Meta Found a New Way to Track Android Users Covertly via Facebook & Instagram
Researchers have disclosed a sophisticated tracking method employed by Meta (Facebook) and Yandex that potentially affected billions of Android users through covert web-to-app communication over localhost sockets.
The technique allowed native Android apps, including Facebook and Instagram, to silently receive browser metadata, cookies, and commands from Meta Pixel scripts embedded on thousands of websites, effectively linking mobile browsing sessions to user identities and bypassing standard privacy protections.
Implementation Via WebRTC and Port Manipulation
GitHub reports that the tracking mechanism exploited Android’s unrestricted access to localhost sockets, with Meta’s approach evolving through several technical iterations.
Initially using HTTP requests in September 2024, Meta’s system progressed to WebSocket communications before settling on WebRTC STUN with SDP Munging by November 2024.
The Meta Pixel JavaScript transmitted the first-party _fbp cookie using WebRTC to UDP ports 12580–12585, where Facebook and Instagram apps maintained persistent listeners.
The technical implementation involved SDP Munging, where Meta inserted the _fbp cookie contents into the SDP “ice-ufrag” field, generating Binding Request STUN messages sent to the loopback address 127.0.0.1.
This data flow remained invisible to standard browser debugging tools like Chrome’s DevTools, making detection challenging for users and security researchers.
By May 2025, Meta introduced WebRTC TURN communications to ports 12586–12591, avoiding SDP Munging after Chrome developers announced plans to disable the technique.
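As an added example (not from the disclosure, the browser vendors, or Meta's code), here is a defender-side check over captured loopback UDP datagrams: it parses the STUN header and attributes and flags Binding Requests to the ports named above whose USERNAME attribute carries an _fbp-shaped value. The port ranges come from the article; the STUN layout and the _fbp cookie shape come from public documentation; the sample packet is constructed.

```python
import re
import struct

# STUN constants (RFC 5389/8489)
STUN_BINDING_REQUEST = 0x0001
STUN_MAGIC_COOKIE = 0x2112A442
ATTR_USERNAME = 0x0006
# Loopback UDP ports named in the article: 12580-12585 (STUN), 12586-12591 (TURN)
WATCHED_PORTS = set(range(12580, 12592))
# Documented shape of a Meta _fbp cookie: fb.<subdomain idx>.<creation ms>.<random>
FBP_RE = re.compile(r"fb\.\d\.\d{13}\.\d+")

def parse_stun(packet: bytes) -> dict:
    """Parse a STUN header and its type-length-value attributes."""
    if len(packet) < 20:
        raise ValueError("too short for a STUN header")
    msg_type, msg_len, magic = struct.unpack("!HHI", packet[:8])
    if magic != STUN_MAGIC_COOKIE or len(packet) < 20 + msg_len:
        raise ValueError("not a STUN message")
    attrs, off = {}, 20
    while off + 4 <= 20 + msg_len:
        a_type, a_len = struct.unpack("!HH", packet[off:off + 4])
        attrs[a_type] = packet[off + 4:off + 4 + a_len]
        off += 4 + (a_len + 3) // 4 * 4  # attribute values are padded to 32 bits
    return {"type": msg_type, "txid": packet[8:20], "attrs": attrs}

def flag_localhost_stun(dst_ip: str, dst_port: int, payload: bytes):
    """Return a finding if the datagram matches the described leak, else None."""
    if dst_ip != "127.0.0.1" or dst_port not in WATCHED_PORTS:
        return None
    try:
        msg = parse_stun(payload)
    except ValueError:
        return None
    if msg["type"] != STUN_BINDING_REQUEST:
        return None
    # ICE sends "<remote-ufrag>:<local-ufrag>" in USERNAME, so a munged
    # local ice-ufrag shows up here.
    username = msg["attrs"].get(ATTR_USERNAME, b"").decode("utf-8", "replace")
    hit = FBP_RE.search(username)
    return f"_fbp-like ice-ufrag {hit.group(0)} sent to 127.0.0.1:{dst_port}" if hit else None

def build_binding_request(username: str) -> bytes:
    """Constructed sample input: a STUN Binding Request carrying a USERNAME attribute."""
    value = username.encode()
    attr = struct.pack("!HH", ATTR_USERNAME, len(value)) + value + b"\0" * (-len(value) % 4)
    header = struct.pack("!HHI", STUN_BINDING_REQUEST, len(attr), STUN_MAGIC_COOKIE)
    return header + b"\x11" * 12 + attr  # 12-byte transaction ID (constant here)
```

In practice the same check runs over datagrams pulled from a loopback capture (tcpdump -i lo udp) and keyed on the browser process as sender.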
The tracking method demonstrated unprecedented scope, with Meta Pixel embedded on over 5.8 million websites according to BuiltWith, making the _fbp cookie the third most common first-party cookie across the web.
Research crawls of the top 100,000 websites revealed Meta Pixel attempting localhost communications on 17,223 sites in the US and 15,677 sites in the EU, with approximately 75-78% of these sites triggering the behavior without explicit user consent.
The system effectively circumvented established privacy protections, including cookie clearing, Incognito Mode, and Android’s permission controls.
Even users not logged into Facebook or Instagram on their mobile browsers remained vulnerable to tracking through the Android Advertising ID (AAID) bridging mechanism.
The method worked by linking ephemeral web identifiers to persistent mobile app IDs, allowing Meta to associate different _fbp cookies across websites with the same user account.
Mitigation Efforts
Following responsible disclosure to major browser vendors, several countermeasures entered development and deployment.
Chrome version 137, released May 26, 2025, implemented protections blocking abused ports and disabling the specific SDP munging techniques used by Meta Pixel.
Firefox version 139 incorporated similar port-blocking countermeasures, while DuckDuckGo and Brave browsers already maintained blocklist-based protections against localhost communications.
Significantly, Meta discontinued the practice around June 3, 2025, with the Facebook Pixel script no longer sending packets to localhost and the responsible code being almost completely removed. Yandex similarly ceased its localhost-based tracking operations following the disclosure.
The revelation prompted broader discussions about platform sandboxing limitations and the need for enhanced Android interprocess communication security, particularly regarding localhost connections that enable cross-application data sharing without user awareness or consent.