Meta & Yandex secretly collected data on Android apps

An alarming security report reveals how two tech giants secretly accessed data from millions of Android users. Security researchers uncovered that both the Russian-Dutch web company Yandex as well as the American social media giant Meta used a clever technical trick to obtain detailed information about the User profiles to create.

The companies established hidden connections between their apps and the browser on Android devices. Through this backdoor, they smuggled personal data via special Tracking-pixels directly to their servers. What is particularly worrying is that these digital snooping worked even in incognito mode.

Yandex has been using this practice since 2017, while Meta has apparently been using similar methods since September 2024. After the allegations came to light, Meta has already reacted and made changes. The scope of these revelations is enormous, as potentially millions of websites and their users are affected.

Important findings

Yandex and Meta used hidden connections between apps and browsers to collect data
The companies were able to clearly identify users and create comprehensive advertising profiles
The data collection even worked in the browser's incognito mode
Yandex has demonstrably been using this practice since 2017
Meta has already made changes after the allegations became known
Millions of Android users and websites are potentially affected

Introduction to the problem of data snooping

Behind the scenes of popular apps and services, there is often a systematic collection of our personal data, known as data snooping. This practice has increased significantly in recent years, with large technology companies developing ever more sophisticated methods to obtain our information. A recent case that has caused a stir concerns the practices of Meta and Yandex in their Android applications.

A team of researchers from the Netherlands and Spain recently uncovered the technical tricks that these companies use to Privacy of their users. The results are disturbing and raise fundamental questions about the Protection of personal data in the digital world.

What is data snooping?

Data snooping refers to the secret collection of user data by applications or services without the data subjects having given their express consent or being fully aware of the data collection. This practice goes far beyond what is necessary for the functionality of an app.

The methods discovered are technically sophisticated: The groups use various vulnerabilities in Android browsers and apps to bypass protective barriers set up by the operating system. Particularly noteworthy is the use of local "listening ports" - a technique that makes it possible to intercept data that should actually be protected by security measures.

These technical circumvention methods are practically invisible to normal users. Even if you have your Privacy settings carefully, these hidden mechanisms can continue to collect and transmit your data.

Why is it an issue?

Data snooping raises fundamental ethical questions. When companies collect personal information without clear consent, the fundamental right to privacy is violated. Privacy violated. This is particularly problematic as most users are not even aware that their data is being collected.

Another worrying aspect is the lack of transparency of these practices. The companies concerned rarely openly admit what data they collect and how it is used. This secrecy undermines user trust and calls into question the integrity of digital services.

The social relevance of the topic is growing with our increasing dependence on digital services. In a world where we interact with the internet on a daily basis, the Privacy a central concern for every individual.

What is particularly alarming is that even tech-savvy users have little chance of detecting or blocking these snooping methods. The techniques used are so deeply embedded in the applications that conventional protective measures are often inadequate.

The balance between technological progress and the protection of Privacy is one of the biggest challenges facing our digital society. While companies strive for more and more data to improve their services and increase profits, we as a society must set clear boundaries to protect basic personal rights.

The role of Meta in data snooping

In the shadows of the digital world, Meta secretly collects user data using sophisticated snooping techniques. Since September 2024, the technology company has implemented methods that make it possible to track user activities - without explicit consent or special authorizations. These practices raise serious questions about the Privacy and the privacy of millions of people.

Who is Meta?

Meta Platforms, known as Facebook Inc. until 2021, is one of the most influential technology companies in the world. Founded by Mark Zuckerberg, the group operates some of the most widely used social networks and communication platforms. These include Facebook, Instagram, WhatsApp and the Messenger service.

Meta's business model is mainly based on personalized advertising. The more data the company collects about its users, the more precisely advertisements can be placed. This makes detailedUser profilesparticularly valuable for Meta.

With over 3 billion active users worldwide, Meta has an enormous amount of data at its disposal. The platforms are deeply embedded in many people's everyday lives - from watching the news in the morning to communicating with friends in the evening. This omnipresence enables the company to gain comprehensive insights into the lives of its users.

