Do you think you’re safe online by enabling your browser’s incognito mode? If you’re using Android, think again, because Meta and Yandex can see you just fine.
Meta Is Injecting Trackers in Millions of Websites
Meta is using a newly discovered tracking method that makes use of its native apps, like Instagram and Facebook, to track you online. This technique, discovered by an international team of researchers from Radboud University and IMDEA Networks, works even when you:
Atechnical reporton the method claims that “these practices may be implemented in websites without explicit and appropriate cookie consent forms.” This means that if a site you’re visiting loads the tracker script before you’ve given consent to appropriate cookies, the tracking will still happen.
This tracking method works via a script called Meta Pixel embedded into millions of websites that communicate with apps on your phone. To link your mobile browsing sessions and web cookies with device identifiers, the script passes them to the installed apps.
They can then link the received data to your logged-in account on the Facebook or Instagram app to track you on the internet.Android apps track youalready, but this type of browser to native app tracking hasn’t been seen before.
The purpose of the tracking is to give advertisers an idea of how effective their ad campaigns have been. Meta has been doing this since at least September 2024, but Russian search giant Yandex has been employing a similar tactic with its own apps and script (called Yandex Metrica) since 2017. However, the Meta Pixel script has stopped working since June 3, with almost all of its underlying code removed.
The Meta Pixel and Yandex Metrica scripts are estimated to be installed on 5.8 million and 3 million sites, respectively. The scripts also only appear to be targeting Android users by misusing various legitimate internet protocols and Android’s ability to let websites communicate with installed apps. While the attack hasn’t been observed on iOS yet, the researchers note that similar data sharing between iOS browsers and native apps is “technically possible.”
How to Prevent Being Tracked
The issue affects Chrome and, by extension, Chromium-based browsers, so the easiest way to avoid being tracked is to simply switch to more security-focused browsers like DuckDuckGo or Brave. However, with the Meta script going offline, you’re safe—unless you have any Yandex apps installed on your phone and use their services.
The Pros and Cons of DuckDuckGo’s Privacy-Friendly Desktop Browser
The privacy-conscious search engine has launched a new browser, but can you trust it to look after your data? Is it really private?
Another solution would be to uninstall the apps from your phone. However, with Facebook and Instagram being two of the most popular social media platforms, not having the native app restricts your user experience a lot.
Google is aware of the issue and ideally, should improve the way Android handles local port access and the data exchange between web browsers and native apps. That said, there’s no word from Google on whether it’ll change this behavior or Android, so uninstalling Meta and Yandex apps from your phone remains the safest course of action.
