New Way to Track Covertly Android Users
Researchers have discovered a new way to covertly track Android users. Both Meta and Yandex were using it, but have suddenly stopped now that they have been caught.
The details are interesting, and worth reading in detail:
Tracking code that Meta and Russia-based Yandex embed into millions of websites is de-anonymizing visitors by abusing legitimate Internet protocols, causing Chrome and other browsers to surreptitiously send unique identifiers to native apps installed on a device, researchers have discovered. Google says it's investigating the abuse, which allows Meta and Yandex to convert ephemeral web identifiers into persistent mobile app user identities.
The covert tracking implemented in the Meta Pixel and Yandex Metrica trackers allows Meta and Yandex to bypass core security and privacy protections provided by both the Android operating system and browsers that run on it. Android sandboxing, for instance, isolates processes to prevent them from interacting with the OS and any other app installed on the device, cutting off access to sensitive data or privileged system resources. Defenses such as state partitioning and storage partitioning, which are built into all major browsers, store site cookies and other data associated with a website in containers that are unique to every top-level website domain to ensure they're off-limits for every other site.
-- Links in article:
https://localmess.github.io/
https://www.facebook.com/business/tools/meta-pixel/
https://ads.yandex/metrica
https://source.android.com/docs/security/app-sandbox
https://developer.mozilla.org/en-US/docs/Web/Privacy/Guides/State_Partitioning
https://privacysandbox.google.com/cookies/storage-partitioning
https://www.washingtonpost.com/technology/2025/06/06/meta-privacy-facebook-instagram/
-- See Also:
- Meta and Yandex are de-anonymizing Android users' web browsing identifiers
https://arstechnica.com/security/2025/06/meta-and-yandex-are-de-anonymizing-android-users-web-browsing-identifiers/
(Score: 3, Funny) by Farmer Tim on Wednesday June 11, @09:22PM (1 child)
Came for the news, stayed for the soap opera.
(Score: 3, Funny) by DannyB on Thursday June 12, @09:55PM
If submitted by Yoda were they, read like this, the grammar it would.
A new way to covertly track down Android users have researchers discovered, they have. Yeessss.
Suddenly stopped are Meta and Yandex being caught they have been.
Worth reading and interesting the details are they.
The server will be down for replacement of vacuum tubes, belts, worn parts and lubrication of gears and bearings.
(Score: 4, Interesting) by JoeMerchant on Wednesday June 11, @10:25PM (3 children)
I started running our home network DNS through a Pi-Hole about a month ago. Remarkably painless to setup and use, switching DNS was super simple. Migrating DHCP from my home router to the Pi-Hole took a little more effort, but still done within an hour start to finish, and the DHCP migration is optional (though it gives you more insight into what devices are requesting what site names.)
This tracking sounds like it might bypass the DNS system, so Pi-Hole wouldn't touch it. A lot of what gets blocked by my Pi-Hole is tracking oriented (beacons, etc.) Also worth mentioning: Tor also bypasses DNS entirely on your local machine, no DNS records at all, very much unlike "incognito mode" of Chrome.
Maybe also worth mentioning, my son's cellphone accounts for about 1/2 of the DNS lookup activity in our home, and about 2/3 of that activity is blocked as advertisement or tracking oriented destinations.
We have various iPhone and Android phones come through the house, they both have blocked traffic - different DNS names on the competing OSs, but the volume of blocked lookups is about the same for "normal" adult users on either iPhone or Android.
🌻🌻🌻 [google.com]
(Score: 5, Interesting) by bzipitidoo on Wednesday June 11, @11:13PM (2 children)
Only this week did I learn of alternate DNSes that blocks ads, trackers, malicious web sites, and viruses. I was looking into configuring ad blocking at the router, which I've done before, when I found about about this. (Also have done the trick of cramming a big list of IP addresses into the local hosts file to redirect known ad servers to 127.0.0.1) There's 1.1.1.1 [1.1.1.1] (cloudflare), libredns [libredns.gr], alternate dns [alternate-dns.com], and several others. Seems a more effective way to keep crap away from Android devices, jailbreaking those things being such a pain, and them meant to roam which makes setting up blocking on your home IP connection not that useful. Just set the Android device to use a private DNS and point at one of those ad blocking ones. Sure knocked out the annoying advertising on those included games that have that.
The big question I have about it is, how can we know which of these alternate DNSes can be trusted? I think that any such service that tried some funny business would soon be found out. Much like browser level ad blockers such as uBlock origin, any of those that tried anything odd would be exposed pretty quick.
(Score: 2) by JoeMerchant on Thursday June 12, @02:14AM
With pi hole I configured six secure alternate DNS servers and over a million blocked addresses in a matter of minutes...
