They discovered that native Android apps, including Facebook, Instagram, and several Yandex apps such as Maps, Navi, Browser, and Search, silently listen on fixed local ports of mobile devices to de-anonymize users' browsing habits without their consent.
By embedding tracking code in millions of websites, Meta's Pixel and Yandex Metrica have been able to map the browsing habits of Android users to their persistent identities (i.e., while the account holder is logged in). This method bypasses the privacy protections offered by Android's permission controls and even Incognito mode, affecting major Android browsers. The international research team has informed several browser vendors of the issue, and they are actively working on measures to limit this type of abuse. For example, Chrome's mitigation is expected to be implemented very soon.
These tracking companies have been engaging in this evasion for a long time: since 2017 in the case of Yandex, and since September 2024 in the case of Meta. The number of people affected by this abuse is high, given that Meta Pixel and Yandex Metrica are estimated to be installed on 5.8 million and 3 million websites, respectively. It is also worth noting that evidence of this tracking practice has only been observed on Android.
The Meta Pixel and Yandex Metrica procedure:
Under the Android operating system's permissions model, any application that declares the INTERNET permission can easily create and run a local server in the background, inside the app process, using TCP (HTTP) or UDP (WebRTC) sockets. In the web context, most modern browsers give JavaScript code the ability to send HTTP requests or WebSocket messages to the local host (127.0.0.1), or to use the WebRTC API to send messages to a server listening there.
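The web side of the channel described above is ordinary browser traffic, so a site operator or browser engineer reviewing third-party scripts can look for it. The following is an added example, not code from the article or from the research team: it classifies logged request URLs (HTTP, HTTPS, WebSocket) and WebRTC ICE candidate lines and flags any that target a loopback address on the device. The log entries, script names and port numbers are constructed placeholders for illustration, not values used by any real SDK.

```javascript
// Added example: flag page-initiated traffic that targets a loopback listener.
// Sample input below is constructed; ports and script names are placeholders.

const LOOPBACK_NAMES = new Set(["localhost", "::1", "0.0.0.0"]);

function isLoopbackHost(host) {
  // URL.hostname keeps IPv6 literals in brackets; ICE lines do not.
  const h = host.toLowerCase().replace(/^\[|\]$/g, "");
  // 0.0.0.0 reaches the local host on most stacks; *.localhost names resolve
  // to loopback in modern browsers.
  if (LOOPBACK_NAMES.has(h) || h.endsWith(".localhost")) return true;
  // Any address in 127.0.0.0/8 is loopback, not only 127.0.0.1.
  const m = /^127\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(h);
  return m !== null && m.slice(1).every((o) => Number(o) <= 255);
}

function requestTarget(url) {
  // Covers the HTTP(S) and WebSocket paths the article mentions.
  let u;
  try { u = new URL(url); } catch { return null; }
  const defaults = { "http:": 80, "ws:": 80, "https:": 443, "wss:": 443 };
  if (!(u.protocol in defaults)) return null;
  return {
    host: u.hostname.replace(/^\[|\]$/g, ""),
    port: u.port ? Number(u.port) : defaults[u.protocol],
    via: u.protocol.slice(0, -1),
  };
}

function iceCandidateTarget(line) {
  // SDP candidate line (RFC 5245):
  // "candidate:<foundation> <component> <transport> <priority> <addr> <port> typ <type> ..."
  const f = line.trim().replace(/^a=/, "").split(/\s+/);
  if (f.length < 8 || !f[0].startsWith("candidate:") || f[6] !== "typ") return null;
  return { host: f[4], port: Number(f[5]), via: `webrtc-${f[2].toLowerCase()}` };
}

function findLoopbackContacts(entries) {
  // Each entry: { script, kind: "request" | "ice", value }
  const findings = [];
  for (const e of entries) {
    const t = e.kind === "ice" ? iceCandidateTarget(e.value) : requestTarget(e.value);
    if (t && isLoopbackHost(t.host)) {
      findings.push({ script: e.script, via: t.via, host: t.host, port: t.port });
    }
  }
  return findings;
}

// Constructed sample of what a page-level request/ICE log might contain.
const SAMPLE_LOG = [
  { script: "example-tracker.js", kind: "request", value: "http://127.0.0.1:12345/collect?id=abc" },
  { script: "example-tracker.js", kind: "request", value: "ws://localhost:12346/" },
  { script: "example-tracker.js", kind: "ice", value: "a=candidate:1 1 udp 2122260223 127.0.0.1 45678 typ host" },
  { script: "site-app.js", kind: "request", value: "https://api.example.com/v1/session" },
  { script: "site-app.js", kind: "ice", value: "a=candidate:2 1 udp 1686052607 203.0.113.7 50000 typ srflx raddr 192.0.2.5 rport 50000" },
  { script: "site-app.js", kind: "request", value: "http://[::1]:8080/health" },
];

for (const f of findLoopbackContacts(SAMPLE_LOG)) {
  console.log(`${f.script} -> ${f.host}:${f.port} via ${f.via}`);
}
```

The point of checking the whole 127.0.0.0/8 range, `*.localhost` names and IPv6 `::1` rather than the single string `127.0.0.1` is that a check keyed on one literal is easy to slip past; the same reasoning applies to the browser-side mitigations the article says vendors are working on. Note that a finding here means a script contacted a local listener, which has legitimate uses too, so it is a review trigger rather than proof of tracking.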
“What’s interesting here is where the connection occurs and how it allows these trackers to deanonymize users’ mobile web traffic. In the case of Meta’s Pixel, it uses local channels to share browser identifiers via WebRTC with its native apps, such as Facebook or Instagram. The data is linked to the logged-in user’s account, and the app silently relays it to Meta’s servers. Yandex takes a more passive, but equally invasive, approach: its AppMetrica SDK, integrated into Yandex apps, listens on local ports, captures incoming web tracking data, aggregates it with mobile-level identifiers, such as the Android advertising ID, and sends the enriched profile to the Yandex Pixel embedded in the website,” explains Aniketh Girish, a PhD student at IMDEA Networks and one of the researchers involved in this work. “Despite using different tactics, both trackers achieve the same result: seamlessly linking mobile and web identities without the user having to register,” she adds.
Speaking about Yandex Metrica, PhD student Nipuna Weerasekara, another researcher involved in this study, is clear: “What surprised me most was the dynamic nature of Yandex apps using the AppMetrica SDK. Yandex implements this tracking method similarly to malware command and control nodes, retrieving listening port configurations and startup delays from Yandex servers at runtime. We observed that these apps wait up to three days after installation before activating their local host listeners. Our hypothesis is that this is an intentional delay to evade investigations. This design allows Yandex apps to adapt instantly and potentially evade browser-level mitigations in Google Chrome, such as static local port blocking. By simply rotating ports on the server, these apps can maintain a persistent web-to-app data channel despite countermeasures.”
Preventing Abuse:
For Narseo Vallina-Rodríguez, associate research professor at IMDEA Networks and leader of the research group, the solution to preventing this type of abuse is for mobile platforms and browsers to review how they manage access to local ports. “The fundamental problem that enables this attack is the lack of control over local host communications on most modern platforms. Until our disclosure, Android users targeted by Yandex and Meta Pixel were completely defenseless against this tracking method. It is possible that most browser manufacturers and platform operators did not even consider this abuse in their threat models.” However, he adds, “therefore, technical mitigations should not disrupt legitimate uses of local host sockets, such as anti-fraud or authentication methods. Any technical solutions, such as new sandboxing principles and stricter testing models, must be complemented by stricter platform policies and store verification processes to limit abuse and thus deter other tracking services from using similar methods in the future.”
Currently, there is no evidence that Meta or Yandex disclosed these tracking capabilities to either the websites hosting the trackers or the end users visiting them. Information from developer forums suggests that Meta and Yandex may not have communicated this behavior to developers of websites integrating their tracking solutions. In fact, many website operators using Meta Pixel were surprised when the script began connecting to local ports, as several forum threads suggest. Until Google and other major browsers respond, the only way to prevent these abuses is to avoid downloading apps like Facebook or Instagram, and the Yandex apps mentioned earlier.
Gunes Acar, an adjunct professor at Radboud University who co-led the research and made the initial discovery, emphasizes: “Meta not only failed to inform website owners about this tracking method, but also ignored their complaints and questions.” He concludes: “This type of cross-platform tracking is unprecedented, and it’s especially shocking coming from two companies that serve billions of users worldwide.” Regarding the protections implemented as a result of their disclosures, “We are pleased to see that browser developers, such as Chrome and DuckDuckGo, have already released fixes thanks to our findings.”
