Meta and Yandex Allegedly Exploited Android Apps to Track Users Beyond Incognito and VPNs

A recent investigation has found that tech giants Meta, parent company of Facebook and Instagram, and Yandex, Russia’s leading search engine provider, have been covertly collecting web user data through Android apps by exploiting a loophole in the operating system’s “localhost” function. This technique enabled them to bypass privacy safeguards like incognito mode and even VPNs, raising serious concerns about user surveillance and data protection.

Researchers from Radboud University in the Netherlands and IMDEA Networks in Spain uncovered that Meta used a hidden mechanism to track users’ web activity on Android devices, regardless of the privacy tools in place. Through a secret data exchange between websites embedded with Meta’s tracking tool (Meta Pixel) and the company’s mobile apps, Meta could link user activity across platforms even while users were browsing in private mode or using a virtual private network.

This method allowed Meta to sidestep browser-level privacy controls by operating through Android’s internal app communication system, giving the company access to browsing data that users believed was protected. Following media inquiries, Meta has reportedly shut down this tracking system and stated that it is working with Google to address the loophole. Google, in turn, is conducting its own investigation and preparing platform-level changes to prevent similar abuses in the future.

At the same time, Yandex has come under scrutiny for similar practices through its AppMetrica software development kit (SDK). Found in over 52,000 apps globally, including apps for Android and iOS, AppMetrica was shown to harvest metadata such as IP addresses, device IDs, and network details. This data was transmitted to servers located in Russia and Finland, raising alarms given Russia’s legal framework that can compel companies to share user data with government agencies.

Although Yandex claims the collected data is anonymized and that users give consent through app agreements, privacy researchers warn that the metadata could still be used to identify individuals, especially in the hands of state actors. Several app developers have already begun removing the AppMetrica SDK from their apps in response to the findings.

These revelations add to a disturbing trend in which major tech companies exploit backdoor pathways to gather user data, often without explicit consent and in defiance of common privacy expectations. The fact that such tracking can persist even through incognito browsing or VPNs signals a deeper vulnerability in the mobile ecosystem.

As debates about data privacy continue worldwide, this case serves as a stark reminder that privacy tools alone are not enough. Users should remain cautious, regularly review app permissions, and demand greater transparency from tech companies. More importantly, regulators and platform providers must act swiftly to close the loopholes that enable such invasive practices and uphold the right to digital privacy.