Those big block lists of course get a little aggressive sometimes, so there's whitelisting to ensure the addresses you need will resolve.
🌻🌻🌻 [google.com]
(Score: 4, Informative) by hendrikboom on Monday June 16, @01:37AM
Europe is setting up its own DNS to be free of American control.
The Cira, which manages Canada's .ca domain, has set up several pubic-access DNS services which aim to make browsing safer. They call it the Canadian Shield [www.cira.ca].
CIRA DNS IP numbers for Canadian Shield:
Private: 149.112.121.10 149.112.122.10 2620:10A:80BB::10 2620:10A:80BC::10
Protected: 149.112.121.20 149.112.122.20 2620:10A:80BB::20 2620:10A:80BC::20
Family: 149.112.121.30 149.112.122.30 2620:10A:80BB::30 2620:10A:80BC::30
(Score: 0) by Anonymous Coward on Thursday June 12, @02:09AM (2 children)
Otherwise, how could the appropriate tower be selected to connect to an active phone?
(Score: 4, Informative) by pTamok on Thursday June 12, @08:51AM
By signal quality.
The phone monitors the signals that are above noise-level. The 'highest quality' signal wins, and the phone registers with the base-station. The base-station does not need to know where the phone is: merely that it has received a registration request.
The location of which base-station the phone is registered with is known, but that does not give a precise fix.
You can use base-station triangulation to get a better fix on a mobile phone's location, especially if you 'force' the phone to 'hand-over' to other base-stations. Some of the methods require post-processing of the logs of protocol exchanges between the phone and the base station.
Of course, if you have 'location services' enabled, the phone will happily tell third parties where it is, to the best of its ability. But mobile phones, in and of themselves, can operate (i.e. send and receive calls and data) without the phone or the base-station knowing precisely where they are.
(Score: 4, Informative) by DannyB on Thursday June 12, @10:09PM
These aren't the droids you're looking for.
If I understood the article correctly, suppose I use my phone to browse to, some hypothetical, let's call it, FaceTwit. Now FaceTwit sends the browser a number of cookies, including cookies for other sites so that these other sites can cooperate in exchanging your personal information and habits.
Now suppose I also install the FaceTwit app. That app can open ports on 127.0.0.1 and listen. Now, suppose I browse to another site, let's say, TockTick. That site sends the browser cookies, but also JavaScript that sends its cookies to the open port on 127.0.0.1 from the other company (FaceTwit's) app. Now the FaceTwit app can send that info back to its mother ship, to be shared behind the scenes with TockTick. That way they all can have all of your information, all the time. What you do, say and think. As God intended. None of this communication goes over any sketchy ports or IP addresses. It could all go through normal communications between the browser, the local phone apps, and the mother ships on the intarweb tubes. So I don't think PiHole would be an effective defense.
Perhaps I did not read carefully enough or understand?
The server will be down for replacement of vacuum tubes, belts, worn parts and lubrication of gears and bearings.
(Score: 3, Insightful) by pTamok on Thursday June 12, @08:59AM (2 children)
Data acquisition of this kind will continue unabated until the punishments for doing so become meaningful, and not just capable of being written off as the 'cost of doing business'.
Putting 'C'-level business-people in gaol, oddly, doesn't work. Partly because courts are very reluctant to deprive people of liberty for indirect responsibilities (the number of successful corporate manslaughter prosecutions is tiny); partly because there are plenty of people willing to 'take the risk' for the large financial benefits of being in the 'C'-suite - so if a company loses one, it is easy to replace them.
Fines need to be a great deal larger before shareholders will apply pressure to stop the actions that prevent the fines. As long as fines don't affect quarterly profits and/or long-term growth prospects, nothing meaningful will happen.
Do I sound cynical?
(Score: 3, Interesting) by JoeMerchant on Thursday June 12, @11:43AM
Don't call them fines, or penalties, call them tax rebates for good behavior.
A) Tax corporations' gross income as a matter of course - EU does this mainly through VAT, US states have weaker sales taxes, whatever mechanism works.
B) Define "good behavior" and rebate a portion of tax collected for concrete demonstration of good behavior.
🌻🌻🌻 [google.com]
(Score: 4, Insightful) by suxen on Thursday June 12, @11:53AM
I'd say it will continue unabated until the average person cares about it. I've been warning people about the implications of emerging technologies since the early 2000s, the response a universal, "why should I care about surveillance if I'm not doing anything wrong..."
It's all well and good while you trust the people in power and the technology is being used only against bad people so that good people can live in peace. Unfortunately history is replete with examples where the definition of 'bad guy' has been expanded to include people engaged in many benign and at times even beneficial behaviors, not to mention those times where the definition of 'bad guy' has been expanded to include entire classes of people based on criteria such as race or cultural heritage