Researchers disclose a novel covert web-to-app tracking method by Meta (Facebook) and Yandex affecting billions of Android users. Native Android apps—including Facebook, Instagram, and Yandex apps like Maps and Browser—silently listen on fixed localhost ports for tracking data sent by embedded web scripts (Meta Pixel and Yandex Metrica) running in mobile browsers. These scripts transmit browser metadata, cookies (notably Meta’s fbp cookie), and commands over localhost connections to native apps, enabling these organizations to link browsing sessions and web cookies to persistent user identities such as the Android Advertising ID (AAID). This bypasses standard privacy controls like cookie clearing, incognito mode, and Android permission restrictions.

Meta’s Pixel JavaScript uses WebRTC with SDP Munging to send the first-party fbp cookie to UDP ports 12580–12585 on localhost, which the Facebook and Instagram apps listen on in the background. These apps then send this combined identifier and browsing data to Meta servers, linking web activity with Facebook or Instagram accounts. Around May 2025, Meta began shifting to WebRTC TURN servers instead of STUN, possibly to circumvent browser mitigations. As of June 3, 2025, Meta ceased sending packets to localhost, removing most of the responsible code.

Yandex Metrica has used localhost communications since 2017, sending HTTP(S) requests with obfuscated parameters to specific TCP ports (29009, 29010, 30102, 30103) where Yandex Android apps listen. The native app acts as a proxy to inject device identifiers (including AAID) into responses back to the browser script, which then uploads the aggregated data to Yandex servers. Yandex’s use of HTTP requests to localhost additionally poses a browsing-history leak risk: a malicious third-party app could intercept these requests and learn visited URLs even in incognito/private browsing.
Proof-of-concept apps demonstrate this vulnerability in browsers like Chrome, Firefox, and Edge, while Brave and DuckDuckGo deploy blocking measures that reduce exposure. Meta Pixel is embedded on over 5.8 million websites and Yandex Metrica on nearly 3 million, according to web technology tracking sites. Crawls of the top 100k websites show thousands of sites in the US and Europe trigger these localhost communications, often without requiring cookie consent. For example, between 11,890 and 13,468 sites in the US and Europe allow Meta Pixel to share _fbp IDs to localhost without explicit consent.

The method leverages Android’s open localhost socket permissions granted to all apps with INTERNET permission, enabling any app to listen on loopback addresses and communicate with browser scripts without platform mediation or user knowledge. This novel abuse of localhost sockets bypasses sandboxing and inter-process isolation on Android. Browser vendors including Chrome, Firefox, DuckDuckGo, and Brave have been notified and implemented or are developing mitigations, such as blockin
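The mechanism above rests on a native app holding a bound loopback socket on a fixed port, so the defender-side check is to enumerate loopback listeners on a device and flag the ports the disclosure names (UDP 12580–12585 for Meta, TCP 29009, 29010, 30102, 30103 for Yandex). The following is an added example, not code from the researchers or from any vendor: it parses text in the `/proc/net/tcp` and `/proc/net/udp` format (what `adb shell cat /proc/net/tcp` returns on a debuggable device) and reports loopback sockets on those ports together with the owning uid, which on Android maps to one installed package. The sample dumps are constructed; the parser assumes a little-endian device and IPv4 entries only, so `/proc/net/tcp6` and `/proc/net/udp6` (which carry 128-bit addresses) would need a separate address decoder.

```python
"""Flag loopback listeners on the localhost ports named in the Meta/Yandex disclosure.

Added example (not part of the original disclosure or any vendor's code).
Reads /proc/net/{tcp,udp}-format text and reports sockets bound to 127.0.0.1
on the ports the disclosure associates with web-to-app tracking. Assumes a
little-endian device (ARM/x86) and IPv4 tables; tcp6/udp6 are not handled.
"""
from __future__ import annotations

import socket
import struct
from dataclasses import dataclass

# Ports taken from the disclosure text.
META_UDP_PORTS = set(range(12580, 12586))        # 12580-12585, UDP
YANDEX_TCP_PORTS = {29009, 29010, 30102, 30103}  # TCP

TCP_LISTEN = 0x0A  # 'st' column value for a listening TCP socket
UDP_BOUND = 0x07   # 'st' column value for an unconnected (bound) UDP socket


@dataclass(frozen=True)
class LocalSocket:
    proto: str
    ip: str
    port: int
    uid: int  # Android assigns one uid per app, so this identifies the package


def _parse_addr(hexaddr: str) -> tuple[str, int]:
    """Decode the 'AAAAAAAA:PPPP' field; the IPv4 part is a native-endian uint32."""
    ip_hex, port_hex = hexaddr.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))  # "0100007F" -> 127.0.0.1
    return ip, int(port_hex, 16)


def parse_proc_net(text: str, proto: str) -> list[LocalSocket]:
    """Return bound/listening sockets from a /proc/net/tcp or /proc/net/udp dump."""
    wanted_state = TCP_LISTEN if proto == "tcp" else UDP_BOUND
    sockets = []
    for line in text.splitlines()[1:]:  # first line is the column header
        fields = line.split()
        if len(fields) < 8:
            continue
        # Columns: sl local_address rem_address st tx:rx tr:tm retrnsmt uid ...
        local, state, uid = fields[1], int(fields[3], 16), int(fields[7])
        if state != wanted_state:
            continue  # skip established connections and other states
        ip, port = _parse_addr(local)
        sockets.append(LocalSocket(proto, ip, port, uid))
    return sockets


def find_tracking_listeners(tcp_text: str, udp_text: str) -> list[LocalSocket]:
    """Loopback sockets on a port the disclosure ties to Meta or Yandex tracking."""
    hits = [s for s in parse_proc_net(tcp_text, "tcp")
            if s.ip == "127.0.0.1" and s.port in YANDEX_TCP_PORTS]
    hits += [s for s in parse_proc_net(udp_text, "udp")
             if s.ip == "127.0.0.1" and s.port in META_UDP_PORTS]
    return hits


# Constructed sample dumps (not captured from a real device). Ports in hex:
# 29009=0x7151, 30102=0x7596, 8080=0x1F90, 5555=0x15B3, 12580=0x3124,
# 12585=0x3129, 12586=0x312A, 68=0x0044.
TCP_SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:7151 00000000:0000 0A 00000000:00000000 00:00000000 00000000 10234        0 40001 1 0000000000000000 100 0 0 10 0
   1: 0100007F:7596 00000000:0000 0A 00000000:00000000 00:00000000 00000000 10234        0 40002 1 0000000000000000 100 0 0 10 0
   2: 00000000:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000 10300        0 40003 1 0000000000000000 100 0 0 10 0
   3: 0100007F:15B3 00000000:0000 0A 00000000:00000000 00:00000000 00000000  2000        0 40004 1 0000000000000000 100 0 0 10 0
   4: 0100007F:7151 0100007F:C4A2 01 00000000:00000000 00:00000000 00000000 10234        0 40005 1 0000000000000000 100 0 0 10 0
"""

UDP_SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode ref pointer drops
   0: 0100007F:3124 00000000:0000 07 00000000:00000000 00:00000000 00000000 10156        0 50001 2 0000000000000000 0
   1: 0100007F:3129 00000000:0000 07 00000000:00000000 00:00000000 00000000 10156        0 50002 2 0000000000000000 0
   2: 00000000:0044 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 50003 2 0000000000000000 0
   3: 0100007F:312A 00000000:0000 07 00000000:00000000 00:00000000 00000000 10400        0 50004 2 0000000000000000 0
"""

if __name__ == "__main__":
    for s in find_tracking_listeners(TCP_SAMPLE, UDP_SAMPLE):
        print(f"{s.proto} {s.ip}:{s.port} bound by uid {s.uid}")
```

On a real device, replace the constructed samples with the output of `adb shell cat /proc/net/tcp` and `/proc/net/udp`, then resolve each reported uid to a package with `adb shell pm list packages --uid <uid>`. The established-connection row (state `01`) and the non-loopback listener are deliberately included in the sample so the filter's behaviour on them is visible.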