Sensor Tower: Difference between revisions
Tags: Reverted Visual edit |
m Moved refs to inside quotes. |
||
| (One intermediate revision by the same user not shown) | |||
| Line 32: | Line 32: | ||
Randy Nelson, Sensor Tower's head of mobile insights, told BuzzFeed News in an on-the-record statement that the company had not disclosed ownership ''"for competitive reasons,"''<ref name="buzzfeed-pxlnv" /><ref name="engadget">{{Cite web |title=Analytics platform secretly scraped user data via VPN apps |url=https://www.engadget.com/2020-03-10-analytics-platform-secretly-scraped-user-data-sensor-tower-vpn.html |website=Engadget |date=March 10, 2020 |access-date=May 30, 2026}}</ref> adding: | Randy Nelson, Sensor Tower's head of mobile insights, told BuzzFeed News in an on-the-record statement that the company had not disclosed ownership ''"for competitive reasons,"''<ref name="buzzfeed-pxlnv" /><ref name="engadget">{{Cite web |title=Analytics platform secretly scraped user data via VPN apps |url=https://www.engadget.com/2020-03-10-analytics-platform-secretly-scraped-user-data-sensor-tower-vpn.html |website=Engadget |date=March 10, 2020 |access-date=May 30, 2026}}</ref> adding: | ||
<blockquote>''When you consider the relationship between these types of apps and an analytics company, it makes a lot of sense ... especially considering our history as a startup.'' | <blockquote>''When you consider the relationship between these types of apps and an analytics company, it makes a lot of sense ... especially considering our history as a startup.''<ref name="buzzfeed-pxlnv" /></blockquote> | ||
After being contacted by BuzzFeed News, Apple removed Adblock Focus & said it would continue investigating Luna VPN; Google removed Mobile Data.<ref name="buzzfeed-pxlnv" /><ref name="engadget" /> An Apple spokesperson said a dozen earlier Sensor Tower apps had already been removed from the App Store for policy violations.<ref name="buzzfeed-pxlnv" /> Three months later, on June 22, 2020, Sensor Tower acquired ActionDash & StayFree & framed the deal as a transparent, opt-in replacement for the prior consumer-panel pipeline.<ref name="pocketgamer" /><ref name="st-actiondash">{{Cite web |title=Sensor Tower announces its acquisition of popular digital wellbeing apps ActionDash and StayFree |url=https://sensortower.com/blog/actiondash-stayfree-acquisition-announcement |website=Sensor Tower |access-date=May 30, 2026}}</ref> | After being contacted by BuzzFeed News, Apple removed Adblock Focus & said it would continue investigating Luna VPN; Google removed Mobile Data.<ref name="buzzfeed-pxlnv" /><ref name="engadget" /> An Apple spokesperson said a dozen earlier Sensor Tower apps had already been removed from the App Store for policy violations.<ref name="buzzfeed-pxlnv" /> Three months later, on June 22, 2020, Sensor Tower acquired ActionDash & StayFree & framed the deal as a transparent, opt-in replacement for the prior consumer-panel pipeline.<ref name="pocketgamer" /><ref name="st-actiondash">{{Cite web |title=Sensor Tower announces its acquisition of popular digital wellbeing apps ActionDash and StayFree |url=https://sensortower.com/blog/actiondash-stayfree-acquisition-announcement |website=Sensor Tower |access-date=May 30, 2026}}</ref> | ||
| Line 42: | Line 42: | ||
On December 28, 2025, John Tuckner of Secure Annex published a technical analysis of what he called ''"prompt poaching,"'' a technique in which browser extensions capture & exfiltrate user conversations with AI chatbots.<ref name="tuckner" /> Tuckner's primary subject was the Similarweb extension, but in the same post he named Sensor Tower's StayFocusd as a second example of the same pattern: | On December 28, 2025, John Tuckner of Secure Annex published a technical analysis of what he called ''"prompt poaching,"'' a technique in which browser extensions capture & exfiltrate user conversations with AI chatbots.<ref name="tuckner" /> Tuckner's primary subject was the Similarweb extension, but in the same post he named Sensor Tower's StayFocusd as a second example of the same pattern: | ||
<blockquote>''We've also discovered past versions of the extension Stayfocusd, a featured productivity extension run by the a similar web analytics company, Sensor Tower, containing behaviorally similar code which has recently been updated to be only slightly less invasive containing metadata about conversations but not the conversations themselves.'' | <blockquote>''We've also discovered past versions of the extension Stayfocusd, a featured productivity extension run by the a similar web analytics company, Sensor Tower, containing behaviorally similar code which has recently been updated to be only slightly less invasive containing metadata about conversations but not the conversations themselves.''<ref name="tuckner" /></blockquote> | ||
Cybernews & The Hacker News repeated the StayFocusd attribution in follow-up coverage on December 31, 2025 & January 6, 2026 respectively.<ref name="cybernews">{{Cite web |title=Legit browser extensions poaching AI chats |url=https://cybernews.com/security/legit-browser-extensions-poaching-ai-chats/ |website=Cybernews |date=December 31, 2025 |access-date=May 30, 2026}}</ref><ref name="thn">{{Cite web |title=Two Chrome Extensions Caught Stealing AI Chats |url=https://thehackernews.com/2026/01/two-chrome-extensions-caught-stealing.html |website=The Hacker News |date=January 6, 2026 |access-date=May 30, 2026}}</ref> The detailed code & remote-config samples in Tuckner's post (gpt_con_delta_fetch, claudeai_con_fetch, bard_qa, perplexity_html) describe Similarweb's extension, not Sensor Tower's; Tuckner's specific finding for StayFocusd was that the extension carried behaviorally similar code that had been narrowed, by the time of publication, to collecting conversation metadata rather than full chat text.<ref name="tuckner" /> | Cybernews & The Hacker News repeated the StayFocusd attribution in follow-up coverage on December 31, 2025 & January 6, 2026 respectively.<ref name="cybernews">{{Cite web |title=Legit browser extensions poaching AI chats |url=https://cybernews.com/security/legit-browser-extensions-poaching-ai-chats/ |website=Cybernews |date=December 31, 2025 |access-date=May 30, 2026}}</ref><ref name="thn">{{Cite web |title=Two Chrome Extensions Caught Stealing AI Chats |url=https://thehackernews.com/2026/01/two-chrome-extensions-caught-stealing.html |website=The Hacker News |date=January 6, 2026 |access-date=May 30, 2026}}</ref> The detailed code & remote-config samples in Tuckner's post (gpt_con_delta_fetch, claudeai_con_fetch, bard_qa, perplexity_html) describe Similarweb's extension, not Sensor Tower's; Tuckner's specific finding for StayFocusd was that the extension carried behaviorally similar code that had been narrowed, by the time of publication, to 
collecting conversation metadata rather than full chat text.<ref name="tuckner" /> | ||
| Line 54: | Line 54: | ||
Arnott reported that StayFocusd's AI-chat-scraping remote-config gate had flipped between an earlier test & publication: | Arnott reported that StayFocusd's AI-chat-scraping remote-config gate had flipped between an earlier test & publication: | ||
<blockquote>''We saw StayFocusd set up their infrastructure for AI chat scraping. When we tested it there was only a remote config which they could enable at any point, but it wasn't enabled.'' | <blockquote>''We saw StayFocusd set up their infrastructure for AI chat scraping. When we tested it before there was only a remote config which they could enable at any point, but it wasn't enabled.''<ref name="arnott" /></blockquote> | ||
He also described a URL-exfiltration filter that was US-centric, listing exceptions for adult sites, US health sites & regex matches against US-format identifiers such as Social Security numbers & ZIP codes, with no equivalent protection for non-US users (UK users were named explicitly).<ref name="arnott" /> Arnott described the StayFree sibling extension in one sentence: | He also described a URL-exfiltration filter that was US-centric, listing exceptions for adult sites, US health sites & regex matches against US-format identifiers such as Social Security numbers & ZIP codes, with no equivalent protection for non-US users (UK users were named explicitly).<ref name="arnott" /> Arnott described the StayFree sibling extension in one sentence: | ||
<blockquote>''It essentially has the same features as StayFocusd, same remote activated capability to scrape AI chats and collect URLs, with limited PII exceptions.'' | <blockquote>''It essentially has the same features as StayFocusd, same remote activated capability to scrape AI chats and collect URLs, with limited PII exceptions.''<ref name="arnott" /></blockquote> | ||
<!-- INCIDENT_SCORE: 75 | Independent sandbox-verified Capability classification by named researcher (James Arnott / amibeingpwned.com); remote-config gate for AI-chat scraping was active by publication date; PII filter is US-centric & breaks for non-US users; same publisher pattern observed in 2020 BuzzFeed disclosure (mobile apps) now extended to browser extensions (StayFocusd & StayFree, both Sensor Tower) --> | <!-- INCIDENT_SCORE: 75 | Independent sandbox-verified Capability classification by named researcher (James Arnott / amibeingpwned.com); remote-config gate for AI-chat scraping was active by publication date; PII filter is US-centric & breaks for non-US users; same publisher pattern observed in 2020 BuzzFeed disclosure (mobile apps) now extended to browser extensions (StayFocusd & StayFree, both Sensor Tower) --> | ||
==See also== | ==See also== | ||
*[[StayFocusd]] | *[[StayFocusd]] | ||
*[[StayFree (Chrome extension)]] | *[[StayFree (Chrome extension)]] | ||
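Review bot: in the first blockquote of this hunk the quoted sentence itself changes, from "When we tested it there was only a remote config" to "When we tested it before there was only a remote config", which the edit summary "Moved refs to inside quotes" does not mention. Wording inside a direct quotation should be checked against the cited source (ref "arnott"), and if the added "before" is correct it should be described in the summary as a quote correction rather than folded into a ref move.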
| Line 71: | Line 69: | ||
==References== | ==References== | ||
{{Reflist}} | |||
{{ | |||
[[Category:Sensor Tower]] | [[Category:Sensor Tower]] | ||
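Review bot: the "{{Reflist}}" line and the following line starting "{{" appear only in the old-revision column of this hunk, so the edit seems to drop the reference-list template, which a summary of "Moved refs to inside quotes" does not cover. If the removal is unintended, restore both lines; if it is intended, say so in the summary and confirm the reference list still renders under the ==References== heading.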
Latest revision as of 00:26, 4 June 2026
| Basic information | |
|---|---|
| Founded | 2013-08 |
| Legal Structure | Private |
| Industry | Mobile analytics, Digital advertising intelligence, Browser extensions |
| Also known as | ST Pulse |
| Official website | https://sensortower.com/ |
Sensor Tower is a San Francisco mobile- and digital-intelligence company whose consumer-facing products have been independently documented exfiltrating user data on two separate occasions. In March 2020, BuzzFeed News reported that the company had secretly operated at least 20 VPN and ad-blocking mobile applications since 2015, with more than 35 million collective downloads, that prompted users to install a root certificate granting access to all traffic passing through the phone.[1][2] In December 2025 and again in May 2026, security researchers identified two Sensor Tower-owned Chrome extensions, StayFocusd (~700,000 users) & StayFree (~200,000 users), as carrying the infrastructure to capture user conversations with AI chatbots.[3][4]
Background
Sensor Tower was founded in 2013[5] & lists 275 Battery Street, Suite 800, San Francisco, California as its publisher address on the Chrome Web Store.[6] The company sells enterprise app & digital-advertising analytics, including its Store Intelligence, Ad Intelligence, Usage Intelligence & Pathmatics products, to brands, agencies, publishers & investors.[7] Named clients listed by the company include Microsoft, Sky, Bandai Namco, Western Union, Procter & Gamble, Duolingo, Spotify, Coca-Cola & Activision Blizzard.[7][8]
Riverwood Capital is Sensor Tower's principal private-equity sponsor.[8] On March 18, 2024, Sensor Tower acquired its largest competitor in app market intelligence, data.ai (formerly App Annie), in a transaction financed by Bain Capital Credit; the combined company reported a customer base of more than 2,000 enterprises.[8] Roughly 200 data.ai employees were laid off after the close as Sensor Tower stated it was "optimising our team structure."[9] Earlier acquisitions include the digital-ad-intelligence firm Pathmatics on May 24, 2021,[10] & the digital-wellbeing apps ActionDash & StayFree on June 22, 2020.[11]
Products
Sensor Tower's enterprise business is built on what it calls a "first-party consumer panel" assembled by acquiring & operating free consumer apps & browser extensions whose telemetry feeds the company's paid dashboards.[7] The company markets this side of the business under the brand ST Pulse, which appears in the footer of Sensor Tower-owned consumer properties.
The two Chrome extensions currently flagged by independent researchers are StayFocusd, a website-blocker & focus-timer with roughly 700,000 users that is published from the Sensor Tower developer account at 275 Battery St,[6][4] & StayFree, a screen-time tracker with roughly 200,000 Chrome users.[12][4] Both extensions were classified Capability by James Arnott in May 2026, meaning the exfiltration code path & remote endpoints are wired up but did not fire during his sandbox observation window.[4]
Incidents
2020 BuzzFeed News VPN and ad-blocking app disclosure
On March 9, 2020, Craig Silverman of BuzzFeed News reported that Sensor Tower had owned at least 20 Android & iOS apps since 2015, including Free and Unlimited VPN, Luna VPN, Mobile Data & Adblock Focus, with more than 35 million collective downloads.[1][2] None of the listings disclosed Sensor Tower's ownership or that user data fed the company's analytics products.[1] Once installed, the apps prompted users to install a root certificate from a third-party website, a small file that, in BuzzFeed's words, lets its issuer "access all traffic and data passing through a phone."[1] Apple & Google ordinarily restrict root-certificate privileges because of the security risk; Sensor Tower's apps bypassed those restrictions by completing the certificate install outside the store flow.[1]
Randy Nelson, Sensor Tower's head of mobile insights, told BuzzFeed News in an on-the-record statement that the company had not disclosed ownership "for competitive reasons,"[1][13] adding:
When you consider the relationship between these types of apps and an analytics company, it makes a lot of sense ... especially considering our history as a startup.[1]
After being contacted by BuzzFeed News, Apple removed Adblock Focus & said it would continue investigating Luna VPN; Google removed Mobile Data.[1][13] An Apple spokesperson said a dozen earlier Sensor Tower apps had already been removed from the App Store for policy violations.[1] Three months later, on June 22, 2020, Sensor Tower acquired ActionDash & StayFree & framed the deal as a transparent, opt-in replacement for the prior consumer-panel pipeline.[11][14]
December 2025 Secure Annex "Prompt Poaching" identification
On December 28, 2025, John Tuckner of Secure Annex published a technical analysis of what he called "prompt poaching," a technique in which browser extensions capture & exfiltrate user conversations with AI chatbots.[3] Tuckner's primary subject was the Similarweb extension, but in the same post he named Sensor Tower's StayFocusd as a second example of the same pattern:
We've also discovered past versions of the extension Stayfocusd, a featured productivity extension run by the a similar web analytics company, Sensor Tower, containing behaviorally similar code which has recently been updated to be only slightly less invasive containing metadata about conversations but not the conversations themselves.[3]
Cybernews & The Hacker News repeated the StayFocusd attribution in follow-up coverage on December 31, 2025 & January 6, 2026 respectively.[15][16] The detailed code & remote-config samples in Tuckner's post (gpt_con_delta_fetch, claudeai_con_fetch, bard_qa, perplexity_html) describe Similarweb's extension, not Sensor Tower's; Tuckner's specific finding for StayFocusd was that the extension carried behaviorally similar code that had been narrowed, by the time of publication, to collecting conversation metadata rather than full chat text.[3]
2026 amibeingpwned Wall of Shame
On May 11, 2026, James Arnott published The AI Chat Scraping Extension Wall of Shame on amibeingpwned.com, classifying eight extensions across two buckets: Confirmed (AI-chat content observed leaving the browser during sandbox testing) & Capability (the exfiltration code path & remote endpoint are present & wired up but did not fire during the observation window, which Arnott attributed to server-side gating).[4] StayFocusd was listed at #4 with 700,000 users; StayFree at #7 with 200,000 users; both were attributed to Sensor Tower & both were classified Capability with LZ-String light obfuscation.[4]
Arnott reported that StayFocusd's AI-chat-scraping remote-config gate had flipped between an earlier test & publication:
We saw StayFocusd set up their infrastructure for AI chat scraping. When we tested it before there was only a remote config which they could enable at any point, but it wasn't enabled.[4]
He also described a URL-exfiltration filter that was US-centric, listing exceptions for adult sites, US health sites & regex matches against US-format identifiers such as Social Security numbers & ZIP codes, with no equivalent protection for non-US users (UK users were named explicitly).[4] Arnott described the StayFree sibling extension in one sentence:
It essentially has the same features as StayFocusd, same remote activated capability to scrape AI chats and collect URLs, with limited PII exceptions.[4]
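The gap Arnott describes can be reproduced with a small redaction filter, shown here as an added example that is not code from either extension or from his report. The patterns, function names and example.com / example.co.uk URLs are all constructed assumptions; the UK formats are deliberately simplified.

```javascript
// Added illustration only: not code from StayFocusd, StayFree or Arnott's report.
// Every pattern, function name and URL here is a constructed assumption.

// US-format identifiers, the kind of exception list the write-up describes.
const US_ONLY_PATTERNS = {
  ssn: /\b\d{3}-\d{2}-\d{4}\b/,
  zip: /\b\d{5}(?:-\d{4})?\b/,
};

// Hypothetical UK equivalents (simplified National Insurance number and postcode).
const UK_PATTERNS = {
  nino: /\b[A-Z]{2}\d{6}[A-D]\b/i,
  postcode: /\b[A-Z]{1,2}\d[A-Z\d]?\s?\d[A-Z]{2}\b/i,
};

// Decode path + query so percent-encoded identifiers are still matched.
function decodedTarget(rawUrl) {
  const u = new URL(rawUrl);
  const target = u.pathname + u.search;
  try {
    return decodeURIComponent(target.replace(/\+/g, ' '));
  } catch (e) {
    return target; // malformed escape: fall back to the raw form
  }
}

// Names of the patterns that fire on a URL.
function matchedIdentifiers(rawUrl, patterns) {
  const target = decodedTarget(rawUrl);
  return Object.keys(patterns).filter((name) => patterns[name].test(target));
}

// URLs the filter lets through, i.e. URLs that would still be collected.
function urlsPassingFilter(urls, patterns) {
  return urls.filter((url) => matchedIdentifiers(url, patterns).length === 0);
}

// Constructed sample URLs; the identifiers are placeholders, not real people.
const SAMPLE_URLS = [
  'https://example.com/account?ssn=000-12-3456',
  'https://example.com/stores?zip=94111',
  'https://example.co.uk/benefits?nino=QQ123456C',
  'https://example.co.uk/find-gp?postcode=SW1A%201AA',
  'https://example.com/blog/focus-tips',
];

const passesUsOnly = urlsPassingFilter(SAMPLE_URLS, US_ONLY_PATTERNS);
const passesCombined = urlsPassingFilter(SAMPLE_URLS, { ...US_ONLY_PATTERNS, ...UK_PATTERNS });
console.log('passes US-only filter:', passesUsOnly);
console.log('passes US+UK filter:', passesCombined);
```

With the US-only patterns, both UK URLs pass the filter alongside the harmless blog URL; with the UK patterns added, only the blog URL passes.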
See also
- StayFocusd
- StayFree (Chrome extension)
- Browser extension AI chat exfiltration
- SimilarWeb
- Owned it Ltd
References
1. Silverman, Craig (March 10, 2020). "Popular VPN And Ad-Blocking Apps Are Secretly Harvesting User Data". Pixel Envy. Retrieved May 30, 2026.
2. "At Least 20 VPN and Ad-Blocking Apps With 35 Million Downloads Have Been Secretly Harvesting Data". Gizmodo. March 9, 2020. Retrieved May 30, 2026.
3. Tuckner, John (December 28, 2025). "Prompt poaching runs rampant in extensions". Annex Blog. Secure Annex. Retrieved May 30, 2026.
4. Arnott, James (May 11, 2026). "The AI Chat Scraping Extension Wall of Shame". Am I Being Pwned?. Retrieved May 30, 2026.
5. "About Sensor Tower". Sensor Tower. Retrieved May 30, 2026.
6. "StayFocusd - Website Blocker & Focus Timer & Shorts Blocker". Chrome Web Store. Sensor Tower. Retrieved May 30, 2026.
7. "Responsibly Sourced Data". Sensor Tower. Retrieved May 30, 2026.
8. Template:Cite press release
9. "Sensor Tower acquires data.ai". GamesIndustry.biz. March 19, 2024. Retrieved May 30, 2026.
10. Template:Cite press release
11. "Sensor Tower acquires StayFree and ActionDash apps". PocketGamer.biz. June 22, 2020. Retrieved May 30, 2026.
12. "StayFree - Screen Time Tracker & Limit App Usage". Chrome Web Store. Sensor Tower. Retrieved May 30, 2026.
13. "Analytics platform secretly scraped user data via VPN apps". Engadget. March 10, 2020. Retrieved May 30, 2026.
14. "Sensor Tower announces its acquisition of popular digital wellbeing apps ActionDash and StayFree". Sensor Tower. Retrieved May 30, 2026.
15. "Legit browser extensions poaching AI chats". Cybernews. December 31, 2025. Retrieved May 30, 2026.
16. "Two Chrome Extensions Caught Stealing AI Chats". The Hacker News. January 6, 2026. Retrieved May 30, 2026.