Facebook and Yandex apps secretly track users through hidden ports, research claims

The Facebook and Instagram apps have been secretly listening on hidden network ports to track Android users’ web browsing, according to new research from the IMDEA Networks Institute.
The tracking bypasses Android’s privacy controls, works even in incognito mode, and affects millions of websites that embed Meta’s tracking code. Since 2017, Russian tech giant Yandex has used a similar approach to build an unprecedented cross-platform tracking network that links users’ mobile identities to their web browsing habits across billions of devices worldwide.
Hidden localhost backdoor
The tracking relies on a lesser-known aspect of Android’s permission model. When a user installs Facebook or Instagram, the apps quietly start background services that listen on specific network ports, positioned to capture data from a web browser running on the same device.
The tracking works as follows: when an Android user visits a website that embeds the Meta Pixel, the Pixel’s JavaScript silently sends the browser’s cookies over a localhost connection to any Facebook or Instagram app running in the background. The app then links this web activity to the user’s logged-in account and forwards the enriched data to Meta’s servers.
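A defender’s first check for the pattern described above is to ask which installed apps hold listening sockets on the loopback interface. The script below is an added example, not code from the article or the IMDEA study: it parses the Linux/Android /proc/net/tcp table (readable on a device with adb) and reports LISTEN sockets bound to 127.0.0.0/8 that belong to app UIDs. The sample table, ports and UIDs are constructed placeholders, not the values used by the apps in the article.

```python
"""Flag loopback listeners owned by app UIDs in /proc/net/tcp output.

Added example, not from the article or the IMDEA study. The sample lines,
port numbers and UIDs below are constructed placeholders.
"""

LISTEN = 0x0A            # TCP state code for LISTEN in /proc/net/tcp
FIRST_APP_UID = 10000    # Android assigns installed apps UIDs from 10000 upward

# Constructed sample: a root-owned daemon, an app bound to 0.0.0.0, two
# loopback listeners owned by one app UID, and one established (non-listening)
# connection that must not be reported.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 00000000:2382 00000000:0000 0A 00000000:00000000 00:00000000 00000000 10057        0 12346 1 0000000000000000 100 0 0 10 0
   2: 0100007F:2F61 00000000:0000 0A 00000000:00000000 00:00000000 00000000 10123        0 12347 1 0000000000000000 100 0 0 10 0
   3: 0100007F:2F62 00000000:0000 0A 00000000:00000000 00:00000000 00000000 10123        0 12348 1 0000000000000000 100 0 0 10 0
   4: 0100007F:2F61 0100007F:C3A0 01 00000000:00000000 00:00000000 00000000 10123        0 12349 1 0000000000000000 100 0 0 10 0
"""


def decode_addr(hex_addr):
    """Decode an 'IIIIIIII:PPPP' field (IPv4 little-endian hex, port hex)."""
    ip_hex, port_hex = hex_addr.split(":")
    octets = [int(ip_hex[i:i + 2], 16) for i in range(6, -1, -2)]
    return ".".join(map(str, octets)), int(port_hex, 16)


def loopback_app_listeners(text):
    """Return {uid: sorted ports} for LISTEN sockets on 127.0.0.0/8 owned by app UIDs."""
    found = {}
    for line in text.splitlines()[1:]:          # first line is the header
        fields = line.split()
        if len(fields) < 8:
            continue
        ip, port = decode_addr(fields[1])       # local_address
        state, uid = int(fields[3], 16), int(fields[7])
        if state == LISTEN and ip.startswith("127.") and uid >= FIRST_APP_UID:
            found.setdefault(uid, set()).add(port)
    return {uid: sorted(ports) for uid, ports in found.items()}


if __name__ == "__main__":
    for uid, ports in loopback_app_listeners(SAMPLE_PROC_NET_TCP).items():
        print(f"app uid {uid} listens on 127.0.0.1 ports {ports}")
```

On a real device, `adb shell cat /proc/net/tcp` supplies the input and `adb shell pm list packages --uid <uid>` maps a reported UID back to the package name.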
“What’s interesting here is where the bridging happens and how these trackers piggyback on the user’s mobile network traffic,” explains Aniketh Girish, a PhD student at IMDEA Networks. “For Meta’s Pixel, it uses the localhost channel to share browser identifiers with their native apps such as Facebook or Instagram via WebRTC, where the data is linked to the user’s logged-in account and quietly transferred to Meta’s servers through the app.”
Yandex’s more complex approach
Yandex takes an even more invasive approach. The researchers studied the Russian company’s apps, including Maps, Navigator, Browser and Search, and described the mechanism as a “command and control” system resembling malware behaviour.
“What surprised me the most was the dynamic nature of Yandex applications using the AppMetrica SDK,” noted Nipuna Weerasekara, another researcher on the team. “Yandex implements this tracking method in a way similar to command and control nodes in malware, retrieving listening port configurations and startup delays from Yandex servers at runtime.”
Yandex apps wait up to three days after installation before activating the tracking feature, a delay the researchers believe is intended to evade detection.
Tracking at scale
The scale of this tracking is striking. Meta’s Pixel appears on about 5.8 million websites, while Yandex Metrica is embedded on about 3 million. Tracking could therefore affect the billions of Android users who visit these sites.
When the researchers tested the top 100,000 websites, they found that about 78% of those with the Meta Pixel attempted localhost communication without explicit user consent. For Yandex, the figure was even higher, at 84%.
What makes this different
Unlike traditional web tracking, which browsers can block, this method operates at the operating-system level. It works regardless of whether the user:
- Clears cookies or browsing data
- Uses incognito or private browsing mode
- Is not logged in to Facebook or Instagram in the browser
- Has disabled location tracking or other privacy settings
The tracking defeats Android’s built-in privacy protections because it does not rely on the web cookies or browser storage that users can control.
Risk from malicious apps
Perhaps most worrying, the technique opens the door for malicious apps to eavesdrop on a user’s entire browsing history. The researchers built a proof-of-concept app demonstrating that any malicious app can listen on the same port and obtain the user’s website visits in real time.
Because Yandex uses unencrypted HTTP requests (unlike Meta’s more complex WebRTC approach), any app listening on the relevant port can monitor the websites the user visits, giving third-party apps access to a complete browsing history.
Website owners kept in the dark
There is evidence that many website operators who integrate these tracking tools are unaware of the localhost communication. On developer forums, confused website owners have asked why the Meta Pixel connects to local ports, with complaints dating back to September 2024.
“However, there is no acknowledgement at all. My support request received a generic response and was then ignored,” one developer noted in a forum post.
Neither Meta nor Yandex appears to have documented these tracking features in its official developer documentation.
Browser vendors fight back
Major browser vendors are implementing countermeasures following the researchers’ disclosure. Chrome version 137, released in late May 2025, includes specific protections against these tracking methods: the browser now blocks the abused ports and disables the SDP-based trick used for hidden data transfers.
Other browsers are following suit, although the fixes only address the current implementation. As research lead Narseo Vallina-Rodriguez pointed out: “The fundamental problem enabling this attack is the lack of control over localhost communications on most modern platforms.”
Interestingly, Meta’s tracking suddenly stopped on June 3, the same day the research was published. “We don’t know why Facebook stopped using this technique on the day of publication, but we’re happy to see that Android users are no longer affected by this type of abuse after our disclosure,” the researchers noted.
A broader platform issue
The study highlights a basic security gap in how mobile platforms handle localhost communication. As Vallina-Rodriguez explains: “Technical mitigations should not undermine legitimate uses of localhost sockets, such as anti-fraud or authentication methods, so any technical solution, such as new sandboxing principles, needs to be complemented by stricter platform policies that limit abuse and by the app store vetting process.”
Until platform-level fixes arrive, the only complete protection for Android users is to avoid the Facebook, Instagram and affected Yandex apps, a drastic step that highlights how this tracking technique undermines user choice and consent in the digital ecosystem.