Facebook, Yandex Apps Secretly Track Users Via Hidden Ports, Research Claims

Facebook and Instagram apps have been secretly listening on hidden network ports to track Android users’ web browsing without consent, according to new research from IMDEA Networks Institute.

The tracking system bypasses Android’s privacy controls, works even in incognito mode, and affects millions of websites embedded with Meta’s tracking code. Russian tech giant Yandex has used similar methods since 2017, creating an unprecedented cross-platform surveillance network that links users’ mobile identities to their web browsing habits across billions of devices worldwide.

The Hidden Localhost Backdoor

The tracking works by exploiting a little-known feature of Android’s permission system. When users install Facebook or Instagram, these apps quietly create background services that listen on specific network ports, like secret radio frequencies tuned to capture data from web browsers on the same device.

Here’s how the surveillance unfolds: When Android users visit websites containing Meta’s tracking pixel, JavaScript code silently sends their browsing cookies through localhost connections to any Facebook or Instagram apps running in the background. The apps then link this web activity to users’ logged-in accounts and relay the enriched data to Meta’s servers.

“What’s interesting here is where the bridging happens and how it allows these trackers to de-anonymize users’ mobile web traffic,” explains Aniketh Girish, a PhD student at IMDEA Networks who co-authored the research. “In the case of Meta’s Pixel, it uses localhost channels to share browser identifiers via WebRTC with their native apps like Facebook or Instagram, where the data is linked to the user’s logged-in account and quietly relayed to Meta’s servers by the app.”

Yandex’s More Sophisticated Approach

Yandex takes an even more invasive approach. The Russian company’s apps, including Maps, Navigator, Browser, and Search, implement what researchers describe as a “command-and-control” system that resembles malware behavior.

“What surprised me most was the dynamic nature of Yandex apps using the AppMetrica SDK,” notes PhD student Nipuna Weerasekara, another researcher on the team. “Yandex implements this tracking method in a way that resembles command-and-control nodes in malware, retrieving listening port configurations and start-up delays from Yandex servers at runtime.”

Yandex apps wait up to three days after installation before activating their tracking capabilities, a delay researchers believe is intentional to evade detection.

Scale of the Surveillance

The scope of this tracking is staggering. Meta’s pixel appears on approximately 5.8 million websites, while Yandex Metrica is embedded in around 3 million sites. This means the tracking potentially affects billions of Android users who visit these websites.

In testing across the top 100,000 websites, researchers found that roughly 78% of sites with Meta’s pixel attempted localhost communications without explicit user consent. For Yandex, that figure was even higher at 84%.

What Makes This Different

Unlike traditional web tracking that browsers can block, this method operates at the operating system level. It works regardless of whether users:

  • Clear their cookies or browsing data
  • Use incognito or private browsing modes
  • Are logged out of Facebook or Instagram in their browser
  • Have disabled location tracking or other privacy settings

The tracking defeats Android’s built-in privacy protections because it doesn’t rely on traditional web cookies or browser storage that users can control.

The Malicious App Risk

Perhaps most concerning, this technique opens the door for potentially malicious apps to eavesdrop on users’ complete browsing histories. The researchers developed a proof-of-concept app demonstrating how any malicious application could listen on the same ports and harvest users’ website visits in real time.

Since Yandex uses unencrypted HTTP requests (unlike Meta’s more sophisticated WebRTC approach), any app listening on the required ports can monitor which websites users visit, creating a complete browsing history log accessible to third-party apps.

Website Owners Left in the Dark

Evidence suggests that many website operators integrating these tracking tools had no idea about the localhost communications. Developer forums show confused website owners questioning why Meta’s pixel was connecting to local ports, with complaints dating back to September 2024.

One developer noted in forum posts: “No acknowledgement has come from Meta at all on this though. My support request with them got a generic response and then ignored thereafter.”

Neither Meta nor Yandex appears to have documented these tracking capabilities in their official developer documentation.
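For site owners who want to know whether a third-party tag on their pages talks to the device’s loopback interface, here is an added audit hook (example code written for this article, not from the IMDEA study, Meta or Yandex). It wraps fetch() to catch plain HTTP requests to localhost (the Yandex pattern described above) and RTCPeerConnection’s description setters to flag SDP whose ICE candidates point at 127.0.0.1 or ::1 (the WebRTC path Meta’s pixel used); the `report` callback and the `page.invalid` base URL are assumptions of this example.

```javascript
// Added audit hook (not code from the IMDEA study, Meta or Yandex): report embedded scripts
// that reach the loopback interface by plain HTTP or via WebRTC session descriptions.
const LOOPBACK_HOSTS = new Set(["localhost", "127.0.0.1", "[::1]", "::1"]);

// True when a URL (absolute, or relative to the page) targets the loopback interface.
function isLoopbackUrl(url) {
  try {
    const { hostname } = new URL(String(url), "https://page.invalid/");
    return LOOPBACK_HOSTS.has(hostname) || hostname.startsWith("127.");
  } catch (_) {
    return false; // unparsable input cannot open a connection
  }
}

// Every "a=candidate:" line of an SDP blob whose connection address is loopback.
// Field layout: candidate:<foundation> <component> <transport> <priority> <ip> <port> typ ...
function findLoopbackCandidates(sdp) {
  const hits = [];
  for (const raw of String(sdp).split(/\r?\n/)) {
    const line = raw.trim();
    if (!line.startsWith("a=candidate:")) continue;
    const f = line.slice(2).split(/\s+/);
    if (f.length >= 6 && (f[4] === "::1" || f[4].startsWith("127.")))
      hits.push({ ip: f[4], port: Number(f[5]), line });
  }
  return hits;
}

// Replace obj[name] with a version that runs `check` on the arguments first. Returns 1 if hooked.
function wrap(obj, name, check) {
  if (!obj || typeof obj[name] !== "function") return 0;
  const orig = obj[name];
  obj[name] = function (...args) { check(...args); return orig.apply(this, args); };
  return 1;
}

// Hook fetch() and RTCPeerConnection.setLocal/RemoteDescription on `root` (window in a
// browser); loopback-bound activity goes to report(kind, detail). Returns hooks installed.
function installLoopbackAudit(root, report) {
  const pc = root.RTCPeerConnection && root.RTCPeerConnection.prototype;
  const sdpCheck = (name) => (desc) =>
    findLoopbackCandidates((desc && desc.sdp) || "").forEach((h) => report(name, h.line));
  const fetchCheck = (input) => {
    const url = typeof input === "string" ? input : (input && (input.url || input.href)) || "";
    if (isLoopbackUrl(url)) report("fetch", url);
  };
  return wrap(root, "fetch", fetchCheck) +
    wrap(pc, "setLocalDescription", sdpCheck("setLocalDescription")) +
    wrap(pc, "setRemoteDescription", sdpCheck("setRemoteDescription"));
}
```

Load it before any third-party tag (e.g. `installLoopbackAudit(window, (kind, detail) => console.warn("loopback", kind, detail))`); it only observes and never blocks, so it is safe to run on a live site while investigating.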

Browser Vendors Fight Back

Following the researchers’ disclosure, major browser makers are implementing countermeasures. Chrome version 137, released in late May 2025, includes specific protections against these tracking methods. The browser now blocks the abused ports and disables the SDP munging technique Meta used to hide data transfers.

Other browsers are following suit, though the fixes only address the current implementation. As research leader Narseo Vallina-Rodriguez notes: “The fundamental issue enabling this attack is the lack of control over local host communications on most modern platforms.”

Interestingly, Meta’s tracking suddenly stopped on June 3rd, the same day the research went public. “We don’t know why Facebook stopped using this technique on the day of our public release,” the researchers note, “but we’re happy to see that Android users are no longer affected by this type of abuse after our disclosure (for now).”

A Broader Platform Problem

The research highlights a fundamental security gap in how mobile platforms handle localhost communications. As Vallina-Rodriguez explains: “Technical mitigations should not disrupt legitimate usages of localhost sockets like anti-fraud or authentication methods, so it is necessary to complement any technical solution such as new sandboxing principles and more testing models with stricter platform policies and store vetting processes to limit abuse.”

Until platform-level fixes arrive, the only complete protection for Android users is avoiding Facebook, Instagram, and the affected Yandex apps altogether, a drastic step that highlights how this tracking technique undermines user choice and consent in the digital ecosystem.
