
How Did Meta and Yandex Secretly Track Billions of Android Users Despite Privacy Controls?

Why Did Android’s Security Fail to Protect Users from Meta’s Dangerous Localhost Tracking Scheme?

Meta and Yandex have for years been quietly abusing a gap in Android's application isolation to link users' web browsing to the accounts logged into their native apps. Android lets any installed app open a listening socket on the device's loopback interface, and lets any web page's JavaScript connect to it; nothing in the platform treats that as data sharing between apps. The scheme operated without user knowledge or consent, and the researchers who uncovered it estimate it could have reached billions of Android users, making it one of the most significant privacy failures in recent mobile security history.

The Localhost Loophole Exploitation

The tracking method, dubbed "Local Mess" by the researchers who uncovered it, turns Android's loopback interface (127.0.0.1, "localhost") into an unsanctioned bridge between the web browser and native apps. When a user visited a website carrying the Meta Pixel or Yandex Metrica script, the script silently opened connections to fixed local ports on which the Facebook, Instagram and Yandex apps installed on the same device were listening.

Android's app sandbox isolates each app's storage, memory and permissions, but it does not mediate traffic between two processes on the device's own network stack: a web page reaching 127.0.0.1 is, to the operating system, just an ordinary socket connection. The scheme relied on exactly that. The native apps bound fixed loopback ports (12387 and 12388 for Meta; 29009, 29010, 30102 and 30103 for Yandex), and the scripts embedded in websites sent browser-side identifiers straight to those apps, which could then tie them to the account logged in on the device.

Key Technical Components

  • Meta Pixel integration: present on approximately 5.8 million websites globally
  • Yandex Metrica presence: found on nearly 3 million websites
  • Communication channels: plain HTTP requests, WebSocket connections, and WebRTC, using STUN and later TURN connection attempts to localhost to carry the identifier
  • Cookie transmission: the _fbp first-party cookie the Pixel sets, a browser-side identifier that, once delivered to the app, links the browsing session to the user's identity

Privacy Protections Completely Bypassed

The tracking scheme defeated multiple layers of privacy protection that users rely on for anonymous browsing. This included:

  • Incognito mode: private sessions were tracked just the same, because the identifier left the browser over the loopback interface rather than through shared cookies or storage
  • Cookie clearing: deleting browser cookies only yields a fresh _fbp value, which the app links to the same account the next time a page sends it
  • Android permissions: no Android permission gates loopback connections from a web page or loopback listeners in an app, so the permission model offered the user no control
  • VPN protection: the traffic never leaves the device, so a VPN tunnel neither sees nor stops it
  • Ad blockers: blockers that act on DNS or hostnames never see a connection to 127.0.0.1, so only blocking the tracking script itself helps

The researchers emphasized that this tracking was “exclusive to Android due to its less restrictive controls on localhost communications compared to iOS”, though similar exploits could potentially be developed for Apple’s platform.

Scale and Timeline of the Breach

Meta’s Implementation:

  • Start date: September 2024
  • HTTP transmission: September to October 2024
  • WebSocket and WebRTC (STUN, later TURN) channels: November 2024 through June 2025
  • Affected websites: Over 17,000 Meta Pixel sites in the United States alone

Yandex’s Long-Running Operation:

  • Start date: February 2017 for HTTP sites, May 2018 for HTTPS
  • Duration: Over 8 years of continuous tracking
  • Affected applications: Yandex Maps, Browser, Navigator, and Search

The potential reach is enormous: the researchers estimate that billions of Android users may have been affected. Major websites including AP News, Buzzfeed and The Verge were among those whose embedded Pixel could have been handing user data to Meta's apps without consent.

Industry Response and Immediate Actions

Following the research disclosure on June 3, 2025, Meta immediately ceased the tracking practice. As of June 3rd, 7:45 CEST, Meta’s Pixel script stopped sending packets to localhost, and the code responsible for transmitting _fbp cookies was almost completely removed.

Browser Vendor Responses:

  • Google Chrome: Implemented countermeasures in Chrome 137 (shipped May 26, 2025) through a gated field trial
  • Mozilla Firefox: Developing fixes for the vulnerability
  • Brave Browser: already protected users, since Brave requires explicit user consent before a website may connect to localhost
  • DuckDuckGo: Modified blocklists to prevent Yandex script execution

Google confirmed the severity of the findings, stating that the developers “blatantly violate our security and privacy principles”. Mozilla similarly characterized these as “severe violations of our anti-tracking policies”.

Legal and Regulatory Implications

The covert tracking practices may violate multiple privacy regulations, particularly the European Union’s General Data Protection Regulation (GDPR), which requires explicit user consent for data collection. The lack of transparency and documentation around these tracking methods compounds potential legal exposure.

Meta’s response suggested ongoing discussions with Google regarding policy interpretations: “We are speaking with Google to clarify a potential misunderstanding about how its policies are applied. As soon as we learned of the concern, we decided to pause the feature while we work with Google to resolve the issue”.

Notably, neither Meta nor Yandex provided public documentation describing these tracking methods or their purposes. When website developers encountered unusual localhost connections, they received minimal support from Meta, with one developer stating: “No acknowledgement has come from Meta at all on this though. My support request with them got a generic response and then ignored thereafter”.

Broader Security Implications

This discovery exposes a structural weakness rather than a single bug: because any installed app can bind a loopback port and any web page can connect to one, the same channel is open to a malicious app that chooses to listen there. The researchers warned that the localhost loophole "opens the door for potentially malicious apps eavesdropping on users' web activity".

The tracking method demonstrates how legitimate internet protocols can be repurposed for surveillance, creating what researchers called “a detailed, de-anonymized profile of a user’s browsing history, tied directly to their identity, without their knowledge or consent”.

Future Mitigation Strategies:

  • Platform-level restrictions on localhost communications, for example an explicit prompt before a web page may connect to a loopback listener
  • Enhanced browser security controls, such as blocking the WebRTC and WebSocket patterns the scripts relied on
  • Stricter app store policies on background services that open listening sockets
  • Improved user consent mechanisms for cross-application data sharing

The incident serves as a critical reminder that even sophisticated privacy protections can be circumvented through novel technical approaches, emphasizing the need for continuous security research and proactive platform hardening.