Meta, Yandex secretly tracked Android users' browsing
International researchers have uncovered a covert tracking method used by Meta and Russian tech giant Yandex that allows their Android applications to monitor users' web browsing habits, even when users believe they are browsing privately.
The technique, which affects billions of Android users, exploits a system loophole to link anonymous browsing sessions with user identities by connecting websites' tracking scripts directly to native smartphone applications. Meta began deploying this method in September 2024, while Yandex has employed it since 2017 without detection.
Curated by
kevinrequill
3 min read
Published
42,650
2,281
morningbrew.com
Technical Exploitation
The tracking system works when users have Facebook, Instagram, or various Yandex applications installed on their Android devices1. When users visit websites containing Meta Pixel or Yandex Metrica tracking scripts—embedded on approximately 20% of popular websites—these scripts establish connections through localhost ports to communicate directly with the native apps21.
This bypasses Android's privacy protections, including incognito mode, VPN usage, and the operating system's app sandboxing designed to prevent such data sharing31. The method allows companies to associate web cookies and browsing histories with device identifiers like Android Advertising IDs, effectively de-anonymizing users' online activities1.
3 sources
Industry Response
Both Google and Mozilla indicated they are investigating potential violations of their platforms' terms of service. "The behavior violates the terms of service for its Play marketplace and the privacy expectations of Android users," a Google representative told Ars Technica1.
Mozilla announced it is developing protections for Firefox users on Android against this tracking method2. Neither Meta nor Yandex responded to requests for comment from multiple outlets1.
Hours after the research became public today, investigators observed that Meta's tracking communications had ceased entirely, with code references to the tracking cookies largely removed13.
3 sources
Privacy Implications
The discovery raises questions about the effectiveness of existing privacy tools. Unlike traditional cookie-based tracking, this method circumvents user attempts to maintain browsing privacy through standard protective measures1.
The technique also creates vulnerabilities beyond the intended tracking. Researchers demonstrated that malicious third-party applications could potentially eavesdrop on users' browsing activity by listening on the same localhost ports, accessing browsing histories across multiple browsers including Chrome, Firefox, and Edge1.
"We consider these to be violations of user privacy expectations," Mozilla stated regarding the tracking method2. The timing coincides with increasing regulatory scrutiny of tech companies' data collection practices and growing user adoption of privacy protection tools.
2 sources
Related
How can I detect if my Android apps are using this tracking method
Why did Meta stop the tracking code after the research was published
What steps are Mozilla taking to protect Firefox users from this covert tracking
Discover more
16 billion stolen passwords discovered in massive breach
Security researchers have uncovered what appears to be one of the largest collections of stolen login credentials in history, exposing more than 16 billion usernames and passwords from major technology platforms including Apple, Google, and Facebook. The discovery, reported today by Cybernews, represents fresh data collected through malware rather than recycled information from previous...
9,218
Italy opens probe into AI firm DeepSeek over hallucination risks
Italy's antitrust watchdog AGCM has launched a formal investigation into Chinese artificial intelligence startup DeepSeek for allegedly failing to adequately warn users about the risk of "hallucinations" - situations where the AI model generates inaccurate, misleading, or fabricated information in response to user inputs, as reported by Reuters.
6,498
Meta AI app exposes private conversations to public feed
According to reports from TechCrunch, Meta's standalone AI app has become a privacy nightmare, with users unknowingly publishing their private conversations with the chatbot to a public "Discover" feed that exposes sensitive personal information including medical queries, financial matters, and even home addresses.
14,694
Meta sues CrushAI over nonconsensual nudity app ads
Meta Platforms has filed a lawsuit in Hong Kong against Joy Timeline HK Limited, the company behind CrushAI, an AI-powered app that creates nonconsensual nude images of people, after the app maker repeatedly circumvented Meta's ad review process to advertise on Facebook and Instagram despite violating platform policies, as reported by multiple sources.
2,917