Company Check: Meta & Yandex Covert Tracking Concerns

Meta and Russian search firm Yandex used hidden background scripts to monitor Android users’ web activity without consent, bypassing incognito mode and browser protections, researchers say.

Hidden Tracking System Uncovered

A new joint investigation has revealed that Meta and Yandex have been covertly collecting the private web browsing data of Android users by exploiting local communication loopholes between mobile apps and browsers. The technique reportedly allowed both companies to bypass standard privacy protections, without the knowledge or consent of users.

The findings were published by an international research team led by Radboud University in the Netherlands and IMDEA Networks Institute in Spain. The group included privacy experts Gunes Acar, Narseo Vallina-Rodriguez, Tim Vlummens (KU Leuven), and others. Their research revealed that Android apps owned by Meta (including Facebook and Instagram) and Yandex (including Yandex Maps, Browser, Navi, and Search) were silently listening on fixed local ports to receive web tracking data via local network connections, thereby effectively joining app-based user identities with users’ browsing habits.

According to the researchers, this practice undermines the technical safeguards built into both Android and modern web browsers, including incognito browsing, cookie restrictions, and third-party tracking protections.

How the Tracking Worked in Practice

Under Android’s permission model, any app granted the “INTERNET” permission (which includes nearly all social media and mapping apps) can start a local server inside the app. Meta and Yandex are reported to have used this ability to set up background listeners on local ports (e.g. via TCP sockets or WebRTC channels).

When users visited websites embedded with Meta Pixel or Yandex Metrica tracking scripts, those scripts could secretly send data to these background ports on the same device. This meant the apps could intercept identifiers and browsing metadata from the websites, despite no direct interaction from the user, and tie them to a logged-in app profile. The researchers say this technique effectively broke down the wall between mobile app usage and private web browsing, two areas users generally expect to remain separate.
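The receiving end of the bridge described above is an app-owned socket listening on a local port. The following added triage check (not code from the researchers or from either company) parses the output of `adb shell ss -lntup` on a test handset and flags listening TCP/UDP sockets owned by app packages rather than system processes, noting whether they are bound to loopback only or to all interfaces. The column layout, the allowlist of system owners, and every package name and port number in the sample are assumptions and constructed values, not identifiers from the study.

```python
import re

# Parser for `adb shell ss -lntup` output in the iproute2 column layout
# (assumption about the device's ss build). Flags listening sockets owned
# by app packages, i.e. the receiving end of an app-localhost bridge.
# Package names, ports and the allowlist below are constructed.

_LINE = re.compile(
    r'^(?P<proto>tcp|udp)\s+(?P<state>LISTEN|UNCONN)\s+\d+\s+\d+\s+'
    r'(?P<addr>\S+):(?P<port>\d+)\s+\S+'
    r'(?:\s+users:\(\("(?P<proc>[^"]+)",pid=(?P<pid>\d+))?'
)

LOOPBACK = {"127.0.0.1", "[::1]", "::1", "localhost"}
SYSTEM_OWNERS = frozenset({"system_server", "netd", "adbd"})  # constructed allowlist


def classify_exposure(addr):
    """Loopback-only sockets are reachable from the browser on the same device;
    wildcard binds (0.0.0.0, *, [::]) are additionally reachable from the LAN."""
    if addr in LOOPBACK or addr.startswith("127."):
        return "loopback"
    return "all-interfaces"


def find_app_listeners(ss_output, allowlist=SYSTEM_OWNERS):
    findings = []
    for line in ss_output.splitlines():
        m = _LINE.match(line.strip())
        if not m:
            continue  # header line or a row in an unexpected layout
        owner = m.group("proc") or "unknown"  # owner is hidden without root
        if owner in allowlist:
            continue
        findings.append({
            "proto": m.group("proto"),
            "port": int(m.group("port")),
            "owner": owner,
            "pid": int(m.group("pid")) if m.group("pid") else None,
            "exposure": classify_exposure(m.group("addr")),
        })
    return sorted(findings, key=lambda f: f["port"])


# Constructed sample of `ss -lntup` output; not captured from a real device.
SAMPLE_SS = """\
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
tcp   LISTEN 0      50     127.0.0.1:5555     0.0.0.0:*         users:(("adbd",pid=812,fd=7))
tcp   LISTEN 0      10     127.0.0.1:40001    0.0.0.0:*         users:(("com.example.social",pid=4021,fd=88))
udp   UNCONN 0      0      127.0.0.1:40002    0.0.0.0:*         users:(("com.example.social",pid=4021,fd=91))
udp   UNCONN 0      0      0.0.0.0:40003      0.0.0.0:*         users:(("com.example.maps",pid=4570,fd=44))
tcp   LISTEN 0      128    [::1]:40004        [::]:*            users:(("system_server",pid=1001,fd=12))
"""

if __name__ == "__main__":
    for f in find_app_listeners(SAMPLE_SS):
        print(f"{f['proto']}/{f['port']} owner={f['owner']} pid={f['pid']} exposure={f['exposure']}")
```

A flagged listener is a lead for further inspection (which scripts connect to it, and what they send), not by itself proof of tracking; a UDP listener is worth the same scrutiny as a TCP one, since WebRTC bridges use UDP.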

Evasion Tactics From Yandex?

While Meta’s version used WebRTC signalling to send identifiers to its native apps, Yandex appears to have implemented a more dynamic system. For example, its apps reportedly downloaded remote configurations and delayed activation for several days after installation, behaviour the researchers likened to malware-like evasion tactics.

Widespread Reach and Long-Term Use

The researchers have reported that the tracking appears to have been extensive. Meta Pixel is currently embedded on approximately 5.8 million websites, while Yandex Metrica is used on more than 3 million. Although the practice was only observed on Android devices, the scale of potential exposure is still significant. The researchers report that Yandex has been doing this since at least 2017, while Meta began similar behaviour in late 2024.

Apparent Lack of Disclosure

What makes the findings more concerning is the apparent lack of disclosure to app users, website operators, or browser vendors. For example, developer forums have shown widespread confusion among website owners who were unaware their use of tracking pixels enabled data extraction via app-localhost bridges. Some people reported unexplained localhost calls from Meta’s scripts, with little guidance on what the data was or how it was being used.

Google and Browser Makers Respond

Google, which maintains the Android operating system, has confirmed the tracking method was being used in “unintended ways that blatantly violate our security and privacy principles.” Chrome developers, along with DuckDuckGo and other browser vendors, have now issued patches to block some forms of localhost communication initiated by websites.

Also, Narseo Vallina-Rodríguez, associate professor at IMDEA, noted: “Until our disclosure, Android users were entirely defeated against this tracking method. Most platform operators likely didn’t even consider this in their threat models.”

Countermeasures Rolled Out

As a result of the academic team’s findings, several browser-based countermeasures, such as port-blocking and new sandboxing approaches, are now being rolled out, and Chrome’s patch is reportedly going live imminently.

Meta and Yandex Defend Their Position

In response to the findings, Meta has said it paused the feature and was working with Google to clarify the “application of their policies.”

Yandex, meanwhile, has reportedly denied that any sensitive data was collected, saying that “The feature in question does not collect any sensitive information and is solely intended to improve personalisation within our apps.” However, the researchers argue that the data gathered, including persistent identifiers, browsing activity, and time-stamped behaviour, carries substantial profiling risk.

Privacy Experts Raise the Alarm

Not surprisingly, the episode has drawn some strong criticism from privacy advocates, who argue the tactics used represent a significant overreach and a breach of user trust. For example, the European Digital Rights (EDRi) group issued a statement calling it a “blatant abuse of technical permissions,” while Mozilla Fellow Alice Munyua said the practice “shows exactly why we need more transparency, not less, in how apps interact with user data.”

IMDEA’s Aniketh Girish, one of the study’s co-authors, said the real issue lies in how easily these companies linked users’ web identities to their mobile profiles without any consent or notification.

Implications

For businesses relying on Meta and Yandex advertising tools, the revelations raise fresh questions about the ethical and legal responsibilities of digital marketing. Many companies use Meta Pixel or Yandex Metrica to improve targeting and ad performance, but may now find themselves indirectly involved in opaque data practices.

Businesses Using These Tools Could Be Held Responsible

It seems that businesses using third-party tools like Meta Pixel or Yandex Metrica (e.g. operators and advertisers) aren’t absolved of responsibility if those tools are later found to breach privacy rules. This is because legal and regulatory frameworks such as the UK GDPR place obligations on data controllers to understand and account for how user data is collected and processed, even when using external vendors.

Also, business users and app developers who trust major platforms for analytics and performance tracking may now need to be more cautious.

What Does This Mean For Your Business?

The apparent scale and persistence of this tracking activity reveals more than just a privacy lapse. It shows how trusted platforms may have quietly prioritised data collection over user transparency, thereby exploiting overlooked technical loopholes. The fact that browser-level defences are only now being introduced suggests the issue went unnoticed even by major platform operators.

For UK businesses, the implications are serious. For example, many rely on tools like Meta Pixel or Yandex Metrica for advertising and analytics, but under GDPR, they remain responsible for understanding how data is collected, regardless of who built the tools. This means that if personal data was captured without consent via websites or apps operated in the UK, businesses could be held accountable.

The lack of disclosure to developers and site owners also raises questions about consent and control. If tracking was occurring via localhost connections without their knowledge, they had no way to inform users or adjust settings accordingly. As regulators increase their focus on accountability, ignorance of how embedded tools function is unlikely to offer much protection.

More broadly, this case highlights the need for reform across both mobile platforms and browsers. Researchers say that Android’s local port access requires stronger safeguards, and permission models need updating to prevent similar abuse. Whether that happens will depend on pressure from developers, watchdogs, and public institutions.

At its core, the episode shows how fragile digital trust can be when data is moved behind the scenes without consent. For users and UK businesses alike, the expectation now is not just performance, but clear accountability for how every click and interaction is tracked, stored, and shared.