
Researchers Reveal Meta And Yandex Tracked Android Users’ Browsing Identities
Researchers have revealed that Meta and the Russian company Yandex have been using their native Android apps to track users’ browsing data without their consent, bypassing privacy and security protections. Google has stated that it is investigating the abuse.
In a rush? Here are the quick facts:
- Researchers reveal that Meta and Yandex have been tracking users’ browsing behavior.
- Meta and Yandex implemented covert tracking into their apps, such as Instagram, Facebook, Yandex Maps, and Yandex Browser.
- Billions of Android users have been affected, and Google is investigating the case.
According to the report, updated on Tuesday and titled “Covert Web-to-App Tracking via Localhost on Android,” Meta and Yandex gained access to users’ browser metadata, commands, and cookies through localhost sockets on their devices.
“We disclose a novel tracking method by Meta and Yandex potentially affecting billions of Android users,” states the document. “We found that native Android apps—including Facebook, Instagram, and several Yandex apps, including Maps and Browser—silently listen on fixed local ports for tracking purposes.”
The two companies have been exploiting this web-to-app ID sharing method—Yandex since 2017, and Meta since September 2024—bypassing protections such as incognito mode, Android’s permission controls, and cookie clearing. After the researchers shared the publication, Meta stopped using the tracking method.
According to Ars Technica, Google is investigating the case and said that Meta and Yandex have violated its Play marketplace’s terms of service.
Yandex said the feature examined in the research does not collect users’ personal information and that its only purpose is to provide a more personalized service. The researchers disagree and highlight the risks of the method used.
“One of the fundamental security principles that exists in the web, as well as the mobile system, is called sandboxing,” said Narseo Vallina-Rodriguez, one of the researchers behind the discovery, in an interview with Ars Technica. “You run everything in a sandbox, and there is no interaction within different elements running on it. What this attack vector allows is to break the sandbox that exists between the mobile context and the web context. The channel that exists allowed the Android system to communicate what happens in the browser with the identity running in the mobile app.”
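The channel described above depends on a native app holding a listening socket on the loopback interface. As an added defender-side example (not from the report or from either company), the script below parses the kernel's `/proc/net/tcp` table and flags sockets that an installed app (uid 10000 or higher) has left in LISTEN state on 127.0.0.1. The sample table, uids and port numbers are constructed for illustration, not taken from the research; on recent Android versions apps cannot read `/proc/net`, so run it from an adb shell.

```python
import sys
from typing import Dict, List

# Constructed sample of /proc/net/tcp, formatted like an Android device's table.
# Row 0: an app (uid 10234) listening on 127.0.0.1:12345 -> should be flagged.
# Row 1: a system service (uid 1000) listening on all interfaces -> not flagged.
# Row 2: an established loopback connection, not a listener -> not flagged.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:3039 00000000:0000 0A 00000000:00000000 00:00000000 00000000 10234        0 45678 1 0000000000000000 100 0 0 10 0
   1: 00000000:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 45679 1 0000000000000000 100 0 0 10 0
   2: 0100007F:D431 0100007F:3039 01 00000000:00000000 00:00000000 00000000 10234        0 45680 1 0000000000000000 100 0 0 10 0
"""

TCP_LISTEN = 0x0A      # socket state code used by the kernel for LISTEN
FIRST_APP_UID = 10000  # Android assigns uids >= 10000 to installed apps


def decode_addr(hex_addr: str) -> tuple:
    """Turn an 'IPHEX:PORTHEX' field into ('a.b.c.d', port).

    The kernel writes the IPv4 address in host byte order, which is
    little-endian on Android devices, so the octets are read in reverse.
    """
    ip_hex, port_hex = hex_addr.split(":")
    octets = [int(ip_hex[i:i + 2], 16) for i in range(6, -1, -2)]
    return ".".join(str(o) for o in octets), int(port_hex, 16)


def find_loopback_listeners(proc_net_tcp: str) -> List[Dict[str, int]]:
    """Return {'port', 'uid'} for every app-owned LISTEN socket bound to 127.x.x.x."""
    found = []
    for line in proc_net_tcp.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) < 8:
            continue
        ip, port = decode_addr(fields[1])      # local_address
        state = int(fields[3], 16)             # st
        uid = int(fields[7])                   # uid of the socket owner
        if state == TCP_LISTEN and ip.startswith("127.") and uid >= FIRST_APP_UID:
            found.append({"port": port, "uid": uid})
    return found


if __name__ == "__main__":
    # Use the live table when available (e.g. inside `adb shell`), else the sample.
    try:
        with open("/proc/net/tcp") as fh:
            table = fh.read()
    except OSError:
        table = SAMPLE_PROC_NET_TCP
    for entry in find_loopback_listeners(table):
        print(f"app uid {entry['uid']} is listening on 127.0.0.1:{entry['port']}")
```

Map a flagged uid back to a package with `adb shell pm list packages -U` to see which app owns the listener.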
The researchers observed the abuse only on Android, but noted that the same technique could be implemented on iOS as well.
Other actors have also been targeting Android users. A few days ago, cybersecurity researchers revealed that scammers have been stealing card data through an Android malware called SuperCard X.