How Meta and Yandex collect specific data about your internet habits without your consent

A group of researchers has concluded that the technology companies Meta and Yandex have been tracking users' browsing on Android devices without permission, using the Meta Pixel and Yandex Metrica scripts to learn their internet habits and tie them to specific individuals, deanonymizing web traffic.
The tracking method used by Meta and Yandex may have affected "billions" of users. It does not exploit a flaw in the browser itself; it abuses the fact that native Android apps, such as Facebook and Instagram in Meta's case and Maps in Yandex's case, can listen on the device's local (loopback) interface and receive data from scripts running in the browser.
This is because the technique lets native applications receive the user's browsing information over local connections without their explicit consent, sidestepping privacy measures such as incognito mode, cookie deletion, or even browsing over a VPN, since traffic to the local interface never leaves the device.
In fact, this tracking method can work even if the user isn't logged into Facebook, Instagram, or Yandex in their mobile browser, as the organization that led the research, IMDEA Networks, explained in a write-up published on GitHub.
Thus, according to the researchers, the modus operandi is that native Android applications receive information about the user's web activity, such as metadata, cookies, and commands, from the Meta Pixel and Yandex Metrica scripts, which are embedded in millions of websites.
These scripts load in the user's mobile browser and quietly connect to native applications running on the same device via local sockets. A socket is the endpoint programs use to talk to each other, locally or over a network; here the connection goes to the device's own loopback interface, so it stays entirely on the phone.
Added to this, native Android apps have access to device identifiers, such as the Android Advertising ID (AAID), or hold the user's logged-in identity, as Meta's social networks do. Companies can therefore link browsing sessions and the web cookies they obtain to the identity of a real user.
That is, when a user visits a web page containing the Meta Pixel or Yandex Metrica script from a browser on their Android device, the script sends information about that activity, such as cookies, to the native applications on the device.
This deanonymization of website visits is possible on Android because the operating system lets any installed application with the INTERNET permission open a listening socket on the loopback interface (127.0.0.1), whether TCP (used here for plain HTTP) or UDP (used for WebRTC), according to the researchers. Browsers, for their part, let web content connect to that interface without asking the user.
This lets scripts talk to native Android apps and secretly share all sorts of information, which the researchers describe as an abuse of user privacy by Meta and Yandex, since it allows users' web activity to be linked to their identities.
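The exchange described above, reduced to its essentials as an added example (this is not the researchers' code, nor Meta's or Yandex's): a thread standing in for a native app opens a listening socket on 127.0.0.1, and a function standing in for the page's tracking script sends it the site's first-party cookie and the URL being viewed over plain HTTP. The port is chosen by the OS here (a real tracker must use a port the web script knows in advance), the app identity, page URL and cookie value are constructed, and the cookie merely copies the shape of Meta's `_fbp` cookie. The example also goes one step beyond the text: the `app_present` probe shows that even a refused connection tells the script whether the app is installed and running.

```python
"""Loopback beacon: how a script in the browser can hand a first-party cookie
to a native app on the same device.  Added example, not the researchers' or
the trackers' code; the port, cookie value and identity are assumptions."""
import http.client
import http.server
import json
import socket
import threading
import urllib.parse

LOOPBACK_HOST = "127.0.0.1"


class AppListener(http.server.BaseHTTPRequestHandler):
    """Stands in for a native app with the INTERNET permission that has opened
    a listening socket on the loopback interface."""

    def do_GET(self):
        query = urllib.parse.parse_qs(urllib.parse.urlparse(self.path).query)
        # The app already knows who the user is (logged-in account, AAID);
        # joining that identity with the web cookie is the deanonymization step.
        self.server.received.append({
            "app_identity": self.server.app_identity,
            "cookie": query.get("c", [None])[0],
            "page_url": query.get("u", [None])[0],
        })
        self.send_response(200)
        self.end_headers()

    def log_message(self, *args):  # keep the demo quiet
        pass


def start_app_listener(app_identity):
    """Port 0 lets the OS choose a free port so the demo runs anywhere; a real
    tracker needs a port number the web script knows in advance (assumption)."""
    srv = http.server.HTTPServer((LOOPBACK_HOST, 0), AppListener)
    srv.app_identity = app_identity
    srv.received = []
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def app_present(port, timeout=0.5):
    """Even a refused connection leaks something: the script learns whether
    the app is installed and running on this device."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((LOOPBACK_HOST, port))
            return True
        except OSError:
            return False


def tracker_beacon(port, page_url, first_party_cookie):
    """What the page's script does: a plain HTTP request to 127.0.0.1 carrying
    the site's cookie and the URL being viewed.  The request never leaves the
    device, so incognito mode, cookie clearing and a VPN do not get in the way."""
    query = urllib.parse.urlencode({"c": first_party_cookie, "u": page_url})
    conn = http.client.HTTPConnection(LOOPBACK_HOST, port, timeout=2)
    try:
        conn.request("GET", "/beacon?" + query)
        return conn.getresponse().status
    finally:
        conn.close()


def run_demo():
    srv = start_app_listener(app_identity="account-42 / aaid-0000")  # constructed
    port = srv.server_address[1]
    present_before = app_present(port)
    # Constructed cookie in the shape of Meta's _fbp cookie: fb.<ver>.<ts>.<rand>
    status = tracker_beacon(port, "https://shop.example/checkout",
                            "fb.1.1700000000000.123456789")
    srv.shutdown()
    srv.server_close()
    return {"present_before": present_before, "status": status,
            "received": srv.received, "present_after": app_present(port)}


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

Nothing in this exchange is visible to the network: no DNS lookup, no packet past the loopback interface, so a VPN, a proxy or a network-level blocklist sees none of it. The only places it can be observed are on the device itself (which app is listening, which process connected) or in the browser (which origins are allowed to reach 127.0.0.1).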
Specifically, these activities were identified in a joint investigation by IMDEA Networks' Internet Analytics group, led by IMDEA Professor Narseo Vallina-Rodríguez, together with Professor Gunes Acar of Radboud University (Netherlands) and Professor Tim Vlummens of KU Leuven (Catholic University of Leuven, Belgium).
Likewise, after this analysis of Meta's activity was published, the company confirmed that the Meta Pixel script has stopped sending packets or requests to the local address used by its applications, which means Facebook's owner has ceased this form of browsing-activity tracking.
However, it should be noted that tracking techniques of this kind can still be used by other companies or by malicious actors. They can also expose users' browsing history to third parties: any other app on the device that binds the same local port would receive the same cookies and page URLs the scripts send.
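A practitioner's check that follows from the paragraph above, as an added example (not from the researchers): which installed apps on an Android device have sockets open on the loopback interface, and which app is currently connected to them. It parses the kernel's /proc/net/tcp and /proc/net/udp tables, as pulled with `adb shell cat /proc/net/tcp` and `adb shell cat /proc/net/udp`, and maps socket owners to packages using `adb shell pm list packages -U`. All sample rows, UIDs, ports and package names below are constructed for the example; none are the real ports or packages involved in the reported tracking.

```python
"""Find which installed apps expose loopback listeners on an Android device,
and which app is currently talking to them.  Added example, not from the
researchers; it parses /proc/net/tcp, /proc/net/udp and `pm list packages -U`
output.  All sample data below is constructed."""
import re
import socket
import struct

LOOPBACK = "127.0.0.1"
ANY = "0.0.0.0"            # a wildcard bind is reachable from loopback too
TCP_LISTEN, TCP_ESTABLISHED, UDP_BOUND = "0A", "01", "07"


def decode_addr(hex_addr):
    """'0100007F:4E20' -> ('127.0.0.1', 20000).  The kernel writes the IPv4
    address in host byte order, which is little-endian on Android's ARM/x86."""
    ip_hex, port_hex = hex_addr.split(":")
    return socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16))), int(port_hex, 16)


def parse_proc_net(text):
    """Yield one dict per socket row of a /proc/net/{tcp,udp} table."""
    for line in text.splitlines()[1:]:           # first line is the header
        cols = line.split()
        if len(cols) < 8:
            continue
        yield {"local": decode_addr(cols[1]), "remote": decode_addr(cols[2]),
               "state": cols[3], "uid": int(cols[7])}


def parse_pm_packages(text):
    """'package:com.example.app uid:10321' lines -> {uid: [package, ...]}."""
    uid_map = {}
    for m in re.finditer(r"package:(\S+)\s+uid:(\d+)", text):
        uid_map.setdefault(int(m.group(2)), []).append(m.group(1))
    return uid_map


def loopback_listeners(tcp_text, udp_text, pm_text):
    """Sockets any browser on the device could reach, with the owning app."""
    uid_map = parse_pm_packages(pm_text)
    found = []
    for proto, text, state in (("tcp", tcp_text, TCP_LISTEN), ("udp", udp_text, UDP_BOUND)):
        for s in parse_proc_net(text):
            ip, port = s["local"]
            if s["state"] == state and ip in (LOOPBACK, ANY):
                found.append({"proto": proto, "ip": ip, "port": port, "uid": s["uid"],
                              "packages": uid_map.get(s["uid"], ["<uid %d, no app package>" % s["uid"]])})
    return sorted(found, key=lambda r: (r["proto"], r["port"]))


def loopback_flows(tcp_text, pm_text):
    """Established loopback-to-loopback TCP connections: which uid (e.g. a
    browser) is connected to which listener.  Each connection appears twice
    in the table, once per end; the client end is the one whose remote port
    belongs to a listener."""
    uid_map = parse_pm_packages(pm_text)
    socks = list(parse_proc_net(tcp_text))
    owner = {s["local"][1]: s["uid"] for s in socks
             if s["state"] == TCP_LISTEN and s["local"][0] in (LOOPBACK, ANY)}
    flows = []
    for s in socks:
        rip, rport = s["remote"]
        if s["state"] == TCP_ESTABLISHED and s["local"][0] == LOOPBACK \
                and rip == LOOPBACK and rport in owner:
            flows.append({"client_uid": s["uid"], "client": uid_map.get(s["uid"], ["?"]),
                          "port": rport, "server_uid": owner[rport],
                          "server": uid_map.get(owner[rport], ["?"])})
    return flows


# --- constructed sample output, not captured from a real device ---
SAMPLE_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:4E20 00000000:0000 0A 00000000:00000000 00:00000000 00000000 10321        0 40011 1 0000000000000000 100 0 0 10 0
   1: 0100007F:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 40012 1 0000000000000000 100 0 0 10 0
   2: 0100007F:A3B4 0100007F:4E20 01 00000000:00000000 00:00000000 00000000 10159        0 40013 1 0000000000000000 20 4 30 10 -1
   3: 0100007F:4E20 0100007F:A3B4 01 00000000:00000000 00:00000000 00000000 10321        0 40014 1 0000000000000000 20 4 30 10 -1
"""
SAMPLE_UDP = """\
   sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode ref pointer drops
  100: 0100007F:3039 00000000:0000 07 00000000:00000000 00:00000000 00000000 10321        0 40020 2 0000000000000000 0
  101: 00000000:0044 00000000:0000 07 00000000:00000000 00:00000000 00000000  1000        0 40021 2 0000000000000000 0
"""
SAMPLE_PM = """\
package:com.example.socialapp uid:10321
package:com.example.browser uid:10159
package:com.example.mapsapp uid:10322
"""

if __name__ == "__main__":
    for r in loopback_listeners(SAMPLE_TCP, SAMPLE_UDP, SAMPLE_PM):
        print("%s %s:%d uid=%d %s" % (r["proto"], r["ip"], r["port"], r["uid"], r["packages"]))
    for f in loopback_flows(SAMPLE_TCP, SAMPLE_PM):
        print("flow: %s -> 127.0.0.1:%d (%s)" % (f["client"], f["port"], f["server"]))
```

Run it against real device output by replacing the three sample strings with the captured text. The constructed tables contain one app (uid 10321) listening on TCP 20000 and UDP 12345, a system listener on 8080 (uid 1000, which `pm list packages` does not cover), a wildcard UDP bind on port 68, and a live connection from the browser uid to the app's port 20000. Two caveats: a listener bound to 0.0.0.0 is reachable from loopback as well and is reported for that reason, and on recent Android releases an unprivileged `adb shell` may be denied read access to /proc/net, in which case the same tables have to be collected from a rooted shell.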
According to the investigation, the Russian technology company has been using this technique to track users' browsing since 2017. Meta, the company led by Mark Zuckerberg, began using it in September 2024.
Furthermore, according to data from the monitoring website BuiltWith, the Meta Pixel script is installed on more than 5.8 million websites, while Yandex Metrica is present on around 3 million.
So far, this technique has only been identified in web scripts from Meta and Yandex, and only targeting Android devices, although the researchers have made clear that a similar data exchange between iOS browsers and native apps cannot be ruled out.
IMDEA Networks has emphasized that this tracking method "exploits unrestricted access to local sockets on Android platforms" without the user being aware of it, and that "current privacy controls are insufficient to control and mitigate it."
They therefore point to the need for long-term solutions: managing which apps and websites may access local ports, alerting users when such access is attempted, and stricter platform policies backed by enforcement measures to prevent misuse.
ABC.es