Meta, Yandex secretly tracked Android users' browsing

International researchers have uncovered a covert tracking method used by Meta and Russian tech giant Yandex that allows their Android applications to monitor users' web browsing habits, even when users believe they are browsing privately.

The technique, which affects billions of Android users, exploits a system loophole to link anonymous browsing sessions with user identities by connecting websites' tracking scripts directly to native smartphone applications. Meta began deploying this method in September 2024, while Yandex has employed it since 2017 without detection.

Curated by kevinrequill
Technical Exploitation

The tracking system works when users have Facebook, Instagram, or various Yandex applications installed on their Android devices [1]. When users visit websites containing Meta Pixel or Yandex Metrica tracking scripts, which are embedded on approximately 20% of popular websites, these scripts establish connections through localhost ports to communicate directly with the native apps [2][1].

This bypasses Android's privacy protections, including incognito mode, VPN usage, and the operating system's app sandboxing designed to prevent such data sharing [3][1]. The method allows companies to associate web cookies and browsing histories with device identifiers like Android Advertising IDs, effectively de-anonymizing users' online activities [1].

Sources: [1] localmess.github.io, [2] english.elpais.com, [3] androidpolice.com
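
Seen from the browser side, the mechanism described in this section shows up as page requests whose destination is the device itself. The following is an added example (not code from the researchers, Meta or Yandex) that scans a network log for such requests; the log entries, ports and script names are constructed, and it assumes the traffic is URL-addressable (HTTP or WebSocket).

```javascript
// Added example (not from the researchers or the vendors): find requests a web
// page made to the device's own loopback interface. All data is constructed.
const DEFAULT_PORTS = { "http:": "80", "https:": "443", "ws:": "80", "wss:": "443" };

// True when a hostname, as normalised by the WHATWG URL parser, is loopback.
function isLoopbackHost(hostname) {
  const host = hostname.toLowerCase().replace(/\.$/, "");
  if (host === "localhost" || host.endsWith(".localhost")) return true;
  if (host === "[::1]") return true;
  // IPv4-mapped IPv6 form of 127.0.0.0/8, e.g. [::ffff:7f00:1]
  const mapped = /^\[::ffff:([0-9a-f]{1,4}):[0-9a-f]{1,4}\]$/.exec(host);
  if (mapped) return (parseInt(mapped[1], 16) >> 8) === 127;
  // The parser has already rewritten decimal, hex and short IPv4 spellings
  // (2130706433, 0x7f.1) as dotted quads, so one check covers all of them.
  const v4 = /^(\d{1,3})\.\d{1,3}\.\d{1,3}\.\d{1,3}$/.exec(host);
  return v4 !== null && Number(v4[1]) === 127;
}

// requests: [{ url, initiator }] as exported from a browser network log.
function findLoopbackRequests(pageUrl, requests) {
  // A page served from loopback itself (local development) is out of scope.
  if (isLoopbackHost(new URL(pageUrl).hostname)) return [];
  const findings = [];
  for (const req of requests) {
    let url;
    try { url = new URL(req.url); } catch { continue; } // skip unparsable entries
    if (!isLoopbackHost(url.hostname)) continue;
    findings.push({
      initiator: req.initiator,
      host: url.hostname,
      port: url.port || DEFAULT_PORTS[url.protocol] || "",
    });
  }
  return findings;
}

// Constructed sample log: hosts, ports and script names are placeholders.
const SAMPLE_PAGE = "https://shop.example/checkout";
const SAMPLE_REQUESTS = [
  { url: "https://cdn.example/analytics.js", initiator: "page" },
  { url: "http://127.0.0.1:5000/collect?id=abc", initiator: "analytics.js" },
  { url: "wss://localhost:6000/sync", initiator: "analytics.js" },
  { url: "https://2130706433:7000/x", initiator: "analytics.js" },
  { url: "http://[::1]/beacon", initiator: "analytics.js" },
  { url: "https://localhost.example.com/", initiator: "page" },
  { url: "not a url", initiator: "page" },
];

console.log(findLoopbackRequests(SAMPLE_PAGE, SAMPLE_REQUESTS));
```

The third flagged entry is spelled as a decimal integer in the log; matching on the parsed hostname rather than the raw string is what catches it.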
Industry Response

Both Google and Mozilla indicated they are investigating potential violations of their platforms' terms of service. "The behavior violates the terms of service for its Play marketplace and the privacy expectations of Android users," a Google representative told Ars Technica [1].

Mozilla announced it is developing protections for Firefox users on Android against this tracking method [2]. Neither Meta nor Yandex responded to requests for comment from multiple outlets [1].

Hours after the research became public today, investigators observed that Meta's tracking communications had ceased entirely, with code references to the tracking cookies largely removed [1][3].

Sources: [1] androidpolice.com, [2] english.elpais.com, [3] localmess.github.io
Privacy Implications

The discovery raises questions about the effectiveness of existing privacy tools. Unlike traditional cookie-based tracking, this method circumvents user attempts to maintain browsing privacy through standard protective measures [1].

The technique also creates vulnerabilities beyond the intended tracking. Researchers demonstrated that malicious third-party applications could potentially eavesdrop on users' browsing activity by listening on the same localhost ports, accessing browsing histories across multiple browsers including Chrome, Firefox, and Edge [1].

"We consider these to be violations of user privacy expectations," Mozilla stated regarding the tracking method [2]. The timing coincides with increasing regulatory scrutiny of tech companies' data collection practices and growing user adoption of privacy protection tools.

Sources: [1] localmess.github.io, [2] english.elpais.com