Which apps are affected?

The currentSnooping-The controversy mainly concerns two of Meta's most popular apps: Facebook and Instagram. Both applications use the discovered Tracking-methods to collect data on user behavior - even if the apps are not actively used.

The technical implementation is particularly worrying: the affected apps open so-called "listening ports" on the device - such as localhost:12387. These local connections enable the apps to listen to incoming data and process it. The perfidious thing is that this mechanism continues to run in the background, even if the user has closed the app.

The information collected flows into the creation of detailedUser profiles. These profiles not only include obvious data such as websites visited, but also allow conclusions to be drawn about personal interests, habits and even emotional states.

Meta app	Tracking method	Collected data	Background activity
Facebook	Listening port (localhost:12387)	Browsing history, app usage, location data	Active even when the app is closed
Instagram	Listening port (localhost:12387)	Interactions, search behavior, dwell time	Continuous data collection
WhatsApp	No evidence of this method to date	–	–
Messenger	Under suspicion, not confirmed	Possible communication patterns	Unknown

The revelations about these practices have surprised many users, as Meta does not ask for explicit consent for this type of data collection. The fact that the apps can eavesdrop on the device without special permissions highlights a gray area in the privacy policies of mobile operating systems.

Experts warn that this form ofSnoopingnot only raises ethical questions, but may also violate applicable data protection laws - especially in regions with strict regulations such as the European Union and its Privacy-Basic Regulation (GDPR).

Yandex and its practices

Since 2017, the internet giant Yandex has been systematically using invasive Tracking-methods that go far beyond the usual data collection practices. While Meta has only recently come under scrutiny, Yandex has been collecting extensive data from its users for years. The company's practices raise serious questions about the Privacy and to the Online monitoring on.

Overview of Yandex

Yandex is a Russian-Dutch technology company that is often referred to as the "Russian Google". With its wide range of services, the company dominates the Russian search engine market and is present in many Eastern European countries.

Founded in 1997, the company also offers e-mail services, maps, navigation systems, cab services and even delivery services in addition to its search engine. In Russia, around 60 million people use the various Yandex services every month.

Particularly noteworthy is the Strong market position of Yandex in Russia, where the company outperforms Google in many areas. This dominance gives Yandex access to enormous amounts of user data, which makes the scope of its tracking practices even more problematic.

Cases of data breaches

The data breaches by Yandex are particularly serious. Security researchers have discovered that six of the company's Android apps use problematic tracking methods. These apps listen on local ports and link browser cookies with the identity of logged-in users.

The affected apps include:

Yandex Maps
Yandex Navigator
Yandex Browser
Yandex Search
"Metro in Europe - Vienna"
"Yandex Go: Taxi Food"

Particularly worrying is the fact that these apps even monitor surfing habits in the Incognito mode can be intercepted. This represents a significant violation of user expectations, as many people assume that their activities cannot be tracked in this mode.

The tracking method used by Yandex is technically sophisticated. The apps monitor local ports on the device and can therefore intercept data that should not normally be accessible to other apps. This form of Online monitoring enables Yandex to provide detailed User profiles to create.

"The tracking methods used by Yandex are among the most invasive we have ever seen from a major technology company. They deliberately bypass users' privacy settings."

Felix Krause, security researcher

Compared to Meta, whose practices were only recently uncovered, Yandex has been using these methods since 2017. This indicates a long-term data collection strategy that goes far beyond the usual tracking methods.

Yandex App	Tracking method	Collected data	Risk level
Yandex Browser	Port monitoring & cookie linking	Browsing history, search queries, incognito activities	Very high
Yandex Maps	Port monitoring & location tracking	Movement profiles, places visited, search histories	High
Yandex Go	Cookie link	Order history, payment information, locations	Medium
Yandex Search	Port monitoring	Search histories, click behavior, interests	High

Effects on the users

The systematic circumvention of data protection measures by tech giants poses a fundamental threat to the Privacy of millions of users. The revelations about the practices of Meta and Yandex show how vulnerable our personal data is in the digital age. Particularly worrying is the fact that these companies have deliberately developed methods to circumvent security barriers.

