
Billions of Android users may have been unknowingly tracked by Meta and Russian tech giant Yandex via a novel method that monitors fixed local ports on their devices, according to a new academic report.
The technique, uncovered by cybersecurity researcher Günes Acar of Radboud University, allegedly allowed popular apps like Facebook and Instagram to silently listen for hidden tracking data. The situation raises concerns about user privacy and Android’s security architecture.
“This web-to-app ID sharing method bypasses typical privacy protections such as clearing cookies, Incognito Mode and Android’s permission controls,” Acar wrote in a blog post. “Worse, it opens the door for potentially malicious apps eavesdropping on users’ web activity.”
Meta cookie sharing
The first accusation involves Meta and its use of the Meta Pixel, a piece of JavaScript code generally used by advertisers to track website traffic originating from their Facebook ads. When the Meta Pixel is loaded in an Android web browser, it automatically sends an _fbp cookie to a specific set of ports.
These ports are actively monitored by several Android apps that are owned and operated by Meta, including Facebook version 515.0.0.23.90 and Instagram version 382.0.0.43.84.
The _fbp cookie contains detailed information on the user’s browsing habits, including the complete page URL, metadata from the website, and information related to page visits, purchases, donations, and additions to online shopping carts. Ultimately, this enables the linking of specific website visits to the user’s personal Facebook or Instagram account.
The Meta Pixel is currently integrated into nearly 6 million websites. To make matters worse, Meta was doing this in a way that Google Chrome’s DevTools could not detect.
According to security researchers, the Meta Pixel “is no longer sending any packets or requests to localhost” following the initial disclosure. Moreover, the snippet of code that sent the _fbp cookie has “been almost completely removed.”
Yandex user tracking
Yandex is a Russian tech company that specializes in multiple areas, including online search, email, translation, and maps. According to the recent disclosure, some apps, including Yandex Search, Yandex Browser, Yandex Navigator, and Yandex Maps, covertly create their own background services to monitor traffic on four ports (29009, 29010, 30102, and 30103).
If a user then visits a website that leverages the Yandex Metrica script, the automated script interacts with the Yandex Metrica SDK to send their encrypted device IDs to Yandex’s own servers. According to researchers, Yandex is currently integrated into nearly 3 million websites.
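A defender-side check for the local listeners described above, added here as an example and not taken from the researchers' report or from either company's code: it parses socket-table text in Linux /proc/net/tcp format and reports any socket in the LISTEN state on the four ports named in this article, along with the owning UID. It assumes the listeners are TCP and that the table text has already been collected from the device; the sample rows are constructed.

```python
import socket
import struct

# Ports the article attributes to the Yandex apps' local listeners.
YANDEX_PORTS = {29009, 29010, 30102, 30103}
TCP_LISTEN = 0x0A  # "st" value for LISTEN in /proc/net/tcp (assumes TCP listeners)

# Constructed sample in Linux /proc/net/tcp format (not captured from a real device).
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:7151 00000000:0000 0A 00000000:00000000 00:00000000 00000000 10234        0 51234 1
   1: 0100007F:7596 00000000:0000 0A 00000000:00000000 00:00000000 00000000 10234        0 51240 1
   2: 00000000:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000 10101        0 40001 1
   3: 0100007F:7152 0100007F:C350 01 00000000:00000000 00:00000000 00000000 10234        0 51300 1
"""

def parse_addr(field):
    """Decode 'HEXIP:HEXPORT'; the IPv4 address is stored little-endian."""
    ip_hex, port_hex = field.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
    return ip, int(port_hex, 16)

def find_listeners(proc_net_tcp, ports=YANDEX_PORTS):
    """Return (ip, port, uid) for every LISTEN socket bound to a watched port."""
    hits = []
    for line in proc_net_tcp.splitlines()[1:]:  # skip the header row
        cols = line.split()
        if len(cols) < 8:
            continue  # malformed or truncated row
        ip, port = parse_addr(cols[1])
        # Row 3 in the sample uses a watched port but is ESTABLISHED, so it is skipped.
        if int(cols[3], 16) == TCP_LISTEN and port in ports:
            hits.append((ip, port, int(cols[7])))
    return hits

if __name__ == "__main__":
    for ip, port, uid in find_listeners(SAMPLE):
        print(f"uid {uid} listening on {ip}:{port}")
```

On Android the UID identifies the app that owns the socket, so a hit can be mapped back to an installed package.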
Potential repercussions
The tracking activities by Meta and Yandex are a violation of modern privacy safeguards, online security controls, and Android’s permission protocol. Not only do they make users vulnerable to internet eavesdropping by the two tech giants, but some users could have their entire browsing history exposed to third-party apps that maliciously choose to monitor ports.
Although Meta has already taken action to rectify the issue, there’s no word on Yandex’s response.