Full Report
Meta is known for not taking people's privacy seriously: it wants to track people and sell the data at all costs. This post is about a tracking mechanism on Android that bypassed the sandbox restrictions to link what you do in the browser with your real identity, even if you never logged into your account in that browser.

The Meta Pixel is a piece of code that measures the effectiveness of advertising. It is embedded on many, many websites and helps track individual users. Separately, the Facebook app keeps running in the background once opened on Android, and it opens a listener on a TCP or UDP port on the device. On its own, that is not abnormal for an app to do.

The combination of the two is what causes the issue. When you visit a website that carries the Facebook pixel on Android, the pixel attempts to connect to that local port and sends it the `_fbp` cookie, which is tied to the current browsing session. Facebook can map that cookie to the website it was set on, so once the cookie reaches the logged-in app, it knows who was visiting the site! What's crazy about this is that you could be on a VPN or in incognito mode and it still tracks you. This has been coined localhost tracking.

The captured data includes browsing history, products, registrations on websites and more. The author estimates that fines will be around 164 billion, which is an insane amount. Localhost tracking is an interesting technique! It's sad that it was found in the wild though.
Analysis Summary
# Tool/Technique: Localhost Tracking (Meta Pixel Sandbox Bypass)
## Overview
Localhost tracking is a sophisticated data exfiltration and deanonymization technique discovered in the wild. It utilizes a combination of a native mobile application and a web-based tracking script to bypass Android's sandbox restrictions. By establishing a local communication channel between a mobile browser and a backgrounded app via local TCP/UDP ports, Meta can link anonymous web browsing activity (including incognito sessions and VPN traffic) to a specific, logged-in user identity.
## Technical Details
- **Type**: Technique / Cross-App Communication Tracking
- **Platform**: Android (Target), Web Browsers
- **Capabilities**: Sandbox escape, user deanonymization, cross-session tracking, bypassing VPN/Incognito protections.
- **First Seen**: Discovered and detailed in June 2025 (research credited to Tim Vlummens, Narseo Vallina-Rodriguez, et al.).
## MITRE ATT&CK Mapping
- **[TA0040 - Impact / TA0037 - Collection]**
- **[T1633 - Identifiers Cloud Binding]** (Linking web activity to account identity)
- **[T1624.001 - Event Triggered Execution: Broadcast Receivers]** (App listening in background)
- **[TA0005 - Evasion]**
- **[T1620 - Reflective Code Loading / Sandbox Evasion]** (Bypassing browser isolation via local network stack)
- **[TA0011 - Command and Control]**
- **[T1095 - Non-Application Layer Protocol]** (Use of STUN/WebRTC for local port communication)
## Functionality
### Core Capabilities
- **Local Listener Establishment**: Upon execution, the native Facebook/Instagram app opens a background service that listens on specific local ports (TCP 12387, 12388 and UDP 12580-12585).
- **Identifier Synchronization**: The Meta Pixel (JavaScript) in the mobile browser generates or retrieves a session-specific `_fbp` cookie.
- **Local Network Probing**: The browser script uses WebRTC (STUN) SDP Munging to "shout" the cookie to the local device's network stack, targeting the ports opened by the backgrounded app.
- **Deanonymization**: The native app receives the `_fbp` cookie and transmits it to Meta’s servers via a GraphQL mutation, paired with the user's permanent account ID.
### Advanced Features
- **Sandbox Circumvention**: Effectively bridges the gap between the mobile browser sandbox and the native app environment without requiring standard Inter-Process Communication (IPC) permissions.
- **Resilience to Privacy Tools**: Because the communication happens on the `localhost` (127.0.0.1) level inside the device, VPNs and "Incognito" browser modes fail to block the correlation.
## Indicators of Compromise
- **Network Indicators**:
  - `https://www[.]facebook[.]com/tr` (Pixel tracking endpoint)
  - `https://graph[.]facebook[.]com/graphql` (GraphQL mutation endpoint for identity linking)
- **Behavioral Indicators**:
  - **Internal Port Binding**: Mobile device listening on TCP ports `12387` and `12388`, and on UDP ports in the range `12580-12585`.
  - **WebRTC Anomalies**: Excessive or unusual WebRTC/STUN traffic directed at the local interface (127.0.0.1) originating from the browser.
## Associated Threat Actors
- **Meta (Facebook/Instagram)**: Developer and primary operator of the tracking infrastructure.
## Detection Methods
- **Behavioral Detection**: Monitoring for mobile applications that open local listening ports without a documented functional requirement (e.g., casting or syncing features).
- **Network Analysis**: Inspecting outgoing GraphQL mutations from mobile apps for parameters that include browser-based identifiers like `_fbp`.
- **Browser Monitoring**: Identifying scripts attempting to reach common localhost port ranges via WebRTC/SDP.
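As an added example (not code from the report or its authors), the following Python implements the first two detection methods above: it flags sockets bound to the report's port set in a `netstat -tulnp` style listing, and checks an app's outgoing GraphQL request body for an `_fbp` cookie value. The listing, the request body and the package name `com.example.social` are constructed sample data, not captures from a real device.

```python
import re

# Ports the report attributes to the Meta app's background listeners.
SUSPECT_TCP_PORTS = {12387, 12388}
SUSPECT_UDP_PORTS = set(range(12580, 12586))

# Matches one Android toybox `netstat -tulnp` line, e.g.
# "tcp  0  0 127.0.0.1:12387  0.0.0.0:*  LISTEN  4321/com.example.social"
_NETSTAT_RE = re.compile(
    r"^(?P<proto>tcp|udp)6?\s+\d+\s+\d+\s+"
    r"(?P<addr>\S+):(?P<port>\d+)\s+\S+(?:\s+LISTEN)?\s+"
    r"(?P<pid>\d+|-)(?:/(?P<proc>\S+))?"
)

def find_localhost_listeners(netstat_lines):
    """Return (proto, port, process) for every socket on the suspect port set."""
    hits = []
    for line in netstat_lines:
        m = _NETSTAT_RE.match(line.strip())
        if not m:
            continue  # header or unparseable line
        proto, port = m.group("proto"), int(m.group("port"))
        suspect = SUSPECT_TCP_PORTS if proto == "tcp" else SUSPECT_UDP_PORTS
        if port in suspect:
            hits.append((proto, port, m.group("proc") or "unknown"))
    return hits

# _fbp values have the documented shape fb.1.<timestamp>.<random>.
_FBP_RE = re.compile(r"_fbp[\"']?\s*[:=]\s*[\"']?(fb\.1\.\d+\.\d+)")

def graphql_body_carries_fbp(body):
    """True if an app's GraphQL mutation body embeds a browser _fbp cookie."""
    return _FBP_RE.search(body) is not None

# Constructed sample listing (assumed package name, not a real capture).
SAMPLE_NETSTAT = [
    "Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name",
    "tcp        0      0 127.0.0.1:12387   0.0.0.0:*   LISTEN   4321/com.example.social",
    "tcp        0      0 0.0.0.0:5555      0.0.0.0:*   LISTEN   77/adbd",
    "udp        0      0 0.0.0.0:12580     0.0.0.0:*            4321/com.example.social",
    "udp        0      0 0.0.0.0:5353      0.0.0.0:*            -",
]

if __name__ == "__main__":
    for proto, port, proc in find_localhost_listeners(SAMPLE_NETSTAT):
        print(f"suspect listener: {proto}/{port} owned by {proc}")
```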
## Mitigation Strategies
- **Prevention**: Uninstalling native Meta applications and using privacy-hardened browsers (e.g., Firefox with "Total Cookie Protection" or Brave) that restrict local network access.
- **Hardening**: Utilizing Android’s "Developer Options" or third-party firewalls (like NetGuard) to restrict background network activity for specific apps.
- **Policy**: Implementing strict "Force Stop" on social media applications when not in use to kill background listeners.
## Related Tools/Techniques
- **Meta Pixel**: The web-based component used for data gathering.
- **SDP Munging**: Manipulation of WebRTC session descriptions (SDP) to steer the browser's connection toward the local port.
- **Fingerprinting**: Traditional methods used in conjunction with localhost tracking for higher accuracy.