Millions installed these AI apps, but researchers warn of leaked user locations


Popular AI photo identification apps with 2 million downloads have exposed their users' GPS coordinates. Researchers found that attackers have already compromised the data.

While it’s very convenient that AI can recognize animals and insects from a single picture, granting an app access to your devices is always risky.

Cybernews research has just uncovered that three popular photo identification apps downloaded 2 million times on Google Play have been leaking data from over 150,000 users.


What data has been leaked?

  • Email addresses
  • Usernames, commonly including full names
  • Firebase Cloud Messaging (FCM) notification tokens
  • Profile photos
  • GPS coordinates

While the leaked data does not appear to include passwords, the exposed information is still highly sensitive.

Along with personally identifiable information (PII), the apps also leaked user locations, obtained either by retrieving them from uploaded photos or by harvesting them through the apps’ permissions.

Leaked GPS coordinates are especially sensitive. Location details from the apps might reveal where users live or their movement habits, which might be exploited by malicious actors.

Leaked AI apps' user data. Screenshot by Cybernews.

Exposed profile photos and usernames can be used to link users to their real identities. Attackers can also exploit stolen FCM tokens to send malicious push notifications that appear to come from the real app.

Researchers note that leaked data could be exploited in targeted social engineering attacks. It might also put users at risk of stalking or doxxing.


The risk substantially increases if attackers cross-reference the currently leaked data with data from previous breaches.

AI apps affected by the data leak

  • Dog Breed Identifier Photo Cam (500K downloads, 66,182 users affected)
  • Spider Identifier App by Photo (500K downloads, 40,779 users affected)
  • Insect identifier by Photo Cam (1M downloads, 45,005 users affected)

All three apps had the same type of Firebase misconfiguration. The leak was caused by insufficient authentication and access controls, which allowed anyone to access sensitive user information.

All affected apps had more downloads than affected individuals, suggesting that only some optional features relied on the misconfigured Firebase instances.

Attackers have already found the instances

To make matters worse, researchers discovered that all three apps were connected to Firebase instances with public read and write access enabled, which is a serious security lapse.

Each database also contained a “poc” (Proof of Concept) entry, a common marker left behind by automated bots that scan the internet for unsecured databases.

Leaked data. Screenshot by Cybernews.

The presence of these entries suggests the databases were not only exposed but also likely discovered by threat actors before the research team found them.
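The public read and write access described above can be caught before release by auditing the database rules file. The following is an added example, not code from Cybernews or the app developers; it assumes the instances were Firebase Realtime Databases (the article does not name the product), and both rule sets are constructed samples showing the weak setting beside a per-user one.

```python
import json

# Constructed sample rules for a Firebase Realtime Database (an assumption:
# the article does not say which Firebase product was misconfigured).
WEAK_RULES = """
{"rules": {".read": true, ".write": true}}
"""

# Constructed hardened variant: each user may only touch their own record.
HARDENED_RULES = """
{"rules": {
  "users": {
    "$uid": {
      ".read": "auth != null && auth.uid === $uid",
      ".write": "auth != null && auth.uid === $uid"
    }
  }
}}
"""

def _is_public(expr):
    # A rule is a JSON boolean or a string expression; either form of
    # "true" grants access to unauthenticated clients.
    return expr is True or (isinstance(expr, str) and expr.strip() == "true")

def audit_rules(rules_json):
    """Return sorted (path, operation) pairs that grant public access."""
    findings = []

    def walk(node, path):
        if not isinstance(node, dict):
            return
        for key, value in node.items():
            if key in (".read", ".write"):
                # A grant at this path also applies to every child path.
                if _is_public(value):
                    findings.append((path or "/", key[1:]))
            elif not key.startswith("."):
                walk(value, f"{path}/{key}")

    walk(json.loads(rules_json).get("rules", {}), "")
    return sorted(findings)

if __name__ == "__main__":
    for name, rules in (("weak", WEAK_RULES), ("hardened", HARDENED_RULES)):
        print(name, audit_rules(rules))
```

Run as a CI step against the rules file kept in the project repository, a non-empty result should fail the build.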


“The number of app installs is significant. It's a common metric users rely on to gauge the app’s popularity, which is also a trust factor,” said the Cybernews research team.

“These data leaks show that relying solely on an app's popularity to gauge its security is not enough.”

No response from developers

The apps were published under the developer name MobilMinds applications. However, the Google Play developer profile also references another company, OZI Technologies Private Limited, which is based in Pakistan.

Ozi Technologies’ website states that the company operates in multiple countries, including Pakistan, the UAE, and the United States, and claims to have a workforce of more than 1,000 employees.

Detected hardcoded secrets. Screenshot by Cybernews.

The company advertises services ranging from mobile app and game development to digital marketing, web development, and custom software for business clients.

Cybernews has contacted the app developers multiple times but received no answer.

AI apps are leaking secrets

The current discovery is part of larger-scale research into Android AI applications. Cybernews research uncovered that 72% of the analyzed apps contained at least one hardcoded secret.


Although the cybersecurity community regards hardcoding secrets as one of the worst practices, the numbers show it is still a widespread issue.

On average, an AI app leaks 5.1 secrets, and 81.14% of the detected secrets were related to Google Cloud Project identifiers, endpoints, and API keys.


Disclosure timeline

First metadata index: December 2nd, 2025
Full indexing and investigation: December 11th, 2025
Initial disclosure: December 12th, 2025
CERT contacted: December 19th, 2025

