You thought incognito mode kept your browsing private. You trusted your VPN to shield your online activity. But if you had Facebook or Instagram installed on your Android phone, Meta was watching anyway.
Security researchers revealed in a June 3 exposé that Meta and Russian search giant Yandex had been exploiting a little-known Android loophole to track users’ web browsing without consent, tying searches, purchases, and other online behavior directly to their real identities. The tracking worked even when users took standard privacy precautions, and most people never knew it was happening.
Meta shut down the feature on June 3, just as the research was about to go public. The timing wasn’t coincidental. Within hours of the disclosure, researchers watched Meta’s tracking code disappear from websites worldwide.
“Upon becoming aware of the concerns, we decided to pause the feature while we work with Google to resolve the issue,” a Meta spokesperson told The Register, describing the situation as a “potential miscommunication” about Google Play policies.
Google called Meta’s methods a “blatant violation” of its privacy principles and moved quickly to implement technical safeguards. Chrome 137, which began rolling out on May 26, includes countermeasures designed to block the specific technique Meta was using, though the protections are still being tested with a limited group of users.
The discovery came from an international team of computer scientists at IMDEA Networks in Spain, Radboud University in the Netherlands, and KU Leuven in Belgium. They documented how Meta and Yandex turned Android’s own architecture against its users.
Here’s how it worked
When you installed Facebook, Instagram, or certain Yandex apps, they quietly opened a local port on your phone. Think of it as a private back channel that runs entirely within your device. Android doesn’t require apps to ask for this permission, and most users have no idea it’s even possible.
Meanwhile, millions of websites had Meta Pixel or Yandex Metrica tracking scripts embedded in their code. These are tools that website owners use to measure traffic and conversions. But Meta and Yandex found a way to make them do something else entirely.
When you visit one of these websites in your Android browser, the tracking script sends a hidden message over your phone’s internal network to the Meta or Yandex app running in the background. The app would receive detailed information about what you were looking at, what you clicked, and what you bought, and then link it all to your account using your login credentials or Android advertising ID.
It didn’t matter if you were browsing in incognito mode. It didn’t matter if you’d cleared your cookies or were routing your traffic through a VPN. As long as the app was installed and running in the background, the tracking continued.
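One way a defender can look for this pattern in their own traffic is to check whether pages served from public origins are issuing requests to the loopback interface at all. The following is an added example written for this article, not code from the researchers, Meta, Yandex, or any browser vendor. It assumes a simplified request log (a list of records with the page that issued the request and the request URL, similar to what you could derive from a browser developer-tools export), and the sample records in it are constructed, including the port numbers.

```python
"""Flag web-page requests aimed at the device's loopback interface.

Added example for this article (not code from the researchers, Meta, Yandex
or any browser vendor). Input shape is an assumption: a JSON list of records
{"page": <URL of the page that issued the request>, "url": <request URL>}.
The sample log below is constructed data, not a real capture.
"""
import ipaddress
import json
from urllib.parse import urlparse

# Hostnames that always mean "this device" regardless of DNS.
LOOPBACK_NAMES = {"localhost", "localhost."}


def is_loopback(host):
    """True if host names the loopback interface (127.0.0.0/8, ::1, localhost)."""
    if host is None:
        return False
    h = host.strip("[]").lower()  # tolerate bracketed IPv6 literals
    if h in LOOPBACK_NAMES or h.endswith(".localhost"):
        return True
    try:
        return ipaddress.ip_address(h).is_loopback
    except ValueError:
        return False  # an ordinary hostname, not an IP literal


def flag_loopback_requests(entries):
    """Return (page_origin, request_url) pairs where a non-local page hit loopback."""
    findings = []
    for e in entries:
        page = urlparse(e["page"])
        req = urlparse(e["url"])
        if is_loopback(page.hostname):
            continue  # a local dev server talking to itself is expected
        if is_loopback(req.hostname):
            findings.append((f"{page.scheme}://{page.netloc}", e["url"]))
    return findings


# Constructed sample records; ports and paths are arbitrary placeholders.
SAMPLE_LOG = json.dumps([
    {"page": "https://shop.example/cart", "url": "https://shop.example/api/cart"},
    {"page": "https://shop.example/cart", "url": "http://127.0.0.1:12345/ping"},
    {"page": "https://news.example/", "url": "http://localhost:8080/x"},
    {"page": "https://news.example/", "url": "http://[::1]:9000/"},
    {"page": "http://localhost:3000/", "url": "http://localhost:3000/api"},
])


def analyse(raw_json):
    """Parse a JSON request log and return the suspicious page-to-loopback requests."""
    return flag_loopback_requests(json.loads(raw_json))


if __name__ == "__main__":
    for origin, url in analyse(SAMPLE_LOG):
        print(f"{origin} -> {url}")
```

The check deliberately ignores pages that are themselves served from localhost, since a developer's local server calling its own API is normal; what the article describes is the other case, a page from a public origin reaching into the device, and that is the only case this flags.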
Meta started doing this in September 2024. Yandex had been at it since 2017.
The scale is staggering. Meta Pixel appears on roughly 5.8 million websites. Yandex Metrica is embedded in about 3 million more. That’s billions of potential tracking points across the internet, all feeding data back to apps on users’ phones without their knowledge.
“This web-to-app ID sharing method bypasses typical privacy protections such as clearing cookies, Incognito Mode, and Android’s permission controls,” wrote Günes Acar, an assistant professor at Radboud University who helped lead the research, in a TechRepublic article. “Worse, it opens the door for potentially malicious apps eavesdropping on users’ web activity.”
The technique only worked on Android. Apple’s iOS has stricter controls on localhost communications, making a similar exploit more difficult to pull off. But the researchers cautioned that it’s not impossible, and other companies could be doing something similar without detection.
Yandex issued a statement saying it was discontinuing the practice and that the feature “does not collect any sensitive information and is solely intended to improve personalization within our apps.” The company maintained it never de-anonymized user data, though the research suggests otherwise.
Browser makers are scrambling to add protections. DuckDuckGo updated its blocklists to stop Yandex’s scripts. Brave already required user consent for localhost access, so it wasn’t affected. Firefox is still developing a fix.
But the researchers warn that these are just patches. A few tweaks to the tracking code could circumvent them. The real solution requires Android to fundamentally change how it handles localhost communications and require explicit user permission for apps that want to use them.
“The correct way of blocking this persistently is by constraining this kind of access at the mobile platform and browser level,” said Narseo Vallina-Rodriguez, an associate professor at IMDEA Networks, as reported by TechTimes.
For now, privacy advocates say the best protection is simple: be careful about which apps you install. Every app on your phone is a potential window into your online life, even when you think that window is closed.
The discovery highlights an uncomfortable truth about digital privacy. As users become more sophisticated about protecting themselves, tech companies are finding increasingly creative ways to track them anyway. And often, the only way we find out is when researchers stumble upon the methods years after they’ve been deployed.
Timeline of Events
2017 – Yandex begins using localhost tracking method via Yandex Metrica, affecting apps including Yandex Search, Browser, Navigator, and Maps
September 2024 – Meta implements a similar tracking technique through Meta Pixel, working in conjunction with Facebook and Instagram apps
May 26, 2025 – Google releases Chrome 137 with initial countermeasures against the tracking technique, though only to a limited test group
June 3, 2025 – An international research team from IMDEA Networks, Radboud University, and KU Leuven publicly discloses the “Local Mess” tracking method
June 3, 2025 – Meta halts the tracking feature within hours of disclosure; researchers observe Meta Pixel scripts stop sending localhost requests
June 3, 2025 – Google confirms the technique violates Play Store policies and Android privacy principles
June 5, 2025 – Yandex announces it’s discontinuing the practice, claiming it was only intended for app personalization
June 2025 – ongoing – Browser vendors, including Firefox, DuckDuckGo, and Brave, implement or strengthen protections; Google continues Chrome rollout of countermeasures
