A recent international research collaboration has uncovered a potential privacy abuse involving Meta and the Russian tech giant Yandex. The investigation found that native Android apps, including Facebook, Instagram, and several Yandex apps, silently listen on fixed local ports on mobile devices to de-anonymize users’ browsing habits without consent.
The tracking code that Meta's Pixel and Yandex Metrica embed in millions of websites lets the two companies link Android users' browsing habits to their persistent identities. This method bypasses Android's permission controls and even browsers' Incognito Mode, and it affects all major Android browsers.
Researchers from IMDEA Networks, Radboud University, and KU Leuven have disclosed the issue to several browser vendors, who are actively working on mitigations. Chrome’s mitigation is scheduled to go into effect soon.
The tracking companies have been using this bypass for a long time: Yandex since 2017, and Meta since September 2024. The number of people affected by this abuse is high, given that Meta Pixel and Yandex Metrica are estimated to be installed on 5.8 million and 3 million sites, respectively.
The tracking procedure relies on localhost sockets: the native app creates a local web server on the device. Modern browsers give JavaScript code programmatic support for sending HTTP requests or WebSocket messages to localhost, and for using WebRTC APIs. The trackers use this capability as a bridge between their web scripts and native Android apps, and this bridging is what generates persistent IDs.
Researchers found that Meta’s Pixel uses localhost channels to share browser identifiers via WebRTC with their native apps like Facebook or Instagram. Yandex takes a more passive but equally invasive route: its AppMetrica SDK embedded in Yandex apps listens on local ports, captures inbound web tracking data, aggregates it with mobile-level identifiers, and feeds the enriched profile back to the Yandex pixel embedded in the website.
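A defender-side check for the listening behaviour described above, added here as an example that is not code from the researchers or the source article: it parses socket tables in the Linux `/proc/net/tcp` and `/proc/net/udp` layout and reports sockets reachable via localhost that belong to installed-app UIDs. The sample tables, ports and UIDs are constructed, the function names are hypothetical, and only IPv4 tables are handled.

```python
import ipaddress

APP_UID_START = 10000   # Android assigns installed apps UIDs from 10000 upward
TCP_LISTEN = "0A"       # state code for LISTEN in /proc/net/tcp
UDP_BOUND = "07"        # state shown for a bound, unconnected UDP socket

# Constructed sample tables (ports and UIDs are made up for illustration).
SAMPLE_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:9C40 00000000:0000 0A 00000000:00000000 00:00000000 00000000 10234        0 51234 1 0000000000000000 100 0 0 10 0
   1: 00000000:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 51240 1 0000000000000000 100 0 0 10 0
   2: 0100007F:A1B2 0100007F:9C40 01 00000000:00000000 00:00000000 00000000 10150        0 51300 1 0000000000000000 100 0 0 10 0
"""
SAMPLE_UDP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode ref pointer drops
  10: 0100007F:2EE0 00000000:0000 07 00000000:00000000 00:00000000 00000000 10187        0 61001 2 0000000000000000 0
"""

def decode_endpoint(field):
    """Turn '0100007F:9C40' into (IPv4Address('127.0.0.1'), 40000)."""
    hex_ip, hex_port = field.split(":")
    # The kernel prints the IPv4 address as a little-endian 32-bit word.
    ip = ipaddress.IPv4Address(bytes.fromhex(hex_ip)[::-1])
    return ip, int(hex_port, 16)

def local_app_listeners(table, proto, wanted_state):
    """Return (proto, port, uid) for app-owned sockets a browser could reach on localhost."""
    hits = []
    for line in table.splitlines()[1:]:           # skip the header row
        cols = line.split()
        if len(cols) < 8:
            continue
        ip, port = decode_endpoint(cols[1])
        state, uid = cols[3], int(cols[7])
        # A wildcard bind (0.0.0.0) also accepts connections made to 127.0.0.1.
        reachable = ip.is_loopback or ip.is_unspecified
        if state == wanted_state and reachable and uid >= APP_UID_START:
            hits.append((proto, port, uid))
    return hits

def scan(tcp_table, udp_table):
    return (local_app_listeners(tcp_table, "tcp", TCP_LISTEN)
            + local_app_listeners(udp_table, "udp", UDP_BOUND))

if __name__ == "__main__":
    for proto, port, uid in scan(SAMPLE_TCP, SAMPLE_UDP):
        print(f"{proto}/{port} reachable on localhost, owned by app UID {uid}")
```

Each reported UID still has to be mapped to a package name on the device before deciding whether the listener is expected.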
The investigation highlights that both trackers achieve the same result—seamlessly linking mobile and web identities without the user ever opting in. To prevent this type of abuse, researchers recommend overhauling the way mobile platforms and browsers handle access to local ports. This includes implementing new sandboxing principles, more testing models, stricter platform policies, and store vetting processes.
The research team has disclosed their findings to several browser vendors, who are actively working on mitigations. However, it is unclear whether Meta or Yandex have disclosed these tracking capabilities to either the websites hosting the trackers or the end users who visit those sites.
Source: https://techxplore.com/news/2025-06-privacy-abuse-involving-meta-yandex.html