Data Privacy Breach: Meta and Yandex Found Collecting User Data Through Android Apps

Recent investigations have revealed that technology giants Meta and Yandex have been utilizing dubious methods to monitor the activities of users on their Android applications. Security researchers discovered that tracking pixels were secretly sending personal data from web browsers to the apps and servers of these companies.

According to the findings, both Meta and Yandex have been engaging in this practice for several years. Specifically, Yandex has been exploiting this loophole since 2017, while Meta has been implicated in similar actions since September 2024. The two corporations have taken advantage of various technical features within the Android operating system, circumventing established communication barriers that typically protect user data.

By creating unauthorized data connections between their applications and web browsers on Android devices, these companies were able to uniquely identify users. This tactic is believed to be aimed at selling user data to advertisers, thereby enhancing their advertising profiles.

Researchers from the Netherlands and Spain identified how these companies were conducting their surveillance. They noted that specific 'listening ports' can be opened within applications without requiring special permissions or user consent. For instance, a Meta app could listen on a local address (localhost:12387) for incoming connections even when the app is not actively in use.

When users visit websites that incorporate Meta's tracking pixel, the next phase of data collection is activated. This tracking pixel, typically embedded in web pages to monitor advertising effectiveness, utilizes a method known as 'SDP Munging' to assemble data packets for WebRTC sessions. While WebRTC is generally intended for video conferencing or streaming, it appears to bypass certain security barriers without user notification.

The data packet primarily includes information from tracking cookies that alone do not identify users. However, Meta and Yandex's goal is to use this information for targeted advertising, leading to higher revenue. The Meta app can request the de-anonymization of these cookies using the information acquired from the browser, linking it directly to the user's logged-in Facebook account.

Alarmingly, this method also functions in 'incognito mode', which is designed to prevent such data leaks. Even actions like deleting cookies or browsing history do not mitigate the issue.

Yandex's suite of Android applications, including Maps, Navigator, and Yandex Go, also appears to be involved in this data collection scheme. Six of these apps reportedly listen on local ports, merging browser cookies with the identities of logged-in users. This poses significant risks as malicious applications could potentially intercept browsing habits, especially those involving Yandex's pixels.

Millions of websites are impacted by these tracking pixels. Meta's pixel is present on approximately 5.8 million websites, while Yandex Metrica is found on around 3 million. Many of these sites include popular online retailers and telecom service providers. A study indicated that over seventy percent of the examined European websites established tracking connections without user consent.

It appears that this data collection occurred without the knowledge of website operators. Developers on Meta's forums have expressed confusion over unusual connections to localhost, but Meta has yet to provide a formal response.

In light of these findings, major web browser developers have begun implementing countermeasures. Chrome, for example, has released an updated version that prevents the 'SDP Munging' method used by Meta. Future versions aim to enhance security against unauthorized local network access.

Interestingly, the researchers found no evidence that iOS devices were affected by these practices. However, they acknowledge that the technical capability exists for similar attacks on iOS, although background operation limitations may restrict such activities.

In response to the study's release, Meta ceased sending requests to 'localhost', indicating a potential acknowledgment of the issue. The timing of this change, coinciding with the study's publication, raises questions about the company's previous practices.