Applications by Meta (Facebook, Instagram) and Russia’s Yandex have come under fire after researchers discovered they bypassed Android’s privacy protections to track user activity — even without permissions and during private browsing. The revelation has triggered formal investigations by Google and Mozilla.
How the tracking worked
Android is designed to isolate apps from each other using a sandbox model, which should prevent unauthorized access to user data. But researchers from Radboud University (Netherlands) and IMDEA Networks (Spain) discovered that Meta and Yandex exploited a hidden internal communication channel between apps and websites.
When a user visited a site that included Meta Pixel or Yandex Metrica tracking code, the browser initiated a “localhost” connection to the app installed on the device. This allowed the app to silently collect information about the user’s web activity — even when the browser was in Incognito mode or when a VPN was active.
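A defender auditing a site or a captured browsing session can look for the browser-to-localhost connection described above. The sketch below is an added example, not code from the researchers or the companies named; the record fields (`page`, `url`), domains and ports are constructed sample data.

```javascript
// Added example: flag web requests that target the device's own loopback interface.
const DEFAULT_PORTS = { "http:": "80", "https:": "443", "ws:": "80", "wss:": "443" };

// True when a URL hostname (as normalized by the WHATWG URL parser) is loopback.
function isLoopbackHost(hostname) {
  const h = hostname.toLowerCase().replace(/\.$/, "");
  if (h === "localhost" || h.endsWith(".localhost")) return true;
  if (h === "[::1]") return true; // IPv6 loopback keeps its brackets in URL.hostname
  // 127.0.0.0/8 is loopback; 0.0.0.0 is included because many stacks route it locally.
  return /^127\.\d{1,3}\.\d{1,3}\.\d{1,3}$/.test(h) || h === "0.0.0.0";
}

// records: [{ page, url }] = the page that issued a request and the request URL.
function findLoopbackRequests(records) {
  const findings = [];
  for (const { page, url } of records) {
    let origin, target;
    try {
      origin = new URL(page);
      target = new URL(url);
    } catch {
      continue; // skip entries that are not absolute URLs
    }
    if (!isLoopbackHost(target.hostname)) continue;
    if (isLoopbackHost(origin.hostname)) continue; // local dev page calling itself
    findings.push({
      page: origin.origin,
      host: target.hostname,
      port: target.port || DEFAULT_PORTS[target.protocol] || "",
    });
  }
  return findings;
}

// Constructed sample data: domains, paths and ports are placeholders.
const SAMPLE = [
  { page: "https://shop.example/cart", url: "https://cdn.example/pixel.js" },
  { page: "https://shop.example/cart", url: "http://127.0.0.1:40001/collect?id=abc" },
  { page: "https://news.example/", url: "ws://localhost:40002/" },
  { page: "https://news.example/", url: "http://2130706433:40003/" }, // decimal form of 127.0.0.1
  { page: "https://news.example/", url: "https://[::1]/x" },
  { page: "http://localhost:3000/", url: "http://localhost:3000/api" },
  { page: "https://news.example/", url: "not a url" },
  { page: "https://news.example/", url: "https://localhost.example.com/" },
];

console.log(findLoopbackRequests(SAMPLE));
```

The records can be filled from any request log that pairs a page URL with each request it issued, such as a browser HAR export.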
Who was affected?
According to El País, the issue affects millions of Android devices worldwide. Simply having Facebook, Messenger, Instagram, or a Yandex app installed enabled this form of surveillance whenever users visited a tracked website.
Critically, the method didn’t require explicit user consent. Since the data transfer happened locally, Android’s permission system didn’t detect or flag it.
Industry response
After the findings were made public, both Meta and Yandex said they suspended use of the technique. Meanwhile, Google and Mozilla launched their own investigations, citing potential violations of privacy policies and user agreements. Google confirmed it’s working on closing the loophole at the system level, while Mozilla pledged updates to Firefox to block the exploit.
What can users do?
Security experts say traditional protections like ad blockers and VPNs are ineffective against this type of internal traffic.

Meta and Yandex accused of tracking Android users — even in Incognito mode