Data protection concerns

The snooping practices that have been uncovered enable companies to uniquely identify users - presumably with the aim of selling this data to advertisers. The perfidious thing is that these identification methods work even when users actively try to hide their data. Privacy to protect.

The much-vaunted "incognito mode", which is supposed to protect against tracking, offers no effective protection against these sophisticated methods. Even the regular deletion of cookies or browsing history - measures that many users consider sufficient - prove to be ineffective.

It is particularly problematic that the users concerned were never given the opportunity to consent to or reject this comprehensive data collection. The detailed User profilesThe data that can be generated using these methods allows advertisers to target specific groups, but raises serious ethical questions.

The fact that even deliberate user protection measures are circumvented constitutes a particularly serious breach of trust.

User trust in apps

The relationship of trust between users and technology companies is permanently damaged by such practices. If even basic data protection functions such as incognito mode can be undermined, the question arises: which promises of protection can we still believe?

The long-term consequences of this crisis of trust should not be underestimated. Users are becoming increasingly suspicious of digital services and apps. This mistrust could lead to a general reluctance to use new technologies or reduce the willingness to share personal data - even in contexts where this would make sense.

For many users, the question now arises as to how they can Privacy better when even supposedly safe methods fail. The creation of detailed User profiles without consent leads to a feeling of powerlessness in the face of the tech giants.

This development could mark a turning point in the public perception of data protection. What used to be considered a marginal technical issue is increasingly understood as a fundamental civil right that must be actively defended - both by informed users and through effective regulation.

Legal framework in Germany

While tech giants such as Meta and Yandex are spying on user data, the question arises as to the legal consequences in Germany. Companies operating in the EU are subject to strict data protection regulations that should actually prevent such practices. European data protection legislation in particular is considered a global pioneer in the protection of personal data.

The legal situation in Germany is clear: the unauthorized collection of user data is against the law. However, despite clear regulations, the reality shows that many companies circumvent or ignore these regulations.

General Data Protection Regulation (GDPR)

The General Data Protection Regulation (GDPR) has formed the foundation of European data protection law since 2018. It is based on important basic principles such as transparency, purpose limitation and data minimization. Particularly crucial: the processing of personal data requires the express consent of the user.

The GDPR gives citizens comprehensive rights to their own data. These include the right to information, correction of incorrect data, deletion and data portability. These rights significantly strengthen the position of consumers vis-à-vis data-collecting companies.

One finding by the researchers from "Local Mess" is particularly alarming: over 70% of the websites checked in Europe establish a snooping connection without the user's consent. This is in direct contradiction to the GDPR requirements and shows a frightening discrepancy between law and practice.

Although the GDPR is sometimes a little hacky and tiring to implement, the basic idea of protecting people's data is correct and important. It provides a framework that should theoretically offer sufficient protection against data snooping.

"The GDPR has set standards worldwide. But its effectiveness depends largely on consistent enforcement."

Prof. Dr. Thomas Hoeren, Institute for Information, Telecommunications and Media Law

Consequences for companies

Violations of the GDPR can result in severe penalties. The fines can amount to up to 4 percent of a company's global annual turnover. For tech giants like Meta, this means potential fines in the billions.

The German and European data protection authorities have stepped up their activities in recent years. They are increasingly conducting investigations and imposing fines on companies that violate data protection regulations. The practices uncovered could therefore have serious consequences for Meta and Yandex.

In addition to official sanctions, there is also the threat of civil law consequences. The GDPR enables class actions by affected users. Consumer protection associations can sue on behalf of many injured parties and demand compensation.

Companies must also expect reputational damage. At a time when consumers are increasingly sensitive to data protection issues, the loss of trust can have a long-term negative impact on business development.

