How This Briefing Works
This report opens with key findings, then maps the gaps between what Yoc discloses and what BLACKOUT observed at runtime. From there: what it means for your organization, what to do about it, and the detection data and evidence underneath.
Key Findings
Pre-Consent Activity
Yoc was observed loading and executing before user consent was obtained on 100% of sites where it was detected.
Claims vs. Observed Behavior
pending
“Requires claims extraction via CDT”
Defeat device, behavioral biometrics, session recording, cross-domain sync, consent bypass, and fingerprinting detected in runtime
What This Means For You
What To Do About It
Role-specific actions based on observed behavior
If You Use Yoc
- →Audit defeat device deployment within mobile advertising infrastructure
- →Review session recording scope in mobile campaign workflows
- →Verify cross-domain sync boundaries for mobile-to-web continuity
- →Require consent collection before YOC tracking initialization
If You're Evaluating Yoc
- →Mobile DSP solutions without embedded visitor surveillance beyond ad delivery
- →Privacy-respecting mobile advertising platforms limiting tracking scope
- →Contextual mobile advertising eliminating behavioral targeting and cross-customer intelligence leakage
Negotiation Leverage
- →Challenge defeat device mechanisms within mobile advertising infrastructure
- →Require disclosure of all surveillance capabilities beyond mobile campaign delivery
- →Demand opt-out from cross-customer mobile campaign monitoring analysis
- →Request data processing agreement amendments addressing visitor tracking through mobile DSP platform
- →Negotiate liability indemnification for maximum tracking deployed through mobile advertising infrastructure
Runtime Detections
BLACKOUT observed this vendor's JavaScript executing in a live browser and classified each hostile behavior using our BTI-C (Behavioral Threat Intelligence — Capability) taxonomy. These are not theoretical risks — each code below was triggered by something we watched this vendor's code actually do.
Evasion infrastructure, auditor bypass
Impact: Detection evasion mechanisms obscure tracking deployment within mobile advertising infrastructure.
Keystroke/mouse tracking
Impact: Mobile interaction patterns captured to enhance audience profiles and optimize mobile targeting.
Full session replay
Impact: Mobile sessions captured to contextualize advertising engagement and improve campaign delivery.
Identity stitching
Impact: Mobile advertising synchronized across web and app environments for cross-device continuity.
Ignoring CMP signals
Impact: Tracking mechanisms active through mobile advertising before visitor consent collection completes.
Device identification
Impact: Mobile device characteristics harvested for advertising continuity across apps and mobile web.
IOC Manifest
Indicators of compromise across 3 categories. Use for detection rules, CSP policies, or Pi-hole blocklists.
Ecosystem & Supply Chain
Evidence Artifacts
Artifacts collected during analysis, available with evidence-tier access.
Complete network capture with all requests and responses
128 detection signatures across scripts, domains, cookies, and network endpoints