Sensor Tower

Sensor Tower is a San Francisco mobile- and digital-intelligence company whose consumer-facing products have been independently documented exfiltrating user data on two separate occasions. In March 2020, BuzzFeed News reported that the company had secretly operated at least 20 VPN and ad-blocking mobile applications since 2015, with more than 35 million collective downloads, that prompted users to install a root certificate granting access to all traffic passing through the phone.^[1][2] In December 2025 and again in May 2026, security researchers identified two Sensor Tower-owned Chrome extensions, StayFocusd (~700,000 users) & StayFree (~200,000 users), as carrying the infrastructure to capture user conversations with AI chatbots.^[3][4]

Sensor Tower was founded in 2013^[5] & lists 275 Battery Street, Suite 800, San Francisco, California as its publisher address on the Chrome Web Store.^[6] The company sells enterprise app & digital-advertising analytics, including its Store Intelligence, Ad Intelligence, Usage Intelligence & Pathmatics products, to brands, agencies, publishers & investors.^[7] Named clients listed by the company include Microsoft, Sky, Bandai Namco, Western Union, Procter & Gamble, Duolingo, Spotify, Coca-Cola & Activision Blizzard.^[7][8]

Riverwood Capital is Sensor Tower's principal private-equity sponsor.^[8] On March 18, 2024, Sensor Tower acquired its largest competitor in app market intelligence, data.ai (formerly App Annie), in a transaction financed by Bain Capital Credit; the combined company reported a customer base of more than 2,000 enterprises.^[8] Roughly 200 data.ai employees were laid off after the close as Sensor Tower stated it would "optimising our team structure."^[9] Earlier acquisitions include the digital-ad-intelligence firm Pathmatics on May 24, 2021,^[10] & the digital-wellbeing apps ActionDash & StayFree on June 22, 2020.^[11]

Sensor Tower's enterprise business is built on what it calls a "first-party consumer panel" assembled by acquiring & operating free consumer apps & browser extensions whose telemetry feeds the company's paid dashboards.^[7] The company markets this side of the business under the brand ST Pulse, which appears in the footer of Sensor Tower-owned consumer properties.

The two Chrome extensions currently flagged by independent researchers are StayFocusd, a website-blocker & focus-timer with roughly 700,000 users that is published from the Sensor Tower developer account at 275 Battery St,^[6][4] & StayFree, a screen-time tracker with roughly 200,000 Chrome users.^[12][4] Both extensions were classified Capability by James Arnott in May 2026, meaning the exfiltration code path & remote endpoints are wired up but did not fire during his sandbox observation window.^[4]

On March 9, 2020, Craig Silverman of BuzzFeed News reported that Sensor Tower had owned at least 20 Android & iOS apps since 2015, including Free and Unlimited VPN, Luna VPN, Mobile Data & Adblock Focus, with more than 35 million collective downloads.^[1][2] None of the listings disclosed Sensor Tower's ownership or that user data fed the company's analytics products.^[1] Once installed, the apps prompted users to install a root certificate from a third-party website, a small file that, in BuzzFeed's words, lets its issuer "access all traffic and data passing through a phone."^[1] Apple & Google ordinarily restrict root-certificate privileges because of the security risk; Sensor Tower's apps bypassed those restrictions by completing the certificate install outside the store flow.^[1]

Randy Nelson, Sensor Tower's head of mobile insights, told BuzzFeed News in an on-the-record statement that the company had not disclosed ownership "for competitive reasons,"^[1][13] adding:

When you consider the relationship between these types of apps and an analytics company, it makes a lot of sense ... especially considering our history as a startup.

^[1]

After being contacted by BuzzFeed News, Apple removed Adblock Focus & said it would continue investigating Luna VPN; Google removed Mobile Data.^[1][13] An Apple spokesperson said a dozen earlier Sensor Tower apps had already been removed from the App Store for policy violations.^[1] Three months later, on June 22, 2020, Sensor Tower acquired ActionDash & StayFree & framed the deal as a transparent, opt-in replacement for the prior consumer-panel pipeline.^[11][14]

On December 28, 2025, John Tuckner of Secure Annex published a technical analysis of what he called "prompt poaching," a technique in which browser extensions capture & exfiltrate user conversations with AI chatbots.^[3] Tuckner's primary subject was the Similarweb extension, but in the same post he named Sensor Tower's StayFocusd as a second example of the same pattern:

We've also discovered past versions of the extension Stayfocusd, a featured productivity extension run by the a similar web analytics company, Sensor Tower, containing behaviorally similar code which has recently been updated to be only slightly less invasive containing metadata about conversations but not the conversations themselves.

^[3]

Cybernews & The Hacker News repeated the StayFocusd attribution in follow-up coverage on December 31, 2025 & January 6, 2026 respectively.^[15][16] The detailed code & remote-config samples in Tuckner's post (gpt_con_delta_fetch, claudeai_con_fetch, bard_qa, perplexity_html) describe Similarweb's extension, not Sensor Tower's; Tuckner's specific finding for StayFocusd was that the extension carried behaviorally similar code that had been narrowed, by the time of publication, to collecting conversation metadata rather than full chat text.^[3]

On May 11, 2026, James Arnott published The AI Chat Scraping Extension Wall of Shame on amibeingpwned.com, classifying eight extensions across two buckets: Confirmed (AI-chat content observed leaving the browser during sandbox testing) & Capability (the exfiltration code path & remote endpoint are present & wired up but did not fire during the observation window, which Arnott attributed to server-side gating).^[4] StayFocusd was listed at #4 with 700,000 users; StayFree at #7 with 200,000 users; both were attributed to Sensor Tower & both were classified Capability with LZ-String light obfuscation.^[4]

Arnott reported that StayFocusd's AI-chat-scraping remote-config gate had flipped between an earlier test & publication:

We saw StayFocusd set up their infrastructure for AI chat scraping. When we tested it before there was only a remote config which they could enable at any point, but it wasn't enabled. It has since been enabled.

^[4]

He also described a URL-exfiltration filter that was US-centric, listing exceptions for adult sites, US health sites & regex matches against US-format identifiers such as Social Security numbers & ZIP codes, with no equivalent protection for non-US users (UK users were named explicitly).^[4] Arnott described the StayFree sibling extension in one sentence:

It essentially has the same features as StayFocusd, same remote activated capability to scrape AI chats and collect URLs, with limited PII exceptions.

^[4]

• StayFocusd
• StayFree (Chrome extension)
• Browser extension AI chat exfiltration
• SimilarWeb
• Owned it Ltd