Overview

• An international team led by Radboud University, IMDEA Networks Institute and KU Leuven found Meta Pixel and Yandex Metrica using native Android apps to listen on local ports and deanonymize browsing even in incognito mode or over VPNs.
• Yandex has operated this hidden tracking method since 2017, while Meta began deploying its version in September 2024 through Facebook and Instagram apps.
• The trackers, embedded on an estimated 5.8 million and 3 million websites respectively, harvested detailed user actions—searches, purchases and registrations—and linked them to logged-in accounts.
• Meta paused the localhost-based feature in early June after global media inquiries prompted talks with Google over potential policy violations, according to a company spokesperson.
• Browser vendors have responded with technical fixes: Google pushed Chrome updates to block unauthorized localhost requests and Mozilla is developing a similar safeguard for Firefox on Android.