Two of the world’s biggest tech firms have been quietly collecting private browsing data from Android phone users, according to researchers.
Meta, which owns Facebook and Instagram, and Russian company Yandex were able to link users’ web activity to their personal app accounts. They did this without asking for permission or alerting users in any way.
The method bypassed both Android’s privacy settings and the protections offered by web browsers.
It relied on tracking scripts built into millions of websites.
These scripts communicated directly with the company’s apps installed on the same device. The apps, in turn, captured identifiers used in the browser and sent them back to company servers.
This allowed Meta and Yandex to match anonymous browsing activity with specific individuals.
The system worked even when people used Incognito or private browsing mode.
How it worked
The technique made use of what is known as localhost communication. On Android, an app can listen on a network port bound to the phone’s own loopback address, a channel that is reachable only from software running on the same device and that is invisible to the user.
When users visited a website that included Meta or Yandex trackers, the tracking scripts tried to connect to that local address and port from inside the browser. If the Facebook, Instagram, or Yandex app was installed and listening, it responded to the request in the background.
It then collected a unique code that could identify the user and linked it to their app session.
That code was sent back to company servers, linking a person’s web browsing to their app profile.
Researchers found that the Meta system was built into the company’s software development kit, or SDK, which is used by millions of websites and apps. Yandex had created a similar setup through its own AppMetrica tracking system.
Scale and duration
The tracking appears to have gone on for years.
Yandex began using the method in 2017, while Meta only added it more recently, in 2024.
Researchers believe that millions of Android users have been affected.
They found that Meta’s tracking code was present on more than 5 million websites. Yandex’s was found on around 3 million.
Both companies were able to use this system to learn about what people were reading, what products they looked at, and which websites they visited — all linked to their names, emails, and app data.
No warning was shown to users. No permission was requested. And nothing was visible on the screen.
What’s been done
The findings were shared with Google and browser developers earlier this year.
Google has made changes to Android to reduce the risk. Some browsers have also released updates to stop websites from contacting these hidden app services.
But the fixes are not complete. Meta has already changed its system to use different ports and protocols in response. Yandex apps also delay the tracking for several days, which makes it harder to detect.
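Browser updates close the route from the browser's side; a site owner can also narrow it from the page's side, because a Content-Security-Policy applies to every script the page loads, first-party and third-party alike. The script below is an added example and is not code from the article, the researchers, or any vendor. It assumes that the connect-src directive (falling back to default-src) governs fetch, XMLHttpRequest, WebSocket and EventSource connections, and it compares a constructed policy that leaves connections unrestricted with one that lists only the origins the site actually needs; the tracker and API hostnames are hypothetical.

```python
"""Check whether a page's Content-Security-Policy lets scripts on it open
connections to the device's own loopback interface.

Added example, not code from the article or from any vendor or browser.
Assumption: CSP's connect-src directive (falling back to default-src) governs
fetch(), XMLHttpRequest, WebSocket and EventSource connections made by every
script on the page, first- or third-party.  The two policies at the bottom are
constructed samples for a hypothetical site.
"""
import re

LOOPBACK_HOSTS = {"127.0.0.1", "localhost", "[::1]"}
NETWORK_SCHEMES = {"http:", "https:", "ws:", "wss:"}


def parse_csp(header):
    """Split a CSP header into {directive-name: [source expressions]}."""
    policy = {}
    for directive in header.split(";"):
        parts = directive.strip().split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy


def connect_sources(policy):
    """connect-src applies if present, else default-src; neither means no limit."""
    if "connect-src" in policy:
        return policy["connect-src"]
    return policy.get("default-src")  # None when absent


def source_host(src):
    """Reduce a host-source like 'http://127.0.0.1:12388/x' to its host part."""
    host = re.sub(r"^[a-z][a-z0-9+.-]*://", "", src)
    host = host.split("/")[0]
    if host.startswith("["):                 # IPv6 literal keeps its brackets
        return host.split("]")[0] + "]"
    return host.split(":")[0]


def allows_loopback(header):
    """True if any script on the page may connect to localhost under this policy.

    'self' is treated as non-loopback, i.e. the page itself is assumed to be
    served from a public origin, which is the situation the article describes.
    """
    sources = connect_sources(parse_csp(header))
    if sources is None:
        return True                          # no directive at all: unrestricted
    for src in (s.lower() for s in sources):
        if src == "*" or src in NETWORK_SCHEMES:
            return True                      # wildcard or scheme-only source
        host = source_host(src)
        if host == "*" or host in LOOPBACK_HOSTS:
            return True
    return False


# Constructed policies for a hypothetical site that embeds a third-party tracker.
WEAK_CSP = ("default-src 'self'; "
            "script-src 'self' https://tracker.example; "
            "connect-src *")                 # any host, loopback included
HARDENED_CSP = ("default-src 'self'; "
                "script-src 'self' https://tracker.example; "
                "connect-src 'self' https://tracker.example https://api.site.example")

if __name__ == "__main__":
    for name, csp in (("weak", WEAK_CSP), ("hardened", HARDENED_CSP)):
        state = "allowed" if allows_loopback(csp) else "blocked"
        print(f"{name}: loopback connections {state}")
```

The hardened policy only narrows the problem: connect-src says nothing about image or frame loads, which other directives govern, and it does not cover every channel a page can open, which matters given that the article reports Meta switching to different ports and protocols after the disclosure. Treat a passing check as one layer, not as a complete fix.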
Security experts say this behaviour resembles tactics used by malware, which delays or hides its activity so that automated analysis does not observe it.
The researchers who uncovered the practice say it raises serious concerns about how app platforms handle privacy and user control.
Lack of transparency
None of the websites using the trackers appear to have known how the system worked.
Some developers have reported strange behaviour from the Meta Pixel. This included unexplained attempts to connect to local addresses when users visited their sites.
In most cases, developers were unaware that their websites could be used in this way to connect a visitor’s browsing history to their Facebook or Instagram account.
There was no public explanation from either company about how the system operated until after the research was published.
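The "unexplained attempts to connect to local addresses" that developers noticed are exactly the signal a site owner can look for, and they are also the observable side of the mechanism described under "How it worked": a page served from a public origin opening a connection to the phone's loopback interface. The script below is an added example, not code from the article or the researchers. It assumes a simple one-request-per-line log with key=value fields, such as a proxy or browser developer-tools export might produce after conversion; every log line in it is constructed, and the hostnames and ports are hypothetical. It flags loopback-bound requests only when the page itself is not served from loopback, so a local development server does not trigger it.

```python
"""Flag page-initiated connections to the device's loopback interface.

Added example, not code from the article or from the researchers.  The log
format is an assumption: one line per request with key=value fields, as a
proxy or browser developer-tools export might produce.  All lines below are
constructed samples, not real captures.
"""
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed sample log: two pages that load a third-party tracker, plus one
# developer page served from localhost whose own API calls are expected.
LOG_LINES = """\
2025-06-03T10:15:02Z page=https://news.example/article/42 dest=https://api.news.example/v1/comments method=GET
2025-06-03T10:15:02Z page=https://news.example/article/42 dest=http://127.0.0.1:12388/ method=POST
2025-06-03T10:15:03Z page=https://news.example/article/42 dest=ws://localhost:12390/ method=GET
2025-06-03T10:15:03Z page=https://shop.example/cart dest=https://cdn.tracker.example/pixel.js method=GET
2025-06-03T10:15:04Z page=https://shop.example/cart dest=http://[::1]:12387/ method=POST
2025-06-03T10:15:05Z page=http://localhost:3000/dev dest=http://localhost:3000/api method=GET
""".splitlines()

LINE_RE = re.compile(
    r"^(?P<ts>\S+) page=(?P<page>\S+) dest=(?P<dest>\S+) method=(?P<method>\S+)$"
)


def is_loopback(host):
    """True for localhost names and loopback IPs (127.0.0.0/8, ::1)."""
    if host is None:
        return False
    host = host.lower()
    if host == "localhost" or host.endswith(".localhost"):
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False


def find_loopback_connections(lines):
    """Return one finding per request that a non-local page sent to loopback.

    Requests made by a page that is itself served from loopback (a local dev
    server) are left alone: the signal is a remote site reaching into the phone.
    """
    findings = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # tolerate blank or malformed lines
        page = urlsplit(m["page"])
        dest = urlsplit(m["dest"])
        if is_loopback(dest.hostname) and not is_loopback(page.hostname):
            findings.append({
                "time": m["ts"],
                "page": m["page"],
                "scheme": dest.scheme,
                "host": dest.hostname,
                "port": dest.port,
                "method": m["method"],
            })
    return findings


def summarize(findings):
    """Count flagged loopback connections per page URL."""
    counts = {}
    for f in findings:
        counts[f["page"]] = counts.get(f["page"], 0) + 1
    return counts


if __name__ == "__main__":
    hits = find_loopback_connections(LOG_LINES)
    for h in hits:
        print(f'{h["time"]} {h["page"]} -> {h["scheme"]}://{h["host"]}:{h["port"]} ({h["method"]})')
    print(summarize(hits))
```

Run against a real export, the per-page counts point at which pages (and, by elimination, which embedded scripts) are reaching into the device; the article notes that Yandex's apps delay the behaviour by several days, so a single short capture showing nothing is not evidence of absence.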
What users can do
At the moment, only Android devices are known to be affected. However, according to the researchers, "Android users are no longer affected by this type of abuse after [their] disclosure (for now)."
People who want to avoid this type of tracking are being advised to delete the apps involved.
There is currently no setting inside the apps or the websites that can fully stop the connection from being made.
Further action may depend on decisions by Google and regulators about how much access apps should be allowed on a user’s device — especially when that access is not visible or expected.