Meta and Yandex Found Exploiting Android Loopholes to Track Users via Localhost

June 2025 – In a startling revelation for Android users and privacy advocates alike, researchers have uncovered a new tracking technique employed by both Meta and Yandex that sidesteps traditional browser privacy protections.

The technique, dubbed “LocalMass” by the team that discovered it, exploits localhost sockets on Android devices to covertly connect browser activity back to native apps like Facebook, Instagram, and Yandex services—even if the user never interacts directly with them.

How It Works

It begins when an Android user opens a native app such as Facebook or Instagram. Once opened, the app starts listening on local UDP and TCP ports. Later, if that same user visits a website in a browser that contains the Meta Pixel (commonly used for analytics and advertising), the Pixel script in the page initiates a hidden communication with the native app using a combination of WebRTC and a technique referred to as “SDP munging.”

This method allows the browser to transmit cookie data back to the native Meta app silently. The app then relays this information to a Facebook endpoint, effectively linking the user’s browser activity to their Facebook or Instagram account.

Yandex’s version, using its Yandex Metrica scripts instead of Meta Pixel, follows a similar approach. Both companies’ implementations are almost invisible to standard browser debugging tools like Chrome DevTools, making detection and prevention difficult for average users.
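As an added illustration (not from the original article or the researchers' work), the script below parses the Linux /proc/net/tcp table that an analyst can pull from a device with `adb shell cat /proc/net/tcp` and lists sockets bound to the loopback interface by app UIDs, which is the first thing to check when looking for localhost listeners of this kind. The sample table, its ports and its UIDs are constructed for the example.

```python
from __future__ import annotations
import socket
import struct
from dataclasses import dataclass

# Constructed sample of /proc/net/tcp as pulled with `adb shell cat /proc/net/tcp`.
# Ports and UIDs are made up for illustration; they are not Meta's or Yandex's.
SAMPLE_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:3039 00000000:0000 0A 00000000:00000000 00:00000000 00000000 10234        0 40001 1 0000000000000000 100 0 0 10 0
   1: 00000000:0050 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 40002 1 0000000000000000 100 0 0 10 0
   2: 0100007F:A3C1 0100007F:3039 01 00000000:00000000 00:00000000 00000000 10234        0 40003 1 0000000000000000 100 0 0 10 0
"""

# Socket state that means "bound and waiting": TCP_LISTEN for tcp, "unconnected" for udp.
LISTEN_STATE = {"tcp": "0A", "udp": "07"}
ANDROID_APP_UID_START = 10000  # installed apps get UIDs from 10000 upwards

@dataclass(frozen=True)
class Sock:
    proto: str
    ip: str
    port: int
    uid: int

def _hex_ipv4(h: str) -> str:
    # The kernel prints the IPv4 address as one little-endian 32-bit word.
    return socket.inet_ntoa(struct.pack("<I", int(h, 16)))

def parse_proc_net(text: str, proto: str) -> list[Sock]:
    """Return the listening sockets from a /proc/net/tcp or /proc/net/udp dump."""
    socks = []
    for line in text.splitlines()[1:]:  # skip the header row
        cols = line.split()
        if len(cols) < 8 or cols[3] != LISTEN_STATE[proto]:
            continue
        addr, port = cols[1].split(":")
        socks.append(Sock(proto, _hex_ipv4(addr), int(port, 16), int(cols[7])))
    return socks

def app_loopback_listeners(socks: list[Sock]) -> list[Sock]:
    """Keep only loopback-bound listeners owned by an app UID (not system daemons)."""
    return [s for s in socks if s.ip.startswith("127.") and s.uid >= ANDROID_APP_UID_START]

if __name__ == "__main__":
    for s in app_loopback_listeners(parse_proc_net(SAMPLE_TCP, "tcp")):
        # Map the UID to a package with `adb shell pm list packages -U` on the device.
        print(f"{s.proto} {s.ip}:{s.port} uid={s.uid}")
```

Run the same parser over /proc/net/udp with proto "udp" to cover the UDP ports the article mentions; an established connection from the browser's UID to one of these ports is the second signal to look for.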

What Makes This So Dangerous

This approach bypasses nearly all existing privacy controls on Android:

  • Browser sandboxing
  • Web and app permissions
  • Incognito modes
  • Cookie clearing
  • Resetting advertising IDs

None of these mechanisms are effective against LocalMass-style tracking.

Researchers estimate that over 5.8 million websites include Meta Pixel, while nearly 3 million websites run Yandex Metrica scripts. This means that even if you’re not using Meta or Yandex apps, simply browsing the web on your Android phone may trigger this tracking mechanism.

A Longstanding Issue?

Interestingly, Yandex appears to have implemented this technique as far back as 2017, while Meta allegedly started using it in late 2024. This timeline might shed new light on the long-standing suspicion that apps like Facebook were “listening” to users—even when they weren’t open.

As one privacy researcher put it, “This isn’t microphone eavesdropping—it’s localhost eavesdropping.”


Takeaway: What Can Users Do?

Unfortunately, traditional privacy tools and behaviors (like clearing cookies or browsing in Incognito) do not protect against this type of tracking. Until Android implements stricter controls on localhost access, users may want to:

  • Limit use of native apps from known data aggregators
  • Use hardened browsers like Firefox Focus or Brave (though full protection is not guaranteed)
  • Monitor for developments in privacy tools and Android updates

For now, this discovery serves as a stark reminder that privacy controls need to evolve as fast as tracking techniques—and that users should never assume their browser activity is siloed from their apps.
