In a troubling discovery for privacy advocates, independent researchers have found that major tech companies, including Meta and Yandex, have been secretly using a loophole in Android to track users’ browsing activity — even when those users believe they’re browsing privately.
Bypassing Android’s Privacy Protections
Android relies on a system called sandboxing to keep apps isolated from one another, limiting the ability to share data without explicit permission. However, researchers uncovered a workaround involving localhost connections — internal communication channels within the device. Because Android doesn’t require special permissions for these connections, apps have been able to quietly transfer tracking data, such as cookies, across otherwise sandboxed boundaries.
This method allowed apps like Facebook to link anonymous web activity to specific users, effectively bypassing private browsing protections and undermining user privacy.
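As an added, defender-side example (not code from the article or from the researchers it cites): a script that reads a /proc/net/tcp-style socket table and reports app-owned listeners on loopback plus established loopback connections that span two app UIDs, which is the kind of cross-sandbox channel described above. It assumes the table is readable on the device (for example from an adb shell; regular apps on current Android cannot read it), and its sample rows are constructed.

```python
# Added example, not from the article: parse a /proc/net/tcp style socket table and
# flag (a) app-UID sockets listening on loopback and (b) established loopback
# connections whose two ends belong to different UIDs. Sample data is constructed.
import socket
import struct

LISTEN, ESTABLISHED = "0A", "01"   # kernel TCP state codes as printed in /proc/net/tcp

# Constructed sample. On Android, UIDs >= 10000 belong to installed apps; here
# uid 10234 listens on 127.0.0.1:8080 and uid 10100 has connected to it.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000 10234        0 40001 1 0000000000000000 100 0 0 10 0
   1: 00000000:0035 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1051        0 40002 1 0000000000000000 100 0 0 10 0
   2: 0100007F:C350 0100007F:1F90 01 00000000:00000000 00:00000000 00000000 10100        0 40003 1 0000000000000000 100 0 0 10 0
   3: 0100007F:1F90 0100007F:C350 01 00000000:00000000 00:00000000 00000000 10234        0 40004 1 0000000000000000 100 0 0 10 0
"""

def _addr(hexaddr):
    """Decode 'IPHEX:PORTHEX'; the IPv4 word is stored in host (little-endian) order."""
    ip_hex, port_hex = hexaddr.split(":")
    return socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16))), int(port_hex, 16)

def parse_proc_net_tcp(text):
    """Return one dict per socket row: local/remote ip+port, state code and owning uid."""
    rows = []
    for line in text.splitlines()[1:]:          # first line is the column header
        f = line.split()
        if len(f) < 8:
            continue
        (lip, lport), (rip, rport) = _addr(f[1]), _addr(f[2])
        rows.append({"lip": lip, "lport": lport, "rip": rip, "rport": rport,
                     "state": f[3], "uid": int(f[7])})
    return rows

def loopback_listeners(rows, app_uid_min=10000):
    """(uid, port) of listeners reachable over loopback, owned by UIDs >= app_uid_min."""
    return sorted({(r["uid"], r["lport"]) for r in rows
                   if r["state"] == LISTEN and r["uid"] >= app_uid_min
                   and (r["lip"].startswith("127.") or r["lip"] == "0.0.0.0")})

def cross_app_loopback_flows(rows):
    """(client_uid, listener_uid, port) for loopback connections spanning two UIDs."""
    owner = {port: uid for uid, port in loopback_listeners(rows, app_uid_min=0)}
    flows = set()
    for r in rows:                              # only the client-side row has rport == listener port
        if r["state"] == ESTABLISHED and r["rip"].startswith("127.") and r["rport"] in owner:
            if owner[r["rport"]] != r["uid"]:
                flows.add((r["uid"], owner[r["rport"]], r["rport"]))
    return sorted(flows)
```

On a real device, feed the contents of /proc/net/tcp (and /proc/net/tcp6 for IPv6 loopback) to parse_proc_net_tcp and map the reported UIDs to package names with `pm list packages --uid` or `cmd package list packages -U`.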
Tracking Through Meta Pixel
The core of the technique revolves around the Meta Pixel — a widely used analytics script embedded in countless websites. By monitoring which sites a user visits that include this pixel, and linking that activity through the _fbp cookie, apps could track user behavior across the web.
Researchers compared the method to email tracking, where invisible images in emails confirm when a message is opened. However, this approach is significantly more sophisticated and difficult to detect. Even after some vulnerabilities were patched, the apps adapted to continue their surveillance efforts.
Companies Under Investigation
Yandex, the Russian search engine giant, is believed to have used this tactic for over eight years. Meta’s use of the method was first spotted in September 2024. Neither company responded to Ars Technica’s request for comment.
In response to the findings, both Google and Mozilla (makers of Chrome and Firefox, respectively) confirmed they are investigating potential violations of their platforms’ terms of service. Both stated that such behavior directly violates user privacy expectations and is not permitted.
Attempt to Cover Tracks?
Interestingly, within hours of the story breaking, researchers noted that the suspicious traffic between Meta Pixel and localhost ports had stopped. In addition, nearly all code referencing the _fbp tracking cookie was removed from the affected apps — a move that strongly suggests an attempt to quietly shut down or hide the tracking mechanism.