The legal framework in Germany therefore offers effective instruments against data snooping. However, the challenge lies in the consistent enforcement of these rules and the detection of breaches. Companies will only change their practices if they face real consequences.

Public reactions to the revelations

The recent revelations about the hidden surveillance methods of Meta and Yandex have sparked a broad public debate about privacy in the digital age. In social media, forums and comment columns, users are expressing shock at the extent of the Online monitoring. Reactions range from anger and disappointment to resignation - many feel confirmed in their mistrust of large tech companies.

User feedback

Users expressed their outrage about the secret data collection practices in numerous online forums. It is particularly noteworthy that even before the official revelations, some attentive developers had already become suspicious. In the Meta Group's developer forum, several programmers asked questions about unusual data connections to localhost that they had discovered in the apps.

One user wrote: "I've been observing strange connections in my network analysis for weeks. Meta never responded to my inquiries - now we know why." These early warning signs went unanswered by Meta, which further increased the mistrust of many users.

Negative comments are piling up in the app reviews on Google Play and in the Apple App Store. Many users are announcing that they are uninstalling the affected apps and looking for alternatives that will improve their Privacy respect. A particularly common sentiment is the feeling of a breach of trust - users feel betrayed because they had entrusted companies with their personal data.

Reactions from data protection experts

Data protection experts consider the practices uncovered to be particularly problematic. Dr. Martina Weber from the German Institute for Data Protection explains: "What we are seeing here is a new dimension of data collection. Companies have deliberately developed methods to circumvent existing protective measures - this is not only ethically questionable, but could also have legal consequences."

Many experts refer to the well-known principle: "If something is free, then you are the product!" This maxim seems to apply particularly to free services such as Facebook or Yandex. Experts criticize the perfidious way in which these companies have developed new tracking methods to monitor users on Android.

Data protectionists find it particularly worrying that the snooping practices were deliberately designed to go unnoticed by users. Prof. Dr. Klaus Müller from the European Cybersecurity Center emphasizes: "These revelations are part of a worrying pattern of increasing digital surveillance. They show that we as a society urgently need to discuss the limits of data collection." The experts are calling for stricter controls and more transparency from tech companies.

Responses from Meta and Yandex

In the face of the snooping allegations, Meta and Yandex have chosen different communication strategies to influence public opinion. Following the revelations, both companies were forced to respond to the criticism and justify their data protection practices.

The reactions were quick, but with varying degrees of transparency. While some changes were implemented immediately, many questions about the long-term data protection strategy remained unanswered.

Statements from the companies

Meta responded to the accusations with remarkable timing. On the same dayon which the "Local Mess" study was published, the Group stopped sending tracking packets to "localhost". The corresponding program code disappeared almost completely from the affected apps.

The scientists commented on this "coincidental" coincidence with a meaningful emoji: ¯\_(ツ)_/¯. This silent change without public announcement raises questions about the company's transparency.

In a later official statement, Meta explained that the data collection was solely for analysis purposes and to improve the user experience. Personal data was not at risk at any timeclaimed the Group.

We take the protection of our users' privacy very seriously and are constantly working to improve our practices. The data collection methods described in the study were for technical purposes only.

From a Meta press release

Yandex, on the other hand, chose a more defensive strategy. The Russian technology company initially denied the allegations and described the results of the study as "misleading". Only after sustained public pressure did the company admit that its apps did indeed collect extensive user data.

In a subsequent statement, Yandex attempted to present the data collection as standard industry practice. The company emphasized that all activities were in line with the terms of use, which had been accepted by users.

Measures to improve data protection

Meta has made technical changes in direct response to the revelations. The problematic tracking code has been removed and the company announced a review of its data collection practices. Whether these measures are sufficient remains questionable.

Critics complain that Meta has merely reacted to negative publicity without making fundamental changes to its data collection-based business model. The rapid response is seen as a tactical maneuver to pre-empt major regulatory intervention.

For its part, Yandex announced that it would make its privacy policy more transparent and give users more control over their data. The company promised to update its apps to offer clearer consent options.

