- Meta and Yandex were seen using covert tracking techniques
- The techniques violated Google Play policies
- The code was mysteriously removed after being flagged by researchers
Meta and Yandex have been accused of circumventing privacy protections by linking users to their web browsing activity and cookies through native Android applications, using the Meta Pixel and Yandex Metrica trackers.
The method involved collecting data through the localhost function built into many native Android applications, which is used for testing purposes.
After researchers from IMDEA Networks, Radboud University and KU Leuven published their research, the script associated with data extraction and user tracking was removed.
Covert tracking in Android applications and browsers
Specifically, the tracking was seen in Meta's Facebook and Instagram applications, as well as Yandex's Maps and Browser applications.
The applications use localhost, which allows a device to send a network request to itself, as part of their ability to associate browsing data with user identities.
In the words of the researchers, “these native Android applications receive metadata, cookies and commands from the Meta Pixel and Yandex Metrica scripts integrated into thousands of websites. These JavaScripts are loaded in users' mobile browsers and connect silently with native applications that are executed on the same device through local sockets.”
What Meta and Yandex have essentially done is create a crack in the Android sandbox through which data and cookies can be extracted, bypassing the built-in security and privacy protections, and then associated with the user's identifiers, such as their identity within a target app or the user's Android advertising ID.
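A defender reviewing a browser traffic capture can look for the pattern described above: a script on a public web page sending requests to the device's own loopback interface. The following is an added example, not code from the researchers or from this article; the `{ page, request }` log format, the function names and every sample entry (hosts and ports included) are constructed for illustration, and the check generalises to several spellings of the loopback address.

```javascript
// Flag requests that a public web page sends to the device's own loopback interface.
const LOOPBACK_V4 = /^127(\.\d{1,3}){3}$/; // whole 127.0.0.0/8 range

// True when the hostname names the local device itself.
function isLoopbackHost(hostname) {
  const h = hostname.toLowerCase().replace(/\.$/, ""); // tolerate a trailing dot
  if (h === "localhost" || h.endsWith(".localhost")) return true;
  if (h === "[::1]") return true; // IPv6 loopback as the URL parser prints it
  return LOOPBACK_V4.test(h);
}

// entries: [{ page: URL of the document, request: URL its scripts requested }]
function findLoopbackContacts(entries) {
  const findings = [];
  for (const { page, request } of entries) {
    let pageUrl, reqUrl;
    try {
      pageUrl = new URL(page);
      // WHATWG parsing normalises numeric forms such as http://2130706433/
      reqUrl = new URL(request);
    } catch {
      continue; // skip malformed log lines
    }
    if (!["http:", "https:", "ws:", "wss:"].includes(reqUrl.protocol)) continue;
    // A page served from loopback talking to loopback is ordinary local development.
    if (isLoopbackHost(pageUrl.hostname)) continue;
    if (isLoopbackHost(reqUrl.hostname)) {
      findings.push({
        page: pageUrl.origin,
        target: reqUrl.host,
        scheme: reqUrl.protocol.slice(0, -1),
      });
    }
  }
  return findings;
}

// Constructed sample capture (no real sites, scripts or ports).
const sampleLog = [
  { page: "https://shop.example/checkout", request: "https://cdn.example/lib.js" },
  { page: "https://news.example/story", request: "http://127.0.0.1:8080/sync?id=abc" },
  { page: "https://news.example/story", request: "ws://localhost:9000/" },
  { page: "https://blog.example/", request: "http://2130706433/ping" },
  { page: "http://localhost:3000/", request: "http://localhost:3001/api" },
  { page: "https://blog.example/", request: "not a url" },
];

console.log(findLoopbackContacts(sampleLog));
```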
When questioned about the covert tracking method by The Register, a Meta spokesman said: “We are in conversations with Google to address a possible lack of communication regarding the application of their policies. Upon becoming aware of the concerns, we decided to stop the function while we work with Google to solve the problem.”
According to the researchers, Yandex has been using this covert tracking method since 2017, while Meta began in September 2024.
Web browsers based on Firefox and Chromium were the main target of the web data extraction, with Meta and Yandex able to extract cookies that would otherwise be inaccessible due to cookie clearing, incognito browsing and the Android application permission system.
A Google representative told Ars Technica: “The developers in this report are using capabilities present in many browsers on iOS and Android in an unwanted way that shamelessly violates our principles of safety and privacy,” said the representative, referring to the developers who built the code behind Meta Pixel and Yandex Metrica. “We have already implemented changes to mitigate these invasive techniques and have opened our own investigation, and we are directly in contact with the parties.”