
Special tracking technology: Meta and Yandex spy on sensitive user information

Florian Bodoky
5.6.2025
Translation: Elicia Payne

Researchers have found that Meta and Yandex are able to decipher their users’ details. In just one move, they illegally obtain sensitive personal information about millions of Android users. What does that mean for us?

For years, tracking pixels have been a vital tool for advertisers on the internet. Social media services such as the Meta Group also collect data to measure the effectiveness of ads and analyse user behaviour. Meta and the Dutch-Russian service Yandex have now gone one step further. Until now, «pseudonyms» were used for tracking. In other words, a user disclosed their behaviour on the web, but no concrete conclusions could be drawn about their identity.

But Meta and Yandex have found a way to almost completely de-anonymise their users. This affects users of Android devices whose browsers have been technically manipulated to provide information for the companies’ apps, such as Facebook, Instagram or Yandex apps.

What exactly happened?

Researchers from Spain and the Netherlands found that both corporations were using a technique that reached deep into the link between browsers and apps on Android devices. Yandex has been using this trick since 2017, whereas Meta began using it in September 2024.

At the centre of it all are tracking pixels – small invisible scripts that are embedded on websites. These were manipulated by the two companies in such a way that they were able to access much more sensitive information via the apps installed on devices.

How exactly does this work?

The technique builds on an Android function that few people are familiar with. Apps running in the background can receive data on localhost addresses, i.e. on communication channels that are actually only used internally on the device. These aren’t automatically blocked by security checks, so they don’t require any special authorisation from the device.

Who is affected by this?

What happens now?

Immediately after the study was published, Meta and Yandex discontinued this strategy. Meta announced that it was in talks with Google to clarify «misunderstandings» regarding the platform guidelines. Yandex announced that it would disable it – but emphasised that it hadn’t collected any sensitive data.

However, the researchers have said that you shouldn’t get your hopes up. If Meta and co. change the port – until now it’s always been port 12387 – or use a different protocol, this technology could still be used. It’s down to Android to provide a permanent solution.
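Because the port can change, a check on the device should list every app-owned listener on localhost instead of looking for one port number. The following is an added example, not code from the article or the researchers: it parses text in the Linux `/proc/net/tcp` format, and the sample rows, the function name and the little-endian byte order are assumptions made for the illustration.

```python
"""Added example: list app-owned TCP listeners on loopback from /proc/net/tcp text."""
import socket

KNOWN_PORT = 12387        # port named in the article
FIRST_APP_UID = 10000     # Android assigns installed apps UIDs from 10000 upward
TCP_LISTEN = "0A"         # state code for LISTEN in /proc/net/tcp

# Constructed sample in /proc/net/tcp format (not captured from a real device).
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:3063 00000000:0000 0A 00000000:00000000 00:00000000 00000000 10234        0 51234 1 0000000000000000 100 0 0 10 0
   1: 00000000:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000 10111        0 51300 1 0000000000000000 100 0 0 10 0
   2: 0100007F:13AD 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 40001 1 0000000000000000 100 0 0 10 0
   3: 0100007F:9C40 0100007F:D2F0 01 00000000:00000000 00:00000000 00000000 10234        0 51400 1 0000000000000000 100 0 0 10 0
   4: 0100007F:7531 00000000:0000 0A 00000000:00000000 00:00000000 00000000 10300        0 51500 1 0000000000000000 100 0 0 10 0
"""


def loopback_listeners(proc_net_tcp: str):
    """Return sorted [(port, uid, is_known_port)] for app-owned LISTEN sockets on 127.0.0.0/8."""
    found = []
    for line in proc_net_tcp.splitlines()[1:]:       # skip the header row
        fields = line.split()
        if len(fields) < 8:
            continue                                  # blank or truncated row
        hex_ip, hex_port = fields[1].split(":")
        state, uid = fields[3], int(fields[7])
        if state != TCP_LISTEN or len(hex_ip) != 8:
            continue                                  # not listening, or not an IPv4 row
        # Assumption: the address is printed in little-endian host byte order.
        ip = socket.inet_ntoa(bytes.fromhex(hex_ip)[::-1])
        if ip.startswith("127.") and uid >= FIRST_APP_UID:
            port = int(hex_port, 16)
            found.append((port, uid, port == KNOWN_PORT))
    return sorted(found)


if __name__ == "__main__":
    for port, uid, known in loopback_listeners(SAMPLE):
        note = "  <- port named in the article" if known else ""
        print(f"127.0.0.1:{port} owned by uid {uid}{note}")
```

Sockets bound to the wildcard address 0.0.0.0 also accept connections over localhost; this example skips them to stay narrow.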

What can you and I do?

The most effective protection against this type of tracking currently is to remove the Meta and Yandex apps from your Android device and use the services via the browser, if at all.

Header image: Shutterstock


I've been tinkering with digital networks ever since I found out how to activate both telephone channels on the ISDN card for greater bandwidth. As for the analogue variety, I've been doing that since I learned to talk. Though Winterthur is my adoptive home city, my heart still bleeds red and blue. 

