Security

Massive US/Russian Election Big Tech Spy Operation Exposed by EU

Leave a comment

European security researchers have exposed a cross-platform scheme by US and Russian tech companies to secretly spy on billions of Android users worldwide.

In the disclosure released this week called “Covert Web-to-App Tracking via Localhost on Android“, researchers from European institutions revealed that Facebook/Instagram/Yandex operated covert tracking to completely bypass Android’s privacy protections.

The Smoking Port

The evidence is damning: both companies were using hidden “localhost” connections to link users’ anonymous web browsing to their real identities in mobile apps.

That means when users visited websites—even in private or anonymous browsing mode—Meta Pixel or Yandex tracking scripts would secretly communicate with the Facebook, Instagram, and Yandex apps running in the background on their phones like American/Russian spies, bypassing all privacy protections.

Meta WebRTC techniques would send the `_fbp` cookie from websites to Facebook/Instagram apps listening on UDP ports 12580-12585. Yandex used HTTP/HTTPS requests to send data to Yandex apps listening on ports 29009, 29010, 30102, and 30103. This was possible because Android doesn’t restrict localhost access, as a bridge between the web and local apps.

Scale of the Operation

  • Meta’s tracking on 5.8+ million websites
  • Yandex tracking on nearly 3 million sites
  • Likely harming billions of Android users
  • Worked even when users cleared cookies or used incognito mode

Same Violation by America and Russia

While there’s no evidence yet the American and Russian method was coordinated, both developed exploits for the same Android vulnerability. Here’s the technical evolution that shows the linked progression:

Yandex (Russia) used HTTP-based tracking since February 2017—running for 8 years undetected using obfuscated domains that resolve to localhost (yandexmetrica.com → 127.0.0.1)

Meta (US) then went through a sudden rapid evolution starting September 2024

  • HTTP requests (Sep-Oct 2024) — Same as Yandex
  • WebSocket connections (Nov 2024-Jan 2025)
  • WebRTC STUN with SDP Munging (Nov 2024-present)
  • WebRTC TURN without SDP Munging (May 2025-present)

The fact that Meta started last September with the exact same HTTP method that Russia had been using since 2017 raises obvious questions about a knowledge transfer, shared intelligence, or reverse engineering of Android vulnerabilities.

More to the point, the fact that this surveillance infrastructure was deployed just 2 months before the US Presidential election, using Russian methods, certainly raises questions about whether this was Meta again implicated in election-related surveillance and interference.

When the European researchers went public with these findings both companies immediately ceased the spying operation.

Never Leave a Meta App on Your Phone

This goes beyond privacy rights and into issues of digital sovereignty. Two countries were using private companies for surveillance operations on domestic and foreign citizens’ devices, willfully circumventing consent or disclosure during crucial US elections.

The tracking defeated every privacy protection users thought they had. Given WhatsApp’s massive European user base and end-to-end encryption promises, its omission from this operation raises questions about whether Meta was trying to maintain plausible deniability for their messaging platform while using their social media apps for covert tracking. More likely is that WhatsApp is already so compromised, it doesn’t need another backdoor.

The EU’s researchers didn’t just expose spies—both US and Russian tech giants immediately stopped covert operations after initial public exposure. A business level privacy violation would have had a completely different footprint and reaction, further suggesting this was digital espionage by private tech companies for state control or capture.

We are in discussions with Google to address a potential miscommunication regarding the application of their policies,” a Meta spokesperson told The Register. “Upon becoming aware of the concerns, we decided to pause the feature while we work with Google to resolve the issue.”

Of course Meta, a company founded on the principle of unaccountable abuse, would try to get reporters to blame Google instead of documenting criminals were committing a clear crime.

When you’re secretly listening on localhost ports to harvest browsing data, there’s no “miscommunication” about whether that violates user expectations. Localhost tracking required deliberate technical implementation through apps developed to listen on specific ports, scripts deployed to send data through those channels, and evolving the methods when detection risks increased. There was no policy misunderstanding; only intentional infrastructure for spying.

Most companies fight disclosure or defend practices as legitimate, whereas the instant shutdown suggests they knew this crossed lines… and that the US presidential elections are over.

Europe continues to prove global leadership in digital rights, where advocates and regulators protect and enhance innovation. Independent researchers forcing transparency remain the best allies to regulators, holding Big Tech accountable, because they do not fear whatever flag these corporations fly.

Related:

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.