Localhost Tracking: Meta and Yandex allegedly spied on Android users covertly

Technology companies Meta and Yandex have reportedly used a previously unknown method for years to covertly track Android users on the web. According to two security analyses, the companies utilized internal communication channels between mobile browsers and installed apps to collect browser data without the users’ explicit consent.
Meta is a U.S.-based technology company known as the parent of Facebook, Instagram, and WhatsApp, and is a leader in social media and online advertising. Yandex is a Russian technology corporation best known for operating the largest search engine in Russia and offering a wide range of services including navigation, advertising, and cloud solutions.
The corporate espionage technique was first published and technically detailed on GitHub under “Covert Web-to-App Tracking via Localhost on Android”. As Cybersecurity News reported, tracking scripts were embedded in millions of websites. These scripts used so-called “localhost” connections – originally intended for internal system use – to transmit information such as cookies, IP addresses, and other identifiers to Facebook, Instagram, or Yandex apps. The method worked even in incognito mode and after browser data had been cleared.
The tracking connected activity on websites with the installed app on the device, enabling comprehensive user profiling. According to IT researchers, Meta continuously developed this method from late 2023 to May 2025. Yandex is believed to have used a similar system for several years already.
After the technical analyses became public, both companies ceased data transmissions in early June. At the same time, browser vendors such as Google (Chrome) and Mozilla (Firefox) released security updates to block the affected ports. Alternative browsers like Brave and DuckDuckGo have also implemented protective measures.
Privacy advocates and IT experts view this practice as a serious circumvention of standard data protection and security technologies. It is considered an example of how technical loopholes in app-browser interaction can be exploited for extensive tracking – without users noticing or being able to prevent it.
Whether legal consequences await the companies remains unclear. Data protection authorities are currently reviewing potential violations of the General Data Protection Regulation (GDPR). Spanish attorney and privacy expert Jorge García Herrero suspects this case could cost Meta billions of dollars in fines.