New Way to Covertly Track Android Users

Researchers have discovered a new way to covertly track Android users. Both Meta and Yandex were using it, but have suddenly stopped now that they have been caught.

The details are interesting, and worth reading in detail:

Tracking code that Meta and Russia-based Yandex embed into millions of websites is de-anonymizing visitors by abusing legitimate Internet protocols, causing Chrome and other browsers to surreptitiously send unique identifiers to native apps installed on a device, researchers have discovered. Google says it’s investigating the abuse, which allows Meta and Yandex to convert ephemeral web identifiers into persistent mobile app user identities.

The covert tracking—­implemented in the Meta Pixel and Yandex Metrica trackers­—allows Meta and Yandex to bypass core security and privacy protections provided by both the Android operating system and browsers that run on it. Android sandboxing, for instance, isolates processes to prevent them from interacting with the OS and any other app installed on the device, cutting off access to sensitive data or privileged system resources. Defenses such as state partitioning and storage partitioning, which are built into all major browsers, store site cookies and other data associated with a website in containers that are unique to every top-level website domain to ensure they’re off-limits for every other site.

Washington Post article.

Tags: , , ,

Posted on June 9, 2025 at 6:54 AM20 Comments

Comments

george June 9, 2025 8:12 AM

I think I’ve reached a state of permanent cyncicism regarding big tech.

Nothing they’ve done has ever had any real consequences for them. Users should be disgusted; instead we’re shrugging it off because surveillance capitalism has long been normalized and completely accepted. After all, the only viable alternative is throwing our devices into the trash, which we can’t do because we’re all hopelessly addicted.

Meta should be sued into oblivion for this, in fact they should never be able to recover. And yet, it’s just another Tuesday.

I’m deeply convinced that things will get even worse because of AI. The insane investments must be recouped, and they will be recouped.

/rant

InveigledParsimony June 9, 2025 12:30 PM

Welcome to the Cynic’s Club, George. You aren’t wrong. Per the WarGames prophecy:

“The only winning move is not to play.”

InveigledParsimony June 9, 2025 12:32 PM

Welcome to the Cynic’s Club, George. You aren’t wrong. Per the WarGames prophecy:

“The only winning move is not to play.”

Clive Robinson June 9, 2025 12:37 PM

@ ALL,

The problem…

When putting information in secure containers it is effectively useless as it can not be reached.

When you add a communications channel to the container so the information can be reached / used, by information theory you,

1, Add Redundance.

And further where you have “redundancy” by information theory you,

2, Add a communications channel.

Whilst it might be of a much lower bandwidth, and difficult to see information is still leaked…

And you have in effect,

3, Added a covert side channel.

The first question that comes up is,

“Why don’t we encrypt it?”

Well that might,

A, Hide the “data” in the side channel.

But encryption usually,

B, Won’t hide any “meta-data”

And further usually,

C, Won’t hide any “meta-meta-data”

At the end of the day there is always one piece of information that get’s leaked,

“The channel exists by it being used”

How you lock down or dilute meta-data and meta-meta-data all different but in one respect they are all the same,

“The strongly reduce the efficiency of the system.”

Which is why the known methods of dealing with the leakage of meta-daya and meta-meta-data are almost never used in consumer or commercial products, systems, or software.

As the old saying has it,

“You make your bed and you sleep in it.”

So if you throw down your bed roll on ground you have not taken the time or effort to clear, expect not to wake feeling the way you would like.

Whilst it is possible to design secure systems, the basic rule of thumb that says,

“Efficiency v. Security”

Applies and almost all ways security looses at some point in the system.

In short,

“Modern smart devices can not be secure due to the way they are designed.”

Which is what Google has at best underestimated and Meta and Yandax have exploited.

But ask yourself a question,

“As Google are one of the worst offenders on collecting Personal and Private Information from users and abusing it, was this really accidental?”

not important June 9, 2025 5:39 PM

@Clive asked ‘“As Google are one of the worst offenders on collecting Personal and Private Information from users and abusing it, was this really accidental?”

Nope. They working very closely with deep state and provide any cooperation authorized or not by law. Lawyers could always provide ‘legend’ to cover or exonerate ITs to get them free ride on that.

NO NETWORKING June 9, 2025 7:26 PM

Buy OLD hardware and software now, I’m talking about the hardware which used 5″ floppies and had ZERO networking loaded when you popped in a disk to use a word processor, for example. Snatch them up now before prices soar even more!

As the AI disease (like “social media” is a disease) spreads and overwhelms all of technology, you can remain safe using ancient technology!

