Millions of Android Users Secretly Tracked: Shocking New Report Exposes Facebook, Instagram & Yandex’s Hidden Spy Tactics

Android Privacy Under Siege: Facebook, Instagram, and Yandex Caught Secretly Harvesting User Browsing Data via Hidden Backdoors

New research reveals Facebook, Instagram, and Yandex secretly tracked Android users’ web habits, bypassing privacy controls and incognito mode.

Quick Facts

  • 78% of top sites with Meta Pixel attempt hidden data handoff on Android
  • 84% of Yandex-tracked sites use even more aggressive local communication
  • 8.8 million+ websites embed Meta or Yandex tracking code globally
  • Billions of Android devices at risk of cross-platform surveillance

A bombshell report by the IMDEA Networks Institute has uncovered a sophisticated web of Android surveillance orchestrated by the world’s biggest tech platforms. Facebook and Instagram, owned by Meta, along with Russian giant Yandex, are implicated in covertly tracking billions of Android users—even those operating in incognito mode or with privacy settings enabled.

Beneath the surface, these popular apps have exploited hidden network ports to sweep up web browsing data, linking it to users’ logged-in profiles without their knowledge or consent.

Q&A: What Did Researchers Discover About Android App Tracking?

Instead of relying on easily deleted browser cookies, Facebook, Instagram, and Yandex took advantage of obscure Android features. When installed, their apps quietly set up background “listeners”—akin to private radios—on the device’s network ports. As unsuspecting users visited millions of websites laced with Meta and Yandex tracking pixels, JavaScript code silently siphoned off user identifiers and cookies, routing the data via localhost connections straight into the apps running quietly in the background.

Meta’s apps used clever WebRTC “SDP munging” tricks to hide this activity, while Yandex’s method was even more brazen, using unencrypted HTTP requests to operate like a malware “command-and-control” system, according to researchers. Yandex apps intentionally waited days after install to activate tracking—likely to dodge detection.
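A defender-side check for the background listeners described above, as an added example that is not from the IMDEA report or the original article: it parses text in the Linux /proc/net/tcp and /proc/net/udp table format and lists sockets owned by app UIDs that are bound to loopback or the wildcard address, which is what a web page can reach through localhost. The sample tables, ports and UIDs are constructed; obtaining such a dump from a device and mapping UIDs to package names are assumed to be done separately.

```python
import ipaddress

TCP_LISTEN = "0A"        # "st" column value for a listening TCP socket
AID_APP_START = 10000    # Android app UIDs satisfy uid % 100000 >= 10000

# Constructed samples in /proc/net/tcp and /proc/net/udp format (not real captures).
SAMPLE_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:9C40 00000000:0000 0A 00000000:00000000 00:00000000 00000000 10234        0 51234
   1: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1200
   2: 0F02000A:A1B2 0A0200C0:01BB 01 00000000:00000000 00:00000000 00000000 10234        0 51240
"""
SAMPLE_UDP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode ref pointer drops
   0: 0100007F:C350 00000000:0000 07 00000000:00000000 00:00000000 00000000 10187        0 60011 2 0000000000000000 0
"""

def decode_addr(field):
    """Decode '0100007F:1F90' into (IPv4Address('127.0.0.1'), 8080)."""
    hex_ip, hex_port = field.split(":")
    raw = bytes.fromhex(hex_ip)
    # The kernel prints each 32-bit word in host (little-endian) byte order.
    fixed = b"".join(raw[i:i + 4][::-1] for i in range(0, len(raw), 4))
    ip = ipaddress.ip_address(fixed)
    ip = getattr(ip, "ipv4_mapped", None) or ip   # ::ffff:127.0.0.1 -> 127.0.0.1
    return ip, int(hex_port, 16)

def local_listeners(table_text, proto):
    """Return app-owned sockets that a browser could reach via localhost."""
    found = []
    for line in table_text.strip().splitlines()[1:]:   # skip the header row
        f = line.split()
        ip, port = decode_addr(f[1])
        remote_ip, remote_port = decode_addr(f[2])
        uid = int(f[7])
        if proto == "tcp":
            listening = f[3] == TCP_LISTEN
        else:   # UDP has no LISTEN state: treat "bound, no peer" as listening
            listening = remote_port == 0 and remote_ip.is_unspecified
        reachable = ip.is_loopback or ip.is_unspecified
        if listening and reachable and uid % 100000 >= AID_APP_START:
            found.append({"proto": proto, "addr": str(ip), "port": port, "uid": uid})
    return found

if __name__ == "__main__":
    for s in local_listeners(SAMPLE_TCP, "tcp") + local_listeners(SAMPLE_UDP, "udp"):
        print(s)
```

The same function accepts tcp6/udp6 tables, where apps often appear with IPv4-mapped addresses. A listener flagged here is only a candidate for review, since many apps open local sockets for legitimate reasons.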

How Many Users and Sites Are Impacted?

The scale is vast: Over 5.8 million websites include Meta’s tracking pixel, and Yandex Metrica is present on 3 million more. Researchers found that among the world’s top 100,000 websites, nearly 8 out of 10 of those carrying Meta Pixel attempted covert localhost communication on Android devices.

As a result, billions of Android users globally could have their private browsing sessions—including activity in incognito or with privacy protections enabled—linked directly to their logged-in app identities.

How Is This Different from Regular Web Tracking?

Traditional ad trackers rely on browser cookies or storage mechanisms users can clear, avoid, or block—especially with privacy-focused browsers like Firefox and Safari. But these Android techniques operate at the operating system level, bypassing browser controls, private browsing, and even location setting restrictions. The surveillance continues even if users aren’t logged into Facebook or Instagram in their browser.

Could This Open the Door for Hackers?

Yes, and here’s the most alarming part: The research team built a proof-of-concept app that could piggyback on this localhost loophole. Any malicious app using Yandex’s method could harvest users’ full browsing history in real time—no user consent needed. The lack of encryption in Yandex’s system makes it even more dangerous.

Did Meta or Yandex Inform Users or Developers?

Most website owners appeared unaware of these secret data handoffs. Public developer forums have long documented confused reports of Meta pixels connecting to local ports, with little to no acknowledgment from either Meta or Yandex in their documentation or support responses.

What Is Being Done to Stop This?

The research went public in early June 2025. Almost instantly, Meta appeared to halt its hidden tracking tactics—Facebook’s covert data collection stopped the very day the scandal broke. In response, Google Chrome (version 137, released May 2025) now blocks the exploited ports and disables the WebRTC tricks. Other browser makers are following suit.

Yet, as IMDEA’s Narseo Vallina-Rodriguez explains, this is only a temporary fix—the root problem is Android’s lack of control over localhost communications. Future platform-level changes and stricter app store policies are needed for lasting user protection.

How Can Android Users Protect Themselves Now?

Until platform-level safeguards arrive, researchers recommend uninstalling Facebook, Instagram, and all affected Yandex apps and using privacy-first browsers. But for many, this is an impractical sacrifice that highlights the degree to which user choice and consent have been bypassed in today’s app ecosystem.

How-To: Defend Your Browsing Privacy on Android

  • Remove or disable apps you do not trust, especially Facebook, Instagram, and Yandex-branded apps
  • Keep your browser—and your device—updated to the latest version
  • Use privacy-focused browsers with strict anti-tracking features
  • Monitor developer research, privacy news, and reviews on reputable destinations like Ars Technica and Wired
  • Avoid logging into sensitive apps while browsing, or use a dedicated device

Protect Your Data—Stay Informed, Act Now!

  • ✔ Update your Android browser (look for Chrome 137 or later)
  • ✔ Uninstall suspicious or untrusted apps
  • ✔ Switch to privacy-first tools where possible
  • ✔ Support independent science reporting so investigations like this continue

By Moira Zajic
