Research co-led by IMDEA Networks discovers a privacy abuse involving Meta and Yandex bridging persistent identifiers to browsing histories

An international research collaboration between IMDEA Networks’ Internet Analytics Group, headed by Narseo Vallina-Rodriguez, Prof. Gunes Acar (Radboud University, NL), and Tim Vlummens (KU Leuven, Belgium), has recently uncovered a potential privacy abuse involving Meta and the Russian tech giant Yandex. They found that native Android apps – including Facebook, Instagram, and several Yandex apps such as Maps, Navi, Browser, and Search – silently listen on fixed local ports on mobile devices to de-anonymize users’ browsing habits without consent.

By embedding tracking code into millions of websites, Meta’s Pixel and Yandex Metrica have been able to link Android users’ browsing habits to their persistent identities (that is, to the account holder logged into the native app). This method bypasses the privacy protections offered by Android’s permission controls and even by browsers’ Incognito Mode, and affects all major Android browsers. The international research team has disclosed the issue to several browser vendors, who are actively working on mitigations to limit this type of abuse. For instance, Chrome’s mitigation is scheduled to go into effect very soon.

These tracking companies have been doing this bypass for a long time: since 2017 in the case of Yandex, and Meta since September 2024. The number of people affected by this abuse is high, given that Meta Pixel and Yandex Metrica are estimated to be installed on 5.8 million and 3 million sites, respectively. It is also worth noting that evidence of this tracking practice has been observed only on Android.

The Meta Pixel and Yandex Metrica procedure

Under Android OS’ permission model, any app that declares the INTERNET permission can create and run in the background a local server inside the app, using either TCP (HTTP) or UDP (WebRTC) sockets. In the web context, most modern browsers give JavaScript code programmatic support for sending HTTP requests or WebSocket messages to localhost (127.0.0.1), and WebRTC APIs for sending messages to such a listening server.

“What’s interesting here is where the bridging happens and how it allows these trackers to de-anonymize users’ mobile web traffic. In the case of Meta’s Pixel, it uses localhost channels to share browser identifiers via WebRTC with their native apps like Facebook or Instagram, where the data is linked to the user’s logged-in account and quietly relayed to Meta’s servers by the app. Yandex takes a more passive but equally invasive route: its AppMetrica SDK embedded in Yandex apps listens on local ports, captures inbound web tracking data, aggregates it with mobile-level identifiers like the Android Advertising ID, and feeds the enriched profile back to the Yandex pixel embedded in the website”, explains Aniketh Girish, PhD Student at IMDEA Networks and one of the researchers of this work. “Despite using different tactics, both trackers achieve the same result—seamlessly linking mobile and web identities without the user ever opting in”, he adds.

When talking about Yandex Metrica, PhD student Nipuna Weerasekara, another of the researchers involved in this study, is clear: “What surprised me most was the dynamic nature of Yandex apps using the AppMetrica SDK. Yandex implements this tracking method in a way that resembles command-and-control nodes in malware, retrieving listening port configurations and start-up delays from Yandex servers at runtime. We observed that these apps wait as long as three days after installation before activating their localhost listeners. We hypothesize that this is an intentional delay to potentially evade investigations. This design allows Yandex apps to adapt instantly and potentially evade Google Chrome’s browser-level mitigations, such as static localhost port blocking. By simply rotating ports on the server-side, these apps can maintain a persistent web-to-app data channel despite countermeasures.”
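The two passages above describe apps that listen on loopback sockets (TCP for HTTP/WebSocket, UDP for WebRTC) and that can rotate those ports from the server side, so a static port blocklist is a weak check. The helper below is an added example and not part of the researchers’ work: it parses the output of `ss -tulnp` as captured from a device over `adb shell` (the column layout is assumed to match Linux `ss`; the sample, package names and port numbers are all constructed) and reports every app socket reachable from a browser at 127.0.0.1, keyed on the owning process rather than on fixed ports.

```python
import re
from dataclasses import dataclass

# Constructed sample of `ss -tulnp` output as it might be captured via
# `adb shell ss -tulnp`. Package names and ports are made up for illustration.
SAMPLE_SS_OUTPUT = """\
Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
tcp   LISTEN 0      50     127.0.0.1:40001     0.0.0.0:*         users:(("com.example.socialapp",pid=8214,fd=96))
udp   UNCONN 0      0      127.0.0.1:40011     0.0.0.0:*         users:(("com.example.socialapp",pid=8214,fd=101))
tcp   LISTEN 0      50     [::1]:40201         [::]:*            users:(("ru.example.mapsapp",pid=9001,fd=55))
tcp   LISTEN 0      128    0.0.0.0:5555        0.0.0.0:*         users:(("adbd",pid=345,fd=7))
tcp   LISTEN 0      50     127.0.0.1:40300     0.0.0.0:*
"""

# Binds that a browser request to 127.0.0.1 / [::1] can reach: loopback and wildcard.
LOOPBACK_REACHABLE = {"127.0.0.1", "::1", "0.0.0.0", "::", "*"}
ROW_RE = re.compile(r"^(tcp|udp)\s+(\S+)\s+\d+\s+\d+\s+(\S+)\s+\S+(.*)$")
PROC_RE = re.compile(r'users:\(\("([^"]+)",pid=(\d+)')


@dataclass(frozen=True)
class LocalListener:
    proto: str
    port: int
    process: str  # "<unknown>" when ss could not attribute the socket (e.g. no root)


def split_addr(addr: str) -> tuple[str, int]:
    """Split 'host:port' or '[v6]:port' into (host, port)."""
    host, _, port = addr.rpartition(":")
    return host.strip("[]"), int(port)


def find_local_listeners(ss_output: str, ignore=frozenset({"adbd"})) -> list[LocalListener]:
    """Return every browser-reachable local socket not owned by an ignored system daemon."""
    found = []
    for line in ss_output.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue  # header or unrecognised line
        proto, state, local, rest = m.groups()
        if proto == "tcp" and state != "LISTEN":
            continue  # established TCP connections are not listeners
        host, port = split_addr(local)
        if host not in LOOPBACK_REACHABLE:
            continue
        pm = PROC_RE.search(rest)
        process = pm.group(1) if pm else "<unknown>"
        if process not in ignore:
            found.append(LocalListener(proto, port, process))
    return found


def group_by_process(listeners: list[LocalListener]) -> dict[str, list[int]]:
    """Map each owning process to the sorted ports it exposes; ports may change between runs."""
    grouped: dict[str, list[int]] = {}
    for l in listeners:
        grouped.setdefault(l.process, []).append(l.port)
    return {p: sorted(ports) for p, ports in grouped.items()}
```

Re-running the capture over several days and diffing `group_by_process` output per package is what surfaces the delayed activation and server-driven port rotation the researchers describe.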

Preventing abuse

For Narseo Vallina-Rodríguez, Research Associate Professor at IMDEA Networks and leader of the research group, the solution to prevent this type of abuse is for mobile platforms and browsers to overhaul the way they handle access to local ports. “The fundamental issue enabling this attack is the lack of control over local host communications on most modern platforms. Until our disclosure, Android users targeted by Yandex and Meta’s Pixel were entirely defeated against this tracking method. It is possible that most browser makers and platform operators did not even consider this abuse in their threat models.” However, he adds, “technical mitigations should not disrupt legitimate usages of localhost sockets like anti-fraud or authentication methods, so it is necessary to complement any technical solution such as new sandboxing principles and more testing models with stricter platform policies and store vetting processes to limit abuse, hence deterring other tracking services from using similar methods in the future”.

There is currently no evidence that Meta or Yandex have disclosed these tracking capabilities to either the websites hosting the trackers or the end users who visit those sites. Information from developer forums suggests that Meta and Yandex may not have conveyed this behavior to the site developers integrating their tracking solutions. In fact, several forum threads suggest that many website operators using Meta Pixel were caught off guard when the script began connecting to local ports. Until the mitigations from Google and other major browser vendors take effect, the only way to prevent these abuses is to avoid installing apps like Facebook or Instagram, and the aforementioned Yandex apps.

Gunes Acar, Assistant Professor at Radboud University, who co-led the investigation and made the initial discovery, highlights: “Not only did Meta fail to inform website owners about this tracking method, it also ignored their complaints and questions.” He concludes, “This kind of cross-platform tracking is unprecedented – and it’s especially surprising coming from two companies that serve billions of users worldwide”. On the protections deployed following the disclosure, he adds: “We were glad to see browser developers including Chrome and DuckDuckGo have already shipped fixes thanks to our disclosures”.

Attached files
  • Overview diagram representing the exchange of identifiers between the web trackers running in the browser context and the native Android apps that control and generate persistent IDs, using localhost sockets