ||
==See also== | |||
*[[StayFocusd]] | |||
*[[StayFree (Chrome extension)]] | |||
*[[Browser extension AI chat exfiltration]] | |||
*[[SimilarWeb]] | |||
*[[Owned it Ltd]] | |||
==References== | |||
{{Reflist}} | |||
== References == | |||
{{ | |||
[[Category:Sensor Tower]] | |||
[[Category:Companies]] | [[Category:Companies]] | ||
[[Category:Mobile analytics]] | [[Category:Mobile analytics]] | ||
[[Category:Browser extension publishers]] | [[Category:Browser extension publishers]] | ||
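Review bot: The lead-in "had flipped between an earlier test & publication" is not supported by the Arnott quote as completed in this revision, which ends at "it wasn't enabled" and so only describes the earlier state. The INCIDENT_SCORE comment in the same hunk goes further and says the gate "was active by publication date", while the article classes both extensions as Capability, defined as a code path that did not fire during observation. Extend the quote to the sentence where Arnott reports the changed state, or reword the lead-in and the score comment to match what the quote shows.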
Latest revision as of 00:26, 4 June 2026
| Basic information | |
|---|---|
| Founded | 2013-08 |
| Legal Structure | Private |
| Industry | Mobile analytics, Digital advertising intelligence, Browser extensions |
| Also known as | ST Pulse |
| Official website | https://sensortower.com/ |
Sensor Tower is a San Francisco mobile- and digital-intelligence company whose consumer-facing products have been independently documented exfiltrating user data on two separate occasions. In March 2020, BuzzFeed News reported that the company had secretly operated at least 20 VPN and ad-blocking mobile applications since 2015, with more than 35 million collective downloads, that prompted users to install a root certificate granting access to all traffic passing through the phone.[1][2] In December 2025 and again in May 2026, security researchers identified two Sensor Tower-owned Chrome extensions, StayFocusd (~700,000 users) & StayFree (~200,000 users), as carrying the infrastructure to capture user conversations with AI chatbots.[3][4]
Background
Sensor Tower was founded in 2013[5] & lists 275 Battery Street, Suite 800, San Francisco, California as its publisher address on the Chrome Web Store.[6] The company sells enterprise app & digital-advertising analytics, including its Store Intelligence, Ad Intelligence, Usage Intelligence & Pathmatics products, to brands, agencies, publishers & investors.[7] Named clients listed by the company include Microsoft, Sky, Bandai Namco, Western Union, Procter & Gamble, Duolingo, Spotify, Coca-Cola & Activision Blizzard.[7][8]
Riverwood Capital is Sensor Tower's principal private-equity sponsor.[8] On March 18, 2024, Sensor Tower acquired its largest competitor in app market intelligence, data.ai (formerly App Annie), in a transaction financed by Bain Capital Credit; the combined company reported a customer base of more than 2,000 enterprises.[8] Roughly 200 data.ai employees were laid off after the close, which Sensor Tower described as "optimising our team structure."[9] Earlier acquisitions include the digital-ad-intelligence firm Pathmatics on May 24, 2021,[10] & the digital-wellbeing apps ActionDash & StayFree on June 22, 2020.[11]
Products
Sensor Tower's enterprise business is built on what it calls a "first-party consumer panel" assembled by acquiring & operating free consumer apps & browser extensions whose telemetry feeds the company's paid dashboards.[7] The company markets this side of the business under the brand ST Pulse, which appears in the footer of Sensor Tower-owned consumer properties.
The two Chrome extensions currently flagged by independent researchers are StayFocusd, a website-blocker & focus-timer with roughly 700,000 users that is published from the Sensor Tower developer account at 275 Battery St,[6][4] & StayFree, a screen-time tracker with roughly 200,000 Chrome users.[12][4] Both extensions were classified Capability by James Arnott in May 2026, meaning the exfiltration code path & remote endpoints are wired up but did not fire during his sandbox observation window.[4]
Incidents
2020 BuzzFeed News VPN and ad-blocking app disclosure
On March 9, 2020, Craig Silverman of BuzzFeed News reported that Sensor Tower had owned at least 20 Android & iOS apps since 2015, including Free and Unlimited VPN, Luna VPN, Mobile Data & Adblock Focus, with more than 35 million collective downloads.[1][2] None of the listings disclosed Sensor Tower's ownership or that user data fed the company's analytics products.[1] Once installed, the apps prompted users to install a root certificate from a third-party website, a small file that, in BuzzFeed's words, lets its issuer "access all traffic and data passing through a phone."[1] Apple & Google ordinarily restrict root-certificate privileges because of the security risk; Sensor Tower's apps bypassed those restrictions by completing the certificate install outside the store flow.[1]
Randy Nelson, Sensor Tower's head of mobile insights, told BuzzFeed News in an on-the-record statement that the company had not disclosed ownership "for competitive reasons,"[1][13] adding:
When you consider the relationship between these types of apps and an analytics company, it makes a lot of sense ... especially considering our history as a startup.[1]
After being contacted by BuzzFeed News, Apple removed Adblock Focus & said it would continue investigating Luna VPN; Google removed Mobile Data.[1][13] An Apple spokesperson said a dozen earlier Sensor Tower apps had already been removed from the App Store for policy violations.[1] Three months later, on June 22, 2020, Sensor Tower acquired ActionDash & StayFree & framed the deal as a transparent, opt-in replacement for the prior consumer-panel pipeline.[11][14]
December 2025 Secure Annex "Prompt Poaching" identification
On December 28, 2025, John Tuckner of Secure Annex published a technical analysis of what he called "prompt poaching," a technique in which browser extensions capture & exfiltrate user conversations with AI chatbots.[3] Tuckner's primary subject was the Similarweb extension, but in the same post he named Sensor Tower's StayFocusd as a second example of the same pattern:
We've also discovered past versions of the extension Stayfocusd, a featured productivity extension run by the a similar web analytics company, Sensor Tower, containing behaviorally similar code which has recently been updated to be only slightly less invasive containing metadata about conversations but not the conversations themselves.[3]
Cybernews & The Hacker News repeated the StayFocusd attribution in follow-up coverage on December 31, 2025 & January 6, 2026 respectively.[15][16] The detailed code & remote-config samples in Tuckner's post (gpt_con_delta_fetch, claudeai_con_fetch, bard_qa, perplexity_html) describe Similarweb's extension, not Sensor Tower's; Tuckner's specific finding for StayFocusd was that the extension carried behaviorally similar code that had been narrowed, by the time of publication, to collecting conversation metadata rather than full chat text.[3]
2026 amibeingpwned Wall of Shame
On May 11, 2026, James Arnott published The AI Chat Scraping Extension Wall of Shame on amibeingpwned.com, classifying eight extensions across two buckets: Confirmed (AI-chat content observed leaving the browser during sandbox testing) & Capability (the exfiltration code path & remote endpoint are present & wired up but did not fire during the observation window, which Arnott attributed to server-side gating).[4] StayFocusd was listed at #4 with 700,000 users; StayFree at #7 with 200,000 users; both were attributed to Sensor Tower & both were classified Capability with LZ-String light obfuscation.[4]
Arnott reported that StayFocusd's AI-chat-scraping remote-config gate had flipped between an earlier test & publication:
We saw StayFocusd set up their infrastructure for AI chat scraping. When we tested it before there was only a remote config which they could enable at any point, but it wasn't enabled.[4]
He also described a URL-exfiltration filter that was US-centric, listing exceptions for adult sites, US health sites & regex matches against US-format identifiers such as Social Security numbers & ZIP codes, with no equivalent protection for non-US users (UK users were named explicitly).[4] Arnott described the StayFree sibling extension in one sentence:
It essentially has the same features as StayFocusd, same remote activated capability to scrape AI chats and collect URLs, with limited PII exceptions.[4]
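The locale gap in the URL filter Arnott describes can be reproduced with a small test harness. The following is an added example, not code from either extension or from Arnott's post; every pattern, function name and URL in it is a constructed assumption, and QQ123456C is a dummy National Insurance number.

```javascript
// Added illustration. Patterns, names and URLs are constructed assumptions,
// not taken from StayFocusd, StayFree or Arnott's write-up.

// US-format identifiers only: the shape of exception list the article describes.
const US_ONLY = [
  /\b\d{3}-\d{2}-\d{4}\b/,      // Social Security number, e.g. 123-45-6789
  /\b\d{5}(?:-\d{4})?\b/,       // ZIP or ZIP+4
];

// Hypothetical UK equivalents that a locale-aware filter would also need.
const UK_EXTRA = [
  /\b[A-Z]{2}\d{6}[A-D]\b/i,                  // National Insurance number
  /\b[A-Z]{1,2}\d[A-Z\d]?\s?\d[A-Z]{2}\b/i,   // postcode, e.g. SW1A 1AA
];

// Constructed sample URLs (no real users or sites).
const SAMPLE_URLS = [
  "https://example.com/verify?ssn=123-45-6789",
  "https://example.com/stores?zip=94111",
  "https://example.co.uk/benefits?nino=QQ123456C",
  "https://example.co.uk/gp-finder?postcode=SW1A+1AA",
  "https://example.com/news/article",
];

// Decode percent-encoding and form-style "+" so patterns see the real value.
function normalise(url) {
  try {
    return decodeURIComponent(url.replace(/\+/g, " "));
  } catch {
    return url; // malformed escape sequence: test the raw string instead
  }
}

// True when any pattern matches, i.e. the filter would withhold this URL.
function containsIdentifier(url, patterns) {
  const text = normalise(url);
  return patterns.some((re) => re.test(text));
}

// URLs the filter lets through to collection.
function passesFilter(urls, patterns) {
  return urls.filter((u) => !containsIdentifier(u, patterns));
}

console.log("US-only filter passes:", passesFilter(SAMPLE_URLS, US_ONLY));
console.log("US+UK filter passes:", passesFilter(SAMPLE_URLS, [...US_ONLY, ...UK_EXTRA]));
```

With the US-only list, the two UK URLs pass through alongside the benign one; adding the UK patterns leaves only the benign URL.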
See also
- StayFocusd
- StayFree (Chrome extension)
- Browser extension AI chat exfiltration
- SimilarWeb
- Owned it Ltd
References
1. Silverman, Craig (March 10, 2020). "Popular VPN And Ad-Blocking Apps Are Secretly Harvesting User Data". Pixel Envy. Retrieved May 30, 2026.
2. "At Least 20 VPN and Ad-Blocking Apps With 35 Million Downloads Have Been Secretly Harvesting Data". Gizmodo. March 9, 2020. Retrieved May 30, 2026.
3. Tuckner, John (December 28, 2025). "Prompt poaching runs rampant in extensions". Annex Blog. Secure Annex. Retrieved May 30, 2026.
4. Arnott, James (May 11, 2026). "The AI Chat Scraping Extension Wall of Shame". Am I Being Pwned?. Retrieved May 30, 2026.
5. "About Sensor Tower". Sensor Tower. Retrieved May 30, 2026.
6. "StayFocusd - Website Blocker & Focus Timer & Shorts Blocker". Chrome Web Store. Sensor Tower. Retrieved May 30, 2026.
7. "Responsibly Sourced Data". Sensor Tower. Retrieved May 30, 2026.
8. Template:Cite press release
9. "Sensor Tower acquires data.ai". GamesIndustry.biz. March 19, 2024. Retrieved May 30, 2026.
10. Template:Cite press release
11. "Sensor Tower acquires StayFree and ActionDash apps". PocketGamer.biz. June 22, 2020. Retrieved May 30, 2026.
12. "StayFree - Screen Time Tracker & Limit App Usage". Chrome Web Store. Sensor Tower. Retrieved May 30, 2026.
13. "Analytics platform secretly scraped user data via VPN apps". Engadget. March 10, 2020. Retrieved May 30, 2026.
14. "Sensor Tower announces its acquisition of popular digital wellbeing apps ActionDash and StayFree". Sensor Tower. Retrieved May 30, 2026.
15. "Legit browser extensions poaching AI chats". Cybernews. December 31, 2025. Retrieved May 30, 2026.
16. "Two Chrome Extensions Caught Stealing AI Chats". The Hacker News. January 6, 2026. Retrieved May 30, 2026.