Full Report
Meta is known for not taking people's privacy seriously; it wants to track people and sell the data at all costs. This post is about a tracking mechanism on Android that bypasses the sandbox restrictions to link what you do in the browser with your real identity, even if you never logged into your account.

The Meta Pixel is a piece of code for measuring the effectiveness of advertising. It is embedded on many, many websites and helps track individual users. Separately, the Facebook app keeps running in the background once opened on Android, and it opens a listener on a TCP or UDP port on the device. That on its own is not that abnormal for an app to do.

The combination of the two is what causes the issue. When you visit a website that carries the Facebook pixel on Android, the pixel attempts to connect to this port. In particular, it sends the _fbp cookie, which is limited to a particular session. Based on this cookie, Facebook knows which website the session was linked to, and once it is sent to the user's app, the app knows who was visiting the site! What's crazy is that you could be on a VPN or in incognito mode and it still tracks you. This has been coined localhost tracking.

The captured data includes browsing history, products, registrations on websites and more. The author estimates that fines will be around 164 billion, which is an insane amount. Localhost tracking is an interesting technique! It's sad that it was found in the wild though.
Analysis Summary
# Tool/Technique: Meta "Localhost Tracking" (LocalMess)
## Overview
Localhost tracking is a sophisticated de-anonymization and cross-environment tracking technique discovered in Meta’s Android applications (Facebook and Instagram). This mechanism bypasses mobile OS sandbox restrictions to link a user’s anonymous web browsing activity (even in incognito mode or via VPN) to their authenticated social media identity. It achieves this by establishing a local communication channel between a web browser script and a backgrounded native application.
## Technical Details
- **Type**: Tracking Technique / Privacy Bypass
- **Platform**: Android
- **Capabilities**: Sandbox evasion, cross-app communication, de-anonymization, persistent tracking (bypassing Incognito/VPN).
- **First Seen**: Publicly disclosed June 2025 (Research credited to Tim Vlummens, Narseo Vallina-Rodriguez, et al.).
## MITRE ATT&CK Mapping
- **[TA0040 - Impact]**
  - **[T1491 - Data Encapsulation/Exfiltration]**: Using non-standard channels to pass identifiers.
- **[TA0033 - Discovery]**
  - **[T1420 - File and Directory Discovery]**: (Contextual) Identifying local listeners.
- **[TA0005 - Evasion]**
  - **[T1620 - Reflective Code Loading]**: Deployment of Meta Pixel scripts to facilitate communication.
  - **[T1622 - Debugger Evasion]**: Using unconventional ports and WebRTC munging to hide traffic from standard interceptors.
## Functionality
### Core Capabilities
- **Local Listener Establishment**: The native Facebook/Instagram app opens local TCP/UDP listeners on the Android device while running in the background.
- **Web-to-Native Bridge**: The Meta Pixel (JavaScript) embedded in third-party websites attempts to contact these local ports on `127.0.0.1` (localhost).
- **Identifier Synchronization**: The browser script sends the `_fbp` (Facebook Browser) cookie to the native app via the local port.
- **GraphQL Exfiltration**: The native app, which is authenticated to a specific user account, transmits the received `_fbp` cookie to Meta’s servers via a GraphQL mutation, effectively linking the browser session to the user's real identity.
### Advanced Features
- **WebRTC (STUN) SDP Munging**: Uses WebRTC protocols to facilitate the connection between the browser and the local app, bypassing certain browser security policies.
- **Persistence**: The tracking remains effective even if the user is on a VPN (as the traffic is internal to the handset) or using Incognito mode (as the local app provides the persistent identity).
## Indicators of Compromise
- **File Names**: Integrated within the official Facebook and Instagram Android APKs.
- **Network Indicators**:
  - `https://www[.]facebook[.]com/tr` (Pixel tracking endpoint)
  - `https://graph[.]facebook[.]com/graphql` (Data exfiltration endpoint)
- **Behavioral Indicators**:
  - Apps listening on TCP ports `12387` or `12388`.
  - Apps listening on UDP ports in the range `12580`–`12585`.
  - High frequency of localhost (`127.0.0.1`) connection attempts initiated by the mobile web browser.
## Associated Threat Actors
- **Meta Platforms, Inc.** (Facebook/Instagram): Specifically the advertising and telemetry engineering divisions.
## Detection Methods
- **Behavioral Detection**: Monitoring for Android applications that open local TCP/UDP ports and remain active in the background for extended periods.
- **Traffic Analysis**: Inspecting WebRTC SDP (Session Description Protocol) traffic for "munged" candidates pointing to localhost or private IP ranges.
- **Proxy/Log Analysis**: Identifying requests to `graph[.]facebook[.]com/graphql` that contain `_fbp` identifiers linked to non-browser-originated traffic.
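The three detection methods above, together with the port and endpoint indicators from the IoC section, can be checked mechanically. The following Python is an added example, not code from this report or from the cited research: it runs over constructed samples of a listening-socket listing, a WebRTC SDP offer and a proxy log, whose column layouts are assumptions, and flags the report's indicators. The process names and the `_fbp` value are made-up samples.

```python
"""Checks for the localhost-tracking indicators listed in this report.

Added example; not code from the report or the cited research. All inputs
below are constructed samples: the socket listing mimics `ss -lntup` output
reduced to three columns, the SDP is a hand-written WebRTC offer fragment,
and the proxy log uses an assumed "process method url body" layout.
"""
import ipaddress
import re
from urllib.parse import urlsplit

# Port indicators from the report (TCP 12387/12388, UDP 12580-12585).
SUSPICIOUS_TCP_PORTS = {12387, 12388}
SUSPICIOUS_UDP_PORTS = set(range(12580, 12586))

# Constructed sample: proto, local address, owning process.
SOCKET_LINES = """\
tcp   0.0.0.0:12387    com.facebook.katana
tcp   127.0.0.1:12388  com.facebook.katana
udp   0.0.0.0:12580    com.instagram.android
tcp   0.0.0.0:8080     com.example.devserver
udp   0.0.0.0:5353     com.android.nfc
"""

def flag_listeners(lines: str) -> list[tuple[str, str, int]]:
    """Return (process, proto, port) for sockets bound to the indicator ports."""
    hits = []
    for line in lines.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        proto, local, proc = parts
        port = int(local.rsplit(":", 1)[1])
        if (proto == "tcp" and port in SUSPICIOUS_TCP_PORTS) or (
            proto == "udp" and port in SUSPICIOUS_UDP_PORTS
        ):
            hits.append((proc, proto, port))
    return hits

# Constructed SDP fragment: one public host candidate, one loopback candidate
# on an indicator port, one private-range candidate.
SDP_SAMPLE = """\
v=0
o=- 1 1 IN IP4 0.0.0.0
a=candidate:1 1 udp 2122260223 8.8.8.8 51000 typ host
a=candidate:2 1 udp 2122194687 127.0.0.1 12580 typ host
a=candidate:3 1 udp 2122129151 10.0.0.5 40000 typ srflx
"""
# ICE candidate line: foundation component transport priority address port typ type
CANDIDATE_RE = re.compile(
    r"^a=candidate:\S+ \d+ \S+ \d+ (\S+) (\d+) typ \S+", re.MULTILINE
)

def flag_sdp_candidates(sdp: str) -> list[tuple[str, int, str]]:
    """Return (address, port, reason) for candidates in loopback or private ranges;
    a public web page has no ordinary reason to offer a loopback candidate."""
    hits = []
    for addr, port in CANDIDATE_RE.findall(sdp):
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            continue  # mDNS or hostname candidates are not classified here
        if ip.is_loopback:
            hits.append((addr, int(port), "loopback"))
        elif ip.is_private:
            hits.append((addr, int(port), "private"))
    return hits

# _fbp cookies have the shape fb.<subdomain index>.<creation time ms>.<random>.
FBP_RE = re.compile(r"fb\.\d+\.\d{13}\.\d+")
BROWSER_PROCESSES = {"com.android.chrome", "org.mozilla.firefox"}

# Constructed proxy log: process method url body ("-" when empty). The _fbp
# value is a made-up sample.
PROXY_LOG = """\
com.facebook.katana POST https://graph.facebook.com/graphql variables={"fbp":"fb.1.1700000000000.123456789"}
com.android.chrome GET https://www.facebook.com/tr?id=1&fbp=fb.1.1700000000000.123456789 -
com.facebook.katana POST https://graph.facebook.com/graphql doc_id=42
"""

def flag_graphql_fbp(log: str) -> list[tuple[str, str]]:
    """Return (process, fbp) for graph.facebook.com/graphql requests carrying an
    _fbp-shaped identifier from a process that is not a browser."""
    hits = []
    for line in log.splitlines():
        proc, _method, url, body = line.split(maxsplit=3)
        parts = urlsplit(url)
        if parts.hostname != "graph.facebook.com" or parts.path != "/graphql":
            continue
        match = FBP_RE.search(url + " " + body)
        if match and proc not in BROWSER_PROCESSES:
            hits.append((proc, match.group(0)))
    return hits

if __name__ == "__main__":
    print("listeners:", flag_listeners(SOCKET_LINES))
    print("sdp:", flag_sdp_candidates(SDP_SAMPLE))
    print("graphql:", flag_graphql_fbp(PROXY_LOG))
```

The socket check is the cheapest signal and the one most worth automating on a managed device fleet; the SDP and proxy checks need a TLS-intercepting proxy or a browser-side hook to see the traffic at all, so treat them as confirmation rather than a first line of detection.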
## Mitigation Strategies
- **Prevention Measures**:
  - Use browsers that strictly block "Private Network Access" (PNA) to prevent public websites from contacting localhost.
  - Revoke "Background Activity" and "Battery Optimization" permissions for Meta applications to prevent background listeners.
- **Hardening**:
  - Utilize DNS-based blocking (e.g., Pi-hole, NextDNS) to null-route Meta’s tracking and GraphQL domains.
  - Implement mobile firewalls (e.g., NetGuard) to block Meta apps from accessing the network entirely unless in the foreground.
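The PNA mitigation above comes down to a single rule a browser applies per request: a page may not fetch from an address space that is less public than its own unless the target explicitly opts in. The following Python is an added example and not part of this report: it models that rule for IP literals and localhost names following the W3C Private Network Access draft, and goes beyond the page's single `127.0.0.1` case by classifying arbitrary targets. The hostnames in the scenario are constructed, and `target_opted_in` is an assumption standing in for a successful CORS preflight.

```python
"""Private Network Access (PNA) decision, as an added example.

Not code from the report; it models the check a PNA-enforcing browser applies,
following the W3C Private Network Access draft: a request may not go from a
more-public address space to a less-public one (public -> private -> local)
unless the target answers a CORS preflight that opts in. The IP ranges are the
draft's definitions of "local" and "private"; `target_opted_in` is an
assumption standing in for a successful preflight.
"""
import ipaddress
from enum import IntEnum


class AddressSpace(IntEnum):
    PUBLIC = 0   # everything else
    PRIVATE = 1  # RFC 1918, link-local, unique-local IPv6
    LOCAL = 2    # loopback / localhost


LOCAL_NETS = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "::1/128")]
PRIVATE_NETS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
              "169.254.0.0/16", "fc00::/7", "fe80::/10")
]


def classify(host: str) -> AddressSpace:
    """Map a host (IP literal or name) to its PNA address space.

    Simplification: a non-IP hostname other than localhost is treated as
    public; a real browser classifies by the address the name resolved to.
    """
    if host == "localhost" or host.endswith(".localhost"):
        return AddressSpace.LOCAL
    try:
        ip = ipaddress.ip_address(host.strip("[]"))
    except ValueError:
        return AddressSpace.PUBLIC
    if any(ip in net for net in LOCAL_NETS):
        return AddressSpace.LOCAL
    if any(ip in net for net in PRIVATE_NETS):
        return AddressSpace.PRIVATE
    return AddressSpace.PUBLIC


def pna_allows(initiator: str, target: str, target_opted_in: bool = False) -> bool:
    """True if a page hosted at `initiator` may fetch from `target`."""
    if classify(target) <= classify(initiator):
        return True          # same or more public: no PNA restriction
    return target_opted_in   # less public: only with an explicit opt-in


def pixel_scenario() -> dict[str, bool]:
    """The case from the report: a public site's script contacting the local
    listener port, evaluated under PNA. Hostnames are constructed samples."""
    return {
        "public site -> 127.0.0.1:12387": pna_allows("shop.example", "127.0.0.1"),
        "public site -> www.facebook.com": pna_allows("shop.example", "www.facebook.com"),
        "private LAN page -> 127.0.0.1": pna_allows("192.168.1.5", "127.0.0.1"),
        "localhost page -> 127.0.0.1": pna_allows("localhost", "127.0.0.1"),
    }


if __name__ == "__main__":
    for case, allowed in pixel_scenario().items():
        print(f"{'ALLOW' if allowed else 'BLOCK'}  {case}")
```

The scenario shows why PNA enforcement is the decisive mitigation: the pixel's request from a public site to `127.0.0.1` is blocked outright, while the normal request to the pixel endpoint is unaffected. A listener that wanted to be reachable would have to answer the preflight, which is an explicit, auditable opt-in rather than a silent side channel.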
## Related Tools/Techniques
- **CORS/PNA Bypass**: Techniques used to jump the boundary between public web content and private local resources.
- **Fingerprinting**: Conventional browser fingerprinting often used in tandem with this technique to ensure data accuracy.
- **SDK Tracking**: Standard mobile SDK tracking (though this technique is notably more aggressive by bypassing sandbox isolation).