Security researchers have discovered a tracking method used by Meta and Yandex that can de-anonymize billions of Android users even when browsing in Incognito Mode.
The research, conducted jointly by IMDEA Networks in Madrid, Radboud University in the Netherlands, and the University of Leuven in Belgium, describes how the two tech giants' Android apps secretly monitor web activity using “localhost” connections—direct communication paths within a device that bypass standard browser and Android security protections.
The researchers found that native Android apps, including Facebook, Instagram, and Yandex apps like Maps and Browser, silently listen on fixed local ports for tracking purposes.
When Android users visit websites with embedded Meta Pixel or Yandex Metrica scripts, the trackers transmit data to local apps on the same device via localhost sockets. The apps, already running in the background, receive browsing data and link it to the user's identity, sidestepping Incognito Mode, cookie deletion, and Android permissions.
Meta's trackers, for example, used WebRTC to send data through UDP ports 12580–12585. Yandex has been using similar ports (29009, 29010, 30102, and 30103) since 2017. The data exchange was further hidden through techniques like “SDP Munging,” which buries tracking information deep within network messages, making it invisible to standard inspection tools.
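As an added defensive example (not code from the researchers or from this article), the following Python checker flags local listeners on the ports named above when run over text in the layout of `netstat -tulnp`, as one might collect from a device over `adb shell`. The column layout, the sample rows, their PIDs and package names are assumptions made up for the example, and because the article does not state Yandex's transport, its ports are matched on either TCP or UDP.

```python
from typing import List, Optional, Tuple

# Ports the article attributes to each tracker.
META_UDP_PORTS = frozenset(range(12580, 12586))  # Meta WebRTC, UDP 12580-12585
YANDEX_PORTS = frozenset({29009, 29010, 30102, 30103})  # transport not stated: match either

def parse_netstat_line(line: str) -> Optional[Tuple[str, int, str]]:
    """Return (proto, port, program) for one `netstat -tulnp` row, else None."""
    fields = line.split()
    if len(fields) < 5 or not fields[0].startswith(("tcp", "udp")):
        return None  # header or unrelated line
    port_str = fields[3].rpartition(":")[2]  # column 4 is the local address
    if not port_str.isdigit():
        return None
    program = fields[-1] if "/" in fields[-1] else "-"  # PID/name when shown
    return fields[0].rstrip("6"), int(port_str), program

def classify(proto: str, port: int) -> Optional[str]:
    if proto == "udp" and port in META_UDP_PORTS:
        return "meta"
    if port in YANDEX_PORTS:
        return "yandex"
    return None

def scan(netstat_output: str) -> List[Tuple[str, str, int, str]]:
    """Return (tracker, proto, port, program) for every suspicious local listener."""
    findings = []
    for line in netstat_output.splitlines():
        parsed = parse_netstat_line(line)
        if parsed is None:
            continue
        proto, port, program = parsed
        tracker = classify(proto, port)
        if tracker:
            findings.append((tracker, proto, port, program))
    return findings

# Constructed sample in `netstat -tulnp` layout; PIDs and package names are made up.
SAMPLE = """\
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 127.0.0.1:5037 0.0.0.0:* LISTEN 210/adbd
tcp 0 0 127.0.0.1:29009 0.0.0.0:* LISTEN 4411/ru.yandex.yandexmaps
udp 0 0 0.0.0.0:12580 0.0.0.0:* 3902/com.facebook.katana
udp 0 0 :::12583 :::* 3902/com.facebook.katana
"""

if __name__ == "__main__":
    for tracker, proto, port, program in scan(SAMPLE):
        print(f"{tracker:6} {proto}/{port:<5} {program}")
```

A hit only says that some process is listening on a port the research associates with these trackers; confirming the web-to-app bridge still requires checking that the listening package is the one expected and that the browser can reach it.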
Researchers warned that this method doesn’t just compromise privacy; it also creates a new attack surface. “Any app with internet permissions could potentially eavesdrop on these transmissions,” they noted.
Most major browsers, including Chrome, Firefox, and Edge, were found to be vulnerable. Brave was found unaffected, due to its blocklist and rejection of localhost requests. DuckDuckGo was “minimally affected” due to gaps in its blocking database.
Meta and Yandex failed to disclose this tracking practice in public documentation. In many cases, the tracking began even before users had a chance to opt in or out via cookie consent banners.
Following the publication of the findings, researchers observed that Meta quietly halted the data transmission and removed portions of the offending code.
The researchers said they found no evidence that the exploit was working in iOS browsers and apps. They cautioned, however, that it is technically possible there: iOS browsers are based on WebKit and allow developers to establish localhost connections, and apps can listen on local ports.
“It is possible that technical and policy restrictions for running native apps in the background may explain why iOS users were not targeted by these trackers. We note, however, that our iOS analysis is still preliminary and this behavior might have also violated PlayStore policies. Beyond mobile platforms, web-to-native ID bridging could also pose a threat on desktop OSes and smart TV platforms, but we have not yet investigated these platforms,” the researchers noted.