Both companies are facing the challenge of adapting their business models for Personalized advertising with the growing data protection requirements. The question remains as to whether they are actually prepared to do without invasive tracking methods.

Data protection experts are skeptical about the announced improvements. They point out that both Meta and Yandex have made similar promises in the past without implementing far-reaching changes.

The real challenge for both companies is to find alternative ways of offering relevant advertising without violating users' privacy. The future will show whether this is possible without a fundamental realignment of their business models.

Tips for safe surfing and app use

In light of the snooping practices uncovered by large tech companies, users should take their digital security into their own hands. The cases of Meta and Yandex clearly show that even supposedly trustworthy apps can collect data without our knowledge. Fortunately, there are concrete measures you can take to better protect your privacy.

Setting the data protection options

Choosing the right browser is a crucial first step. Studies by security researchers have shown that not all browsers are equally secure. Brave and DuckDuckGo already use integrated blocklists that effectively prevent tracking methods such as "SDP munging" by Meta.

In contrast, Chrome, Edge and Firefox on Android devices were susceptible to this type of data collection. However, Google has responded: Chrome version 137, released at the end of May 2025, contains protective measures against the tracking methods used by Meta.

For maximum protection, you should make the following settings in your browser:

Activate the "Do Not Track" mode
Block third-party cookies
Use the private surfing mode for sensitive searches
Install privacy extensions such as Privacy Badger or uBlock Origin

Check the permissions of your apps regularly. Many applications require access to the microphone, camera or location, even though this is not necessary for their functionality. Restrict these access rights to the absolute minimum.

Read the terms and conditions carefully

It may seem tedious, but reading the terms of use and privacy policy is essential. Pay particular attention to sections relating to data collection and disclosure. Companies often hide critical information in extensive texts that hardly anyone reads in full.

A helpful tip: Search documents specifically for keywords such as "data", "collect", "share" or "third parties". This will help you find the relevant passages more quickly.

For increased Anonymity additional measures are recommended when surfing:

Use a trustworthy VPN service
Delete cookies and browser data regularly
Use search engines with a focus on data protection such as Startpage or DuckDuckGo
Deactivate location tracking if it is not needed

Also check which apps are active in the background. On Android, you can find this information in the settings under "Apps" and "Battery life". On iOS, you can see which apps are particularly active under "Settings" and "Battery".

Remember: good data protection now also has a positive effect on the Search engine optimization from. Search engines such as Google are increasingly ranking websites with transparent data protection practices higher, which can improve their visibility on the web.

"Data protection is not a luxury, but a fundamental right. In a digitalized world, we must actively stand up for it."

Federal Commissioner for Data Protection and Freedom of Information

With these measures, you can significantly improve your digital privacy and protect yourself from unwanted data collection. Remember: every little step counts in the battle for control over your own data.

Conclusion and outlook

The revelations about data snooping by Meta and Yandex shed light on the ongoing challenges in digital data protection. Despite strict regulations such as the GDPR, companies continue to find ways to access user data.

Future developments in data protection

The concept of "Local Network Access" could offer better protection in the future. This technology is designed to block unwanted access from websites to the local network. Browsers based on Chromium are expected to implement these protective measures soon.

For users of Apple devices, the all-clear has been given for the time being: the investigations by the "Local Mess" team found no evidence of similar problems with iOS. Although the trick would be technically possible, the stricter restrictions on background operation of apps seem to prevent this.

Importance of user education

Effective data protection depends largely on informed users. Those who are aware of the risks and know how to adjust their privacy settings can better protect their digital privacy.

As a pioneer in global data protection, the GDPR has already achieved a great deal. However, the cases of Meta and Yandex show that enforcing these rules remains a challenge. Users should therefore remain vigilant and regularly check their app permissions.

The future of data protection will not only be shaped by technical solutions and legal regulations, but also by consumers' growing awareness of the value of their personal data.

FAQ

What exactly is data snooping and how does it work?

