Meta and Yandex are facing intense scrutiny after a team of academic researchers revealed that both tech giants exploited a hidden quirk in Android’s operating system to track users’ online behavior. By quietly using native Android apps to listen for data sent from web browsers on the same device, the companies were reportedly able to match anonymous browsing activity with real user identities—without users ever realizing it.
This technique bypassed standard privacy protections that users typically rely on, including clearing cookies, using Incognito Mode, or denying app permissions. The revelations have raised serious concerns about how mobile apps may silently bridge gaps between web and app tracking in ways that users—and even many developers—never anticipated.
The Technical Loophole: How It Worked
The method at the center of the controversy revolves around something called “localhost”—the loopback network interface on your phone, which lets apps running on the same device talk to each other over local ports and is commonly used for local testing. Ordinarily harmless, localhost becomes problematic when misused.
According to researchers from IMDEA Networks (Spain), Radboud University (Netherlands), and KU Leuven (Belgium), Meta and Yandex designed their Android apps—such as Facebook, Instagram, Yandex Maps, and Yandex Browser—to secretly listen for browser data via these localhost ports. Meanwhile, tracking scripts embedded on thousands of websites—like Meta Pixel and Yandex Metrica—sent browsing data and cookies to those apps in the background.
By combining this browser data with persistent identifiers stored in their native apps—like login credentials or device IDs—the companies could match web activity with real user profiles, essentially erasing the line between app-based and browser-based tracking.
Privacy Protections Rendered Useless
The study found that this technique undermined many common privacy safeguards. Even if a user cleared their cookies, browsed in private mode, or restricted app permissions, the localhost bridge allowed companies to bypass those limitations.
“It breaks the assumption that cookies from one website can’t follow you across the internet,” the researchers explained. “Because these native apps can receive data directly from the browser, they can re-identify you even after you’ve taken steps to stay private.”
The paper names five researchers—Aniketh Girish, Gunes Acar, Narseo Vallina-Rodriguez, Nipuna Weerasekara, and Tim Vlummens—who documented how these tracking tactics were deployed in the real world. The most concerning discovery was that the apps didn’t just gather data from websites owned by Meta or Yandex; they could extract information from any site embedding their analytics scripts.
Meta Hits Pause, Blames Policy Confusion
Following the publication of the research, Meta appeared to backtrack. A spokesperson confirmed that the company had paused the controversial data collection feature and was “in discussions with Google to address a potential miscommunication regarding the application of their policies.”
While Meta did not go into detail, it appears that the company may have overstepped rules in Google’s Play Store, which strictly prohibits covert data harvesting practices.
Researchers confirmed that as of June 3, 2025, the Meta Pixel script was no longer transmitting data to localhost. The underlying code that enabled this type of tracking was also mostly removed, suggesting that Meta is attempting to get ahead of regulatory or platform consequences.
A Step-by-Step Breakdown of Meta’s Method
Here’s how Meta’s system reportedly worked:
- A user opens the Facebook or Instagram Android app, which quietly activates a background service.
- This service opens network ports, allowing it to listen for incoming messages from the browser.
- When the user later visits a website that uses Meta Pixel, the script sends tracking cookies—like the _fbp identifier—to the open ports using WebRTC protocols.
- The app then receives this data and forwards it, along with the user’s account details, to Meta servers using GraphQL.
- The end result? A direct connection between anonymous browsing activity and the user’s actual Facebook or Instagram account.
Meta is believed to have tested the HTTP version of this approach as early as September 2024. After third-party developers raised red flags in public forums, the company stopped sending data over HTTP—but continued with alternative methods such as WebRTC, STUN, and TURN until the practice ended entirely in mid-2025.
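From the device side, the footprint of the technique described above is an app process holding a listening socket on the loopback interface. As an added example (not from the article or the study), the script below parses a socket table captured from a device, for instance via `adb shell ss -ltnp`, and lists every listener a browser on the same phone could reach: sockets bound to loopback and, because they accept loopback connections as well, sockets bound to the wildcard address. The table, package names and ports are constructed placeholders rather than values from the research; whether `ss` or only `netstat` is present, and whether process names appear without root, depends on the device image.

```javascript
// Added example (not from the article or the study): audit a socket table
// captured from an Android device for listeners a local browser could reach.
// Assumes the column layout of `ss -ltnp`; the rows below are constructed, and
// the package names and ports are placeholders, not values from the research.

const SAMPLE_SOCKET_TABLE = `
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port  Process
LISTEN 0      50     127.0.0.1:12345     0.0.0.0:*          users:(("com.example.socialapp",pid=4321,fd=77))
LISTEN 0      128    [::1]:23456         [::]:*             users:(("com.example.mapsapp",pid=4410,fd=12))
LISTEN 0      128    0.0.0.0:5555        0.0.0.0:*          users:(("com.example.debugbridge",pid=311,fd=9))
LISTEN 0      10     10.0.2.15:8080      0.0.0.0:*          users:(("com.example.devserver",pid=5000,fd=4))
ESTAB  0      0      127.0.0.1:40000     127.0.0.1:12345    users:(("com.example.browser",pid=6100,fd=33))
`;

// Classify a bound address: 'loopback' (127/8, ::1, IPv4-mapped ::ffff:127.x),
// 'any' (0.0.0.0, ::, *), or null for an address that is not reachable as localhost.
function bindScope(rawAddr) {
  const addr = rawAddr.replace(/^\[|\]$/g, '').toLowerCase();
  if (/^127\.\d{1,3}\.\d{1,3}\.\d{1,3}$/.test(addr) || addr === '::1' || /^::ffff:127\./.test(addr)) {
    return 'loopback';
  }
  if (addr === '0.0.0.0' || addr === '::' || addr === '*') return 'any';
  return null;
}

// Parse LISTEN rows into {addr, port, scope, process, pid}; other states are ignored.
function parseListeners(table) {
  const rows = [];
  for (const line of table.split('\n')) {
    const cols = line.trim().split(/\s+/);
    if (cols[0] !== 'LISTEN' || cols.length < 4) continue;
    const local = cols[3];                       // e.g. "127.0.0.1:12345" or "[::1]:23456"
    const cut = local.lastIndexOf(':');
    const addr = local.slice(0, cut);
    const port = Number(local.slice(cut + 1));
    const proc = line.match(/users:\(\("([^"]+)",pid=(\d+)/);   // usually absent without root
    rows.push({
      addr,
      port,
      scope: bindScope(addr),
      process: proc ? proc[1] : null,
      pid: proc ? Number(proc[2]) : null,
    });
  }
  return rows;
}

// Listeners a local browser could connect to, minus an operator-supplied
// allowlist of process names that are expected to listen (e.g. known system daemons).
function findLocallyReachableListeners(table, allow = new Set()) {
  return parseListeners(table)
    .filter(r => r.scope !== null && !allow.has(r.process))
    .sort((a, b) => a.port - b.port);
}

function describe(row) {
  const owner = row.process
    ? `${row.process} (pid ${row.pid})`
    : 'unknown owner (re-run with root to see process names)';
  return `${owner} listens on ${row.addr}:${row.port} [${row.scope}]`;
}

for (const row of findLocallyReachableListeners(SAMPLE_SOCKET_TABLE)) {
  console.log(describe(row));
}
```

On a real device, a loopback listener owned by a third-party app is not proof of tracking by itself; it is the prompt to look at which page scripts are allowed to reach that port and what the app does with the data, which is exactly the gap the browser fixes and the proposed Android permission below aim to close.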
Yandex’s Tracking Tactics Date Back Years
While Meta’s use of this technique was relatively recent, Yandex has reportedly been using similar localhost-based tracking since at least 2017. Yandex’s Android apps, including its Maps and Browser tools, were also found listening on fixed local ports to receive data from its analytics script, Yandex Metrica.
Efforts to contact Yandex for comment were unsuccessful, with emails from reporters reportedly flagged as spam.
Browser Makers Push Back with Fixes
In response to the findings, major browser vendors have started rolling out protections:
- Google Chrome added code in version 137 (released May 26, 2025) to block the specific WebRTC manipulation used by Meta, though this fix is currently limited to select users.
- Mozilla Firefox is developing its own safeguards.
- Brave wasn’t affected by the issue, as it already requires user consent for localhost communication.
- DuckDuckGo has updated its blocklists to stop Yandex’s tracking scripts from executing.
In addition, the researchers are encouraging Android developers to adopt a new “local network access” permission setting, which would require apps to declare—and get user approval for—any attempt to use localhost for communication. An earlier version of this proposal faced technical setbacks, but the recent revelations could reignite interest.
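As an added example (not the article's code, nor code from the researchers or any browser vendor), here is a browser-side guard of the kind the fixes above work towards: it classifies request targets that point back at the device's own loopback interface, refuses `fetch` and `WebSocket` calls to them, and strips loopback ICE candidates from SDP before WebRTC would use them, covering both the HTTP path and the WebRTC path the article mentions. The `installLoopbackGuard` helper and its `onBlock` callback are hypothetical names, and the sample URLs, SDP and window-like scope are constructed. It goes a little beyond the page's single case by also handling IPv6 loopback, IPv4-mapped addresses and the short or hexadecimal IPv4 spellings that the WHATWG URL parser canonicalises.

```javascript
// Added example, not code from the article, the researchers or any browser vendor:
// a page-level guard that refuses requests from web content to the device's own
// loopback interface, the channel the article describes. It covers HTTP(S) and
// WebSocket URLs and the ICE candidates WebRTC would otherwise use. The names
// installLoopbackGuard/onBlock are hypothetical; all test inputs are constructed.

// Does a host name or literal address point at the local machine?
function hostIsLocal(rawHost) {
  const host = rawHost.replace(/^\[|\]$/g, '').toLowerCase().replace(/\.$/, '');
  if (host === 'localhost' || host.endsWith('.localhost')) return true;
  if (host === '::1' || host === '::' || host === '0.0.0.0') return true;
  const v4 = host.match(/^(\d{1,3})\.\d{1,3}\.\d{1,3}\.\d{1,3}$/);   // 127.0.0.0/8
  if (v4) return Number(v4[1]) === 127;
  const mapped = host.match(/^::ffff:(\d{1,3})\./);                    // ::ffff:127.x.x.x
  if (mapped) return Number(mapped[1]) === 127;
  return false;
}

// Classify a URL (relative ones are resolved against `base`, location.href in a page).
// Going through the WHATWG URL parser matters: it canonicalises short and hex IPv4
// spellings such as "127.1" or "0x7f000001" to "127.0.0.1", which a plain string
// comparison would miss. Anything that does not parse is left to the browser.
function isLocalTarget(urlString, base) {
  let url;
  try { url = new URL(urlString, base); } catch { return false; }
  return hostIsLocal(url.hostname);
}

// ICE candidate: "candidate:<foundation> <component> <transport> <priority> <address> <port> typ <type> ..."
function candidateTargetsLocal(candidateLine) {
  const f = candidateLine.replace(/^a=/, '').trim().split(/\s+/);
  return f.length >= 8 && f[0].startsWith('candidate:') && hostIsLocal(f[4]);
}

// Drop loopback candidates from an SDP blob before it reaches setRemoteDescription;
// line endings (CRLF in SDP) are preserved on the lines that remain.
function stripLocalCandidates(sdp) {
  return sdp.split('\n').filter(line => !candidateTargetsLocal(line)).join('\n');
}

// Wrap fetch and WebSocket on a window-like object; onBlock receives every refusal.
function installLoopbackGuard(scope, onBlock = () => {}) {
  const base = scope.location && scope.location.href;
  const origFetch = scope.fetch;
  const OrigWebSocket = scope.WebSocket;
  if (typeof origFetch === 'function') {
    scope.fetch = function (input, init) {
      const target = typeof input === 'string' ? input : input && (input.url || input.href);
      if (isLocalTarget(target, base)) {
        onBlock({ api: 'fetch', target });
        return Promise.reject(new TypeError('request to loopback interface refused'));
      }
      return origFetch.call(this, input, init);
    };
  }
  if (typeof OrigWebSocket === 'function') {
    scope.WebSocket = function (url, protocols) {
      if (isLocalTarget(String(url), base)) {
        onBlock({ api: 'WebSocket', target: String(url) });
        throw new Error('WebSocket to loopback interface refused');
      }
      return new OrigWebSocket(url, protocols);
    };
    scope.WebSocket.prototype = OrigWebSocket.prototype;
  }
}
```

In a page this would be installed from an extension content script before the site's own scripts run. It is a best-effort layer in front of the durable fixes: blocking inside the browser engine, as Chrome 137 does for the WebRTC case, or a platform permission like the proposed “local network access” setting, both of which act below the script level where a page cannot reach around them.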