Meta Accused Of Tracking Android Users & Bypassing Security

A global team of cybersecurity researchers has exposed a covert tracking technique used by Meta and Russian tech firm Yandex that enabled both companies to de-anonymize Android users by exploiting localhost connections within mobile devices.

The researchers found that apps such as Facebook, Instagram, and several Yandex services silently listened on fixed local ports. When users visited websites embedded with Meta Pixel or Yandex Metrica tracking scripts, those scripts communicated directly with the apps through the device’s localhost interface.

This interaction allowed the apps to connect browsing data, including cookies and metadata, to the user’s identity, even while using Incognito Mode or a VPN. The method bypassed Android’s permission system and browser-level privacy protections. Standard web technologies like WebRTC and WebSockets, typically used for legitimate purposes, facilitated the process.

Industry Reacts to Tracking Android Users

Following the disclosure, Meta paused the functionality of its Pixel script that enabled the tracking. A company spokesperson stated that Meta is working with Google to resolve any potential policy violations and that the feature will remain disabled during the review.

Google responded by confirming that the behavior violated the Play Store’s terms of service and Android users’ privacy expectations. The tech giant has made backend changes to block similar tracking methods and has launched its investigation.

Mozilla, the developer behind the Firefox browser, is also preparing technical defenses against such tracking tactics and reiterated its commitment to protecting user privacy.

Widespread Risk from Tracking Android Users

Researchers reported that Meta and Yandex have used this localhost-based tracking method since at least September 2024 and 2017, respectively. Given that Meta Pixel and Yandex Metrica are embedded in millions of websites globally, the scale of potential data exposure is extensive.

The team notified several major browser vendors, who are now actively working on mitigations to block these types of tracking behaviors.

The Need for Stronger Privacy Protections

The revelation has sparked serious concern about how far tech companies will go to gather user data. By exploiting loopholes that bypass platform-level safeguards, these practices undermine user trust and the integrity of mobile security systems.

Privacy experts are calling for stricter regulation, greater transparency, and stronger enforcement mechanisms to ensure that digital platforms respect user privacy and do not resort to stealth tracking techniques.