Meta caught abusing Android for user tracking

Meta and Yandex have secretly used a tracking method that can identify Android users despite data protection measures. The technique bypasses browser protection functions and links website visits to app identities.
Facebook parent company without scruples
Millions of Android users may have been monitored for years without their knowledge. Security researchers have uncovered that Meta and the Russian internet group Yandex used a sophisticated tracking method to circumvent the privacy protections of Android users and de-anonymize their web activity. The tracking code, which is contained in the widespread Meta Pixel and Yandex Metrica scripts, abuses legitimate internet protocols to make web browsers secretly send unique identifiers to native apps installed on the device.
This technique allowed Meta and Yandex to convert short-lived web identifiers into permanent mobile app identities. What makes the method special is that it works even if users browse in incognito mode, delete cookies or take other data protection measures. The technique bypasses basic security and data protection functions of both the Android operating system and the browser. According to Local Mess (via Ars Technica), which has examined the technique in detail, the tracking scripts communicate via specific ports with native apps such as Facebook, Instagram or various Yandex applications.
Localhost connections as a weak point
The core of the problem lies in the way Android handles so-called localhost connections. Apps can listen on certain local ports without requiring any user permission. At Meta, the process works as follows: if a user has Facebook or Instagram installed on their Android device and then visits a website with the Meta Pixel, the script sends the so-called "_fbp" cookie to the app via WebRTC. The app then links the cookie to the user's identity and sends this information to Meta's servers.
Yandex uses a similar but technically slightly different method that has been in use since 2017. The Yandex apps receive data from websites with the Yandex Metrica script and link it to device-specific identifiers such as the Android Advertising ID (AAID). While Meta relies on WebRTC connections, Yandex uses more direct communication via HTTP requests to local ports.
Millions of websites affected
The effects of this tracking method are considerable. Meta Pixel is embedded on over 5.8 million websites, while Yandex Metrica is present on almost three million websites. During an examination of the top 100,000 websites, the researchers found that Meta Pixel was active on over 15,000 websites and collected data in more than 75 percent of cases without explicit user consent. It is particularly worrying that neither Meta nor Yandex has publicly documented this tracking method.
Site operators who use these scripts were not aware of these background functions. Since September 2024, developers in forums have been puzzling over the mysterious localhost connections of the Meta Pixel. Many developers reported unexpected network connections from their websites to local IP addresses without understanding why they were made.
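A site operator can check for such connections in a HAR file exported from the browser's developer tools. The following is an added example, not code from the article or the researchers; it flags requests to loopback addresses, and its sample HAR, host names and port numbers are constructed. A HAR records HTTP and WebSocket requests only, so it covers the HTTP variant described above and not WebRTC traffic.

```javascript
// Hostname as returned by the WHATWG URL parser, which already canonicalises
// numeric forms such as http://2130706433/ or http://0x7f.1/ to 127.0.0.1.
function isLoopbackHost(hostname) {
  const h = hostname.toLowerCase().replace(/^\[|\]$/g, '').replace(/\.$/, '');
  if (h === 'localhost' || h.endsWith('.localhost')) return true;
  if (h === '::1' || /^::ffff:7f[0-9a-f]{2}:/.test(h)) return true; // IPv4-mapped 127/8
  return /^127\.\d{1,3}\.\d{1,3}\.\d{1,3}$/.test(h);
}

const DEFAULT_PORTS = { 'http:': 80, 'https:': 443, 'ws:': 80, 'wss:': 443 };

// Returns one finding per HAR entry whose request URL targets the loopback interface.
function findLoopbackRequests(har) {
  const pages = new Map((har.log.pages || []).map((p) => [p.id, p.title]));
  const findings = [];
  for (const entry of har.log.entries || []) {
    let u;
    try { u = new URL(entry.request.url); } catch { continue; } // skip malformed URLs
    if (!isLoopbackHost(u.hostname)) continue;
    findings.push({
      page: pages.get(entry.pageref) || '(unknown page)',
      method: entry.request.method,
      target: `${u.hostname}:${u.port || DEFAULT_PORTS[u.protocol] || '?'}`,
      // _initiator is a Chrome-specific HAR extension and may be absent.
      initiator: (entry._initiator && entry._initiator.url) || '(not recorded)',
    });
  }
  return findings;
}

// Constructed sample HAR: hosts, paths and ports are made up for illustration.
const req = (url, initiator) => ({
  pageref: 'page_1',
  request: { method: 'GET', url },
  ...(initiator ? { _initiator: { type: 'script', url: initiator } } : {}),
});
const SAMPLE_HAR = { log: {
  pages: [{ id: 'page_1', title: 'https://shop.example/' }],
  entries: [
    req('https://shop.example/'),
    req('https://tracker.example/t.js'),
    req('http://localhost:40001/p?id=abc', 'https://tracker.example/t.js'),
    req('http://2130706433:40001/p?id=abc', 'https://tracker.example/t.js'),
    req('ws://[::1]:40002/sync'),
    req('https://127.0.0.1.cdn.example/lib.js'), // lookalike name, not loopback
  ],
} };

console.log(findLoopbackRequests(SAMPLE_HAR));
```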
Google and browsers react
After the security researchers disclosed their findings, Google explained that this behavior violates the terms of use of the Play Store and the data protection expectations of Android users. “The developers in this report use functions that are available in many browsers under iOS and Android in an unintentional way that clearly violates our security and data protection principles,” said a Google representative. Meta paused the function in response to the revelations. “We are in conversations with Google to clarify a possible misunderstanding regarding the application of their guidelines,” said a Meta spokesman. “After knowing the concerns, we decided to pause the function while we are working with Google to solve the problem.” Yandex has also stated that it is stopping the practice and is likewise in contact with Google.
The company emphasized: “Yandex strictly adheres to data protection standards and does not de-anonymize data. The function in question does not collect any sensitive information and only serves to improve personalization within our apps.” Various browsers have already taken measures to block this type of tracking. DuckDuckGo and Brave are already blocking most of the domains affected.
Chrome introduced a mitigation in a beta version in May 2025 that blocks the type of SDP munging used by Meta Pixel. Firefox developer Mozilla is also working on countermeasures. However, the researchers warn that the current fixes are so specific to the code in the Meta and Yandex trackers that they could easily be bypassed with a simple update. A more comprehensive solution would require Android to revise the way it handles access to local ports.