Admit it, don’t you miss the sounds of the old dot matrix printers? 😉

Clive Robinson June 9, 2025 9:35 PM

@ NO NETWORKING,

With regards,

“Buy OLD hardware and software now, I’m talking about the hardware which used 5″ floppies and had ZERO networking loaded when you popped in a disk to use a word processor, for example. Snatch them up now before prices soar even more!”

I hear the US FAA Air Traffic people will be getting rid of a load of them “very soon now” it the trumper and his DOdGE minions alow,

https://arstechnica.com/information-technology/2025/06/faa-to-retire-floppy-disks-and-windows-95-amid-air-traffic-control-overhaul/

But hey using “Sneaker-Net” back in the 80’s & 90’s was kind of fun, as you got to meet people 😉

[Shame management cons stole the idea to tell neo-con style C suit types it was OK to slope-off to socialise and call it “Networking”.]

As for Dot-Matrix, I have an Epson for printing out OTPs on three ply tractor paper… The hard part is the “KeyMan” of the printer ribbons.

And another two for printing out HF WeFax and similar from VHF NOAA Sats,

https://m7smu.org.uk/post/wefax-gallery/

Back in the 70’s I had to use an old fashioned valve/tube TV with the scan circuits changed to do “slow scan” and use a camera with held open shutter in the “dark room” then develop the 35mm film and mount in slides to “project” the final image on the wall. Fun but messy and actually quite dangerous, and not alowed these days due to H&S.

Which is why in the 80’s I wrote code for a Z80 cpu that I’d designed a board for, with two other boards a four bit ADC made of discreet components and a “Centronics” parallel printer port card (I still have it in the “junk box” that is my garage 😉 I later wrote the same code but for an V20 –8088 equivalent– portable computer from Amstrad, the PPC640,

https://en.m.wikipedia.org/wiki/Amstrad_PPC

I put in an 8087 and still use it for running code I wrote in assembler using MS-Debug or Qbasic/Edit and later Small-C and I still use the Mirror II comms terminal software on all the 486 systems I have and use as either terminals or text editors (yup Mirror had a WordStar type editor built in, and I’ve done a lot of code writing in it over the years). As for floppies yup I’ve a load of 5&1/4 and 3.5 inch drives thus discs with 4 decades of stuff on them…

John Smith June 10, 2025 1:50 AM

I use a de-Googled phone running CalyxOS.

There are other operating systems such as Graphene as well.

To paraphrase US military-speak somewhat: It is the duty of every prisoner to resist, and to try to escape.

If you feel imprisoned by Big Tech, then resist…and try to escape.

Julian June 10, 2025 3:06 AM

I run the /e/ deGoogled phone OS. Plus NoScript on my browsers too.

It is great until you encounter a site where the developers have been drinking from the Google Cool-Aid fountain.

EasyJet have finally reversed the “feature” of their Android app that insisted on downloading a boarding pass into Google Wallet – but for a while that was the only way to save your boarding pass.

Now my biggest bugbear is Google reCaptcha – where I need to allow Google in NoScript for it to work. Private Windows sort of fixes it, but of course leaves everything in that session open to Google. There are better reCaptcha alternatives that don’t require selling your soul to Google – sadly developers seem not to care.

Clive Robinson June 10, 2025 3:34 AM

@ John Smith,

With regards,

“I use a de-Googled phone running CalyxOS.”

Are you aware that,

1, “de-Googled” usually means only Googles built in Apps being removed?

2, “CalyxOS” is actually Android at the lower levels with the Linux OS towards the bottom?

3, This issue is a case of the Unix OS working as designed / expected / normally?

4, Other Unix OS’s using additional software and configuration to stop this behaviour?

I don’t see in a quick scan of the CalyxOS blurb it has that sort of additional software. As it does not provide sufficient info on the “Datura firewall” and how it configures Netd,

https://calyxos.org/docs/tech/datura-details/

But as the title of Carey Parker’s
book indicates,

“Firewalls Don’t Stop Dragons”

So I can not say but I suspect if those apps that have been highlighted in the article work on CalyxOS then it’s probable that it will be just as vulnerable as stock Android…

Maybe you should ask the CalyxOS people if they have checked yet, and if they have what they found?

Clive Robinson June 10, 2025 7:17 AM

@ Bruce, ALL,

You might have wondered about why I pondered that Google might be in part if not fully to blame.

