The "private data" the app collected, is used, for most part, fingerprint the unique user.
In every MCN app, there was a huge fake user problem. If an app collect zero identifiable fingerprint, then a spammer can easily fake millions of views and manipulate ranked content. The app developers are asked think clever to collect every piece of info they can, while spammers spent night and days spoof every parameter in a virtual machine or even on a matrix of remote controlled real phones.
For example, if a iPhone 11 user logs in, but only with screen resolution of 320x240, is it legit? I have caught tens of thousands of fake users with simple checks like this. However the tricks expires pretty quickly, you have to move on with new feature checks, together with decision trees and bayesian networks.
Some of the fingerprint collecting SDKs are even using native code to check some ARM specific instructions to tell if the device is fake or not. The parameters check had to be done in every important API calls, or spammers can easily pretend be good citizen during parameter checking process and swap the session to a cheaper VM/phone or spam the targeted API with scripts.
Chinese companies all have their own team dealing with frauds or spamming on daily basis, the same way as everything can be faked in China.
Think cyber attacks from Chinese IPs are bad? Now imagine doing business in China and all users of your product are bots, what methods do you have to filter out the real human users? Good luck.
Many ads network SDKs are collecting user data in the same way. Otherwise it's easy to spoof fake clicks and page views.
I not stating if it's the right or wrong thing to do, I am just saying it's how things are done in current state of business.
Yes, ads SDK across different apps can provide detailed aggregated information. Also apps promote each other, the "channel distribution" is huge business and relies on apps acknowledge each other.
I highly doubt many of the Tiktok reverse-engineering result may turn out to be some thirdparty ads or anti-fraud SDKs which Chinese companies use often.
It's an established term to describe org affiliated with youtube/twitch/tiktok/instagram etc.
For some of these operations, you can just work off of the content. Spam messages need to advertise something, so the text needs to look very different than for legit posts.
But something like an upvote or like? It's a single bit of information, you can't say if it's legit or fraudulent in isolation. So then you need to come up with additional signals to cluster on from wherever you can.
Some of it will be behavioural (these 10k users only liked these spammy videos), but a lot of it has to be environmental.
Had to OCR all those god damn avatars.
If visibility on your platform is somewhat commercially relevant, then you will have lots of people pushing fake accounts for various goals. And if you ignore them, then the more technically competent ones will set up offers to sell access to fake accounts on your platform, so that they will be abused also by actors who don't have the ability to create thousands of fake accounts on their own.
This picture explains
Chinese can recycle real iPhone/Android devices at minimal cost. Anyone can rent a fleet of real devices, then RCE software can execute any kind of task you want on a real app on a real phone. So even Apple or Google provide some kind of unique id, e.g. iOS already have something like identifierForVendor, the spammers emulate a real user's app download, registration, login process, thus obtaining a real ID. So what can you do about the ID?
So the obvious solution is to check for more user information beyond a simple ID. Your IP, mac address, wifi router address, other process the OS is running, device parameters, etc. and privacy is f??ked in the process.
PS. Someone correct me if I'm wrong.