Facebook was spying on your Galaxy phone’s web browsing since September
June 6, 2025
An international team of researchers has discovered that Facebook was secretly spying on the web browsing of Android users, including those with Samsung Galaxy phones, since last September. It only stopped when the research was made public by the team.
What’s alarming is that this covert method bypassed the privacy actions many users typically take, such as browsing in Incognito Mode or clearing cookies. It also left the door open for malicious apps to similarly spy on users’ web browsing activities.
As long as users were logged into the Facebook or Instagram apps on their phone, all browsing history could be linked to their account. This enabled Meta, Facebook’s parent company, to serve more targeted ads.
The tracking relied on Meta Pixel, an external tracking tool that’s installed on over 5.8 million websites. The pixel is installed on websites to deliver targeted ads through Meta’s apps. For example, if you browsed for a pair of shoes on a brand’s website, it can target you with their ads inside the Facebook or Instagram apps.
Meta built a system that enabled its Android apps to pull browsers’ metadata, cookies, and commands from the pixel embedded on websites. It exploited a feature that lets Android apps run a server to exchange files. The scripts would load on users’ browsers and silently connect with Meta apps on the device using localhost sockets.
This made it possible for Meta to link web browsing sessions and web cookies to user identities, as users were logged into its apps, thereby removing the anonymity for users who visit sites embedded with the Pixel. Gunes Acar, one of the researchers on the team that discovered this, highlighted that “Meta has never told this, neither to users and to owners of websites with such a tracking program.”
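The localhost-socket channel described above leaves a visible trace: an app holding a listening TCP socket that a browser script can reach over loopback. The following is an added example, not code from the researchers or from this article, that parses text in the Linux /proc/net/tcp format and reports listeners owned by Android app UIDs. The sample rows, UIDs and ports are constructed, and only IPv4 sockets are covered.

```python
import ipaddress
import struct

# Constructed sample in Linux /proc/net/tcp format (not captured from a real device).
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:9C41 00000000:0000 0A 00000000:00000000 00:00000000 00000000 10234        0 51001 1 0 0 0 0
   1: 00000000:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000 10311        0 51002 1 0 0 0 0
   2: 0100007F:13AD 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 51003 1 0 0 0 0
   3: 0100007F:C350 0100007F:9C41 01 00000000:00000000 00:00000000 00000000 10150        0 51004 1 0 0 0 0
   4: 0100007F:A8CA 00000000:0000 0A 00000000:00000000 00:00000000 00000000 1010234      0 51005 1 0 0 0 0
"""

# Android UID layout: uid = user_id * 100000 + app_id, installed apps use 10000-19999.
APP_START, APP_END, USER_OFFSET = 10000, 19999, 100000
TCP_LISTEN = "0A"


def decode_addr(hex_addr):
    """Decode 'AABBCCDD:PPPP'; the IPv4 part is a little-endian 32-bit value."""
    ip_hex, port_hex = hex_addr.split(":")
    ip = ipaddress.IPv4Address(struct.pack("<I", int(ip_hex, 16)))
    return ip, int(port_hex, 16)


def app_listeners(proc_net_tcp):
    """Return LISTEN sockets reachable over loopback that belong to app UIDs."""
    found = []
    for line in proc_net_tcp.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) < 8 or fields[3] != TCP_LISTEN:
            continue  # established connections and malformed rows are ignored
        ip, port = decode_addr(fields[1])
        # 127.0.0.0/8 is loopback-only; 0.0.0.0 also accepts loopback connections.
        if not (ip.is_loopback or ip.is_unspecified):
            continue
        uid = int(fields[7])
        user, app_id = divmod(uid, USER_OFFSET)
        if APP_START <= app_id <= APP_END:  # skip system and daemon UIDs
            found.append({"uid": uid, "user": user, "app_id": app_id,
                          "bind": str(ip), "port": port})
    return found


if __name__ == "__main__":
    for s in app_listeners(SAMPLE):
        print(f"uid={s['uid']} (user {s['user']}) listens on {s['bind']}:{s['port']}")
```

Each reported UID still has to be mapped to its package name and reviewed, since a loopback listener on its own is not proof of tracking.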
Google is understandably not pleased. “This is a flagrant violation of our security and privacy policy,” it said, adding that an update for Chrome is in the pipeline to stop this practice. App developers are required to comply with Google’s policies to have their apps on the Play Store. Meta needs to abide by these rules as well, and the company has said it’s in talks with Google over the “misunderstanding in applying Google’s policy.”
The researchers have found that Meta has almost completely removed all of the code that enabled this spying, but only after they made their findings public. It’s clearly a case of asking for forgiveness instead of permission, and a stark reminder that companies that make their bread and butter selling ads online will do everything in their power to track users through any means necessary.