Data snooping refers to practices in which companies secretly collect personal data from users. In the case of Meta and Yandex, they used their Android apps to open local "listening ports" (such as localhost:12387). This technical method makes it possible to bypass communication barriers and establish connections between apps and browsers. As a result, users can be uniquely identified even if they use incognito mode or delete cookies.

Which apps from Meta are affected by data snooping?

The Facebook and Instagram apps for Android are particularly affected. These apps run in the background and collect data even when you are not actively using them. They open local ports to listen to incoming connections without requiring special permissions or your consent.

Which Yandex apps have spied on user data?

Six Yandex apps for Android were identified: Yandex Maps, Navigator, Browser, Search, "Metro in Europe - Vienna" and "Yandex Go: Taxi Food". All of these apps use local ports to link browser cookies with the identity of logged-in users and thus conduct comprehensive online surveillance.

Since when do Meta and Yandex engage in these snooping practices?

Yandex has been using these tracking methods since 2017 - significantly longer than Meta. Meta began these practices in September 2024. The long duration, especially at Yandex, is particularly worrying as users have been monitored for years without their knowledge.

Does incognito mode protect against this type of surveillance?

No, unfortunately not. One particularly worrying finding is that even protective measures such as incognito mode, deleting cookies or browsing history are ineffective against these tracking methods. The apps can still collect data and monitor your surfing behavior.

Do these practices violate the GDPR?

Yes, very likely. The GDPR requires transparency, purpose limitation, data minimization and, above all, explicit consent for data processing. The practices of Meta and Yandex are in clear contradiction to these principles, as they collect and process data without user consent. Particularly alarming: over 70 percent of the websites checked in Europe established a snooping connection without user consent.

What are the consequences for Meta and Yandex?

Under the GDPR, fines of up to 4% of global annual turnover can be imposed. Class actions are also possible. The data protection authorities could initiate investigations and impose conditions. In addition to legal consequences, there is also the threat of considerable reputational damage and loss of trust among users.

How did Meta and Yandex react to the revelations?

On the same day that the "Local Mess" study was published, Meta modified its tracking pixel so that it no longer sends packets or requests to "localhost". The corresponding program code was almost completely removed. The scientists commented on this "coincidental" timing with a meaningful emoji: ¯\_(ツ)_/¯. Both companies have announced measures to improve data protection.

Which browsers are safe from this type of tracking?

The security researchers recommend browsers such as Brave and DuckDuckGo, which have already implemented blocklists against such tracking methods. In contrast, Chrome, Edge and Firefox on Android devices were susceptible to the described snooping. However, Chrome version 137 can prevent the "SDP munging" used by Meta.

Are iOS users also affected by this snooping?

iOS users can breathe a sigh of relief for the time being. The investigations revealed no evidence that Apple's operating system is affected. However, the trick is also technically possible under iOS, but is presumably prevented by restrictions on the background operation of apps.

How can I protect myself from such data snooping?

Use privacy-friendly browsers such as Brave or DuckDuckGo, always keep your browsers and apps up to date, regularly check which apps are running in the background and restrict unnecessary background activity. Use VPNs for more anonymity, regularly delete cookies and consciously restrict app permissions. Also read privacy policies before installing apps or using services.

What is "Local Network Access" and how does it help with data protection?

"Local Network Access" is a concept that is intended to prevent unwanted access from websites to the local network in the future. It would make the kind of snooping that Meta and Yandex have been doing much more difficult or impossible by restricting access to local ports and thus better protecting users' privacy.

Why do companies like Meta and Yandex collect so much data in the first place?

The business model of these companies is heavily based on personalized advertising. The more detailed the user profiles are, the more valuable they are for advertisers. As data protection experts often emphasize: "If something is free, then you are the product" - a principle that is particularly true for free services such as Facebook or Yandex.

What data exactly was collected through this snooping?

Using these methods, the companies were able to create comprehensive user profiles that included surfing habits, websites visited, interests and personal preferences. Particularly problematic: this data could be linked to the identity of logged-in users, creating a very detailed personality profile.