Well now it’s up and publicly available I can provide a link to something I’d been made aware of and I was mulling it over at the time,

https://brutecat.com/articles/leaking-google-phones

Have a read and ask the same question…

lurker June 10, 2025 10:36 AM

@Clive Robinson, ALL
re Google’s got your number

Only if you gave it to Gg. It appears to me that Gg is leaking only those phone Nrs that it has stored against an account. It’s interesting that the way to force the leak is through the “Lost Password” process. This might be used more often these days since Gg forced the use of Oauth and “trusted device” onto Gmail, and the Play Store, and folks forget their password more easily thru not using it daily.

Which is why Gg keep pushing their reminders to “enter your phone Nr for password recovery/security/bs”. That is, pushing reminders to those diehards who refuse to give the Nr, on the basis they never want Gg to phone them.

Clive Robinson June 10, 2025 2:46 PM

@ lurker,

With regards,

“That is, pushing reminders to those diehards who refuse to give the Nr, on the basis they never want Gg to phone them.”

You left out “or spy on them”.

The thing is in some ways, handing over your “phone number” –or the network identifiers etc behind it– is more dangerous than giving your social security number.

And we know –or should do– just how much damage the SSNo can do…

Bunker Man June 12, 2025 11:54 PM

Every 5 yrs, I come up from my hidden bunker, deep in the Appalachian Mountains forest, spend 5 days in a local town seeing what is happening in the world and if it is safe to come out again to live among humans.

Nope. Back to the bunker for 5 more years.

ResearcherZero June 14, 2025 4:00 AM

@NO NETWORKING

Alternatively you could disable the networking on new gear. You can even buy gear with mechanical switches to disable annoying I/O, or add them yourself and remove built in mics.

A little research before getting started is required to buy or build the right system with a healthy support environment that provides the features that you actually need.

Install an operating system without propriety software and take control of the device. This may require some jail breaking for mobile devices, but is simple with laptops/desktops.

You can compile your own custom kernel for Linux systems, but this will require recompiling the kernel each time the kernel receives an update, then updating the boot loader. This is only needed to get extra performance from the system and disable unwanted kernel support.

There are distributions built purposely for anonymity like Whonix and others…

‘https://www.zdnet.com/article/5-best-linux-distros-for-staying-anonymous-when-a-vpn-isnt-enough/

Compatible hardware is required for Qubes and the learning curve is steeper.
https://www.comparitech.com/blog/vpn-privacy/anonymity-focused-linux-distributions/

Who? June 15, 2025 11:20 AM

For decades we have been using an Internet Citizen’s Band (“ICB”) service running on the loopback interface of one of our servers. It is easily reachable using Unix sockets over OpenSSH, so it is both secure (in the sense it is not reachable from the Internet without being authenticated to the ssh(1) service) and end-to-end encrypted.

We do the same with our WireGuard endpoints (OpenBSD appliances with a ssh(1) service running on the loopback interface, that becomes reachable as soon as we have access to the wg(4) interface on that machine).

I would say this technique is not restricted to Android and iOS devices; it can be used, at least, on any machine supporting Unix sockets.

Who? June 15, 2025 11:26 AM

…perhaps it is time to filter communication with lo0, lo1, lo2, … too.

Should we consider “set skip on lo” on pf(4) bad advice from now?

George June 27, 2025 10:14 PM

Can you find the reference to Ai on the smartphones?

“Then I saw another beast who came out of the ground. It had two horns like a lamb, and it was speaking like the dragon. It did great wonders before the first beast. And it made those dwelling on the ground pray to the first beast, whose wounds were healed. It made fire fall from the heavens before mankind. It inflamed the children of mankind with signs and wonders. And it told those dwelling on the earth to make an idol of the beast, whose wounds from the sword were healed.

And it was permitted to give to the idol of the beast a spirit and a soul, so that it would be able to speak.

And whoever did not want to pray to the idol of the beast would be killed. It made them all – the great and the small, the wealthy and the poor, the slaves and the free – take a sign in his right hand or in their foreheads, so that the only one who has the sign in his hands, or forehead, or the name belonging to the beast, or the number of its name would be able to buy or sell. Here is wisdom and understanding: Appoint one who understands, to calculate the number of the beast, for it is a number belonging to a person, for you will discover the sum is six hundred and sixty-six.”

If this version sounds different it is because they found an original Hebrew version in a little place in India last year. https://theh.substack.com/p/the-most-relevant-archeological-discover

Leave a comment

Blog moderation policy

Login

Allowed HTML <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre> Markdown Extra syntax via https://michelf.ca/projects/php-markdown/extra/

Sidebar photo of Bruce Schneier by Joe MacInnis.