International researchers have uncovered a covert tracking method used by Meta and Russian tech giant Yandex that allows their Android applications to monitor users' web browsing habits, even when users believe they are browsing privately.
The technique, which affects billions of Android users, exploits a system loophole to link anonymous browsing sessions with user identities by connecting websites' tracking scripts directly to native smartphone applications. Meta began deploying this method in September 2024, while Yandex has employed it since 2017 without detection.
The tracking system works when users have Facebook, Instagram, or various Yandex applications installed on their Android devices. When users visit websites containing Meta Pixel or Yandex Metrica tracking scripts—embedded on approximately 20% of popular websites—these scripts establish connections through localhost ports to communicate directly with the native apps.
This bypasses Android's privacy protections, including incognito mode, VPN usage, and the operating system's app sandboxing designed to prevent such data sharing. The method allows companies to associate web cookies and browsing histories with device identifiers like Android Advertising IDs, effectively de-anonymizing users' online activities.
Both Google and Mozilla indicated they are investigating potential violations of their platforms' terms of service. "The behavior violates the terms of service for its Play marketplace and the privacy expectations of Android users," a Google representative told Ars Technica.
Mozilla announced it is developing protections for Firefox users on Android against this tracking method. Neither Meta nor Yandex responded to requests for comment from multiple outlets.
Hours after the research became public today, investigators observed that Meta's tracking communications had ceased entirely, with code references to the tracking cookies largely removed.
The discovery raises questions about the effectiveness of existing privacy tools. Unlike traditional cookie-based tracking, this method circumvents user attempts to maintain browsing privacy through standard protective measures.
The technique also creates vulnerabilities beyond the intended tracking. Researchers demonstrated that malicious third-party applications could potentially eavesdrop on users' browsing activity by listening on the same localhost ports, accessing browsing histories across multiple browsers including Chrome, Firefox, and Edge.
"We consider these to be violations of user privacy expectations," Mozilla stated regarding the tracking method. The timing coincides with increasing regulatory scrutiny of tech companies' data collection practices and growing user adoption of privacy protection tools.
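The localhost channel described above depends on an installed app holding a listening socket that a browser on the same device can reach. The following audit sketch is an added example, not code from the researchers or the companies named: it parses Linux `/proc/net/tcp` output and reports app-owned TCP listeners reachable over loopback. The sample table, UIDs and ports are constructed, and the function names are hypothetical.

```python
import socket
import struct

# Constructed sample in /proc/net/tcp format (not captured from a real device).
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:3039 00000000:0000 0A 00000000:00000000 00:00000000 00000000 10234        0 51234 1 0000000000000000 100 0 0 10 0
   1: 00000000:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000 10301        0 51240 1 0000000000000000 100 0 0 10 0
   2: 0100007F:13AD 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 40011 1 0000000000000000 100 0 0 10 0
   3: 0501A8C0:D2F0 5DB8D822:01BB 01 00000000:00000000 00:00000000 00000000 10234        0 51300 1 0000000000000000 100 0 0 10 0
"""

TCP_LISTEN = 0x0A      # socket state code for LISTEN in /proc/net/tcp
FIRST_APP_UID = 10000  # Android gives installed apps UIDs from 10000 upward


def decode_ipv4(hex_addr):
    # The kernel prints the address as a 32-bit word in host byte order
    # (little-endian on ARM and x86), so 0100007F decodes to 127.0.0.1.
    return socket.inet_ntoa(struct.pack("<I", int(hex_addr, 16)))


def loopback_reachable_listeners(proc_net_tcp):
    """Return sorted (uid, ip, port) for app-owned listeners reachable on loopback."""
    findings = []
    for line in proc_net_tcp.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) < 8:
            continue
        addr_hex, port_hex = fields[1].split(":")
        state = int(fields[3], 16)
        uid = int(fields[7])
        ip = decode_ipv4(addr_hex)
        # A wildcard bind (0.0.0.0) also accepts connections made to 127.0.0.1.
        reachable = ip.startswith("127.") or ip == "0.0.0.0"
        if state == TCP_LISTEN and reachable and uid >= FIRST_APP_UID:
            findings.append((uid, ip, int(port_hex, 16)))
    return sorted(findings)


if __name__ == "__main__":
    for uid, ip, port in loopback_reachable_listeners(SAMPLE):
        print(f"uid={uid} listening on {ip}:{port}")
```

The sketch covers IPv4 TCP only; UDP and IPv6 sockets appear in separate `/proc/net` tables with the same column layout and would need the same check.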