- Meta and Yandex were spotted using secret monitoring techniques
- The techniques have violated Google Play policies
- The code was mysteriously deleted after being reported by the researchers
Meta and Yandex have been accused of dodging privacy protection requirements by associating users with their web browsing activity and their cookies via Android native applications using Meta Pixel and Yandex Metrica trackers.
The method involved collecting data via localhost, a capability built into many native Android applications and normally used for test purposes.
After computer scientists at IMDEA Networks, Radboud University and KU Leuven published their research, the script associated with data extraction and user monitoring was deleted.
Secret monitoring in Android applications and browsers
More specifically, the tracking was spotted in Meta’s Facebook and Instagram applications, as well as in Yandex's Maps and Browser apps.
The applications use localhost, which allows a device to send a network request to itself, as part of their ability to associate browsing data with user identities.
In the words of the researcher, “these native Android applications receive metadata, cookies and commands from Meta Pixel and Yandex Metrica browsers integrated on thousands of websites. These JavaScripts take care of user mobile browsers and connect silently with native applications operating on the same device via local sockets.”
In essence, Meta and Yandex created a crack in the Android sandbox through which they could extract website data and cookies, bypassing built-in security and privacy protections, and then associate that data with identifiers tied to the user's device, such as their identity in a Meta application or the user's Android advertising ID.
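From the defender's side, the listening end of this channel is visible in the device's socket table. The following added example (not code from the researchers, Meta or Yandex) parses a `/proc/net/tcp` dump and flags TCP listeners reachable over loopback that are owned by an installed-app UID; the sample table, its ports and UIDs are constructed, and it assumes the dump was collected from a test device and that app UIDs start at 10000.

```python
import ipaddress

# Constructed sample in /proc/net/tcp format (not captured from a real device).
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:3039 00000000:0000 0A 00000000:00000000 00:00000000 00000000 10123        0 41001
   1: 00000000:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000 10200        0 41002
   2: 0100007F:A1B2 0100007F:3039 01 00000000:00000000 00:00000000 00000000 10087        0 41003
   3: 0100007F:0035 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1051        0 41004
"""

TCP_LISTEN = "0A"       # kernel state code for a listening socket
FIRST_APP_UID = 10000   # assumption: installed Android apps get UIDs from 10000 up


def parse_endpoint(field):
    """Decode 'HEXADDR:HEXPORT' as printed by the kernel on a little-endian host."""
    addr_hex, port_hex = field.split(":")
    # The IPv4 address is a little-endian 32-bit word; the port is plain hex.
    addr = ipaddress.IPv4Address(bytes.fromhex(addr_hex)[::-1])
    return addr, int(port_hex, 16)


def loopback_app_listeners(table):
    """Return listeners a browser on the same device could reach via localhost."""
    hits = []
    for line in table.splitlines()[1:]:          # skip the header row
        cols = line.split()
        if len(cols) < 10 or cols[3] != TCP_LISTEN:
            continue                             # malformed row or not listening
        addr, port = parse_endpoint(cols[1])
        uid = int(cols[7])
        # 127.0.0.0/8 and the wildcard 0.0.0.0 both accept loopback connections.
        local = addr.is_loopback or addr.is_unspecified
        if local and uid >= FIRST_APP_UID:
            hits.append({"addr": str(addr), "port": port, "uid": uid})
    return hits


if __name__ == "__main__":
    for hit in loopback_app_listeners(SAMPLE):
        print("app uid {uid} listening on {addr}:{port}".format(**hit))
```

Each flagged UID can then be mapped to its package name on the device, and any listener that has no test or debugging purpose is worth reviewing.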
When asked about the secret monitoring method by The Register, a Meta spokesman said: “We are in discussion with Google to respond to bad potential communication concerning the application of their policies. By becoming aware of the concerns, we decided to suspend the functionality while we work with Google to solve the problem.”
According to researchers, Yandex has used this secret monitoring method since 2017, while Meta started in September 2024.
Web browsers based on Firefox and Chrome were the main target of web data extraction, with Meta and Yandex capable of extracting cookies that should otherwise be inaccessible due to cookie clearing, incognito browsing and the Android application permission system.
A Google representative told Ars Technica: “The developers of this report use capacities present in many browsers through iOS and Android in an involuntary manner which obviously violates our principles of security and confidentiality.” The representative was referring to the developers who built the code behind Meta Pixel and Yandex Metrica. “We have already implemented changes to mitigate these invasive techniques and have opened our own investigation and we are directly in contact with the parties.”