Android apps regularly include third-party tracking SDKs. libraries built by advertising companies, analytics firms, and data brokers that are embedded into apps you install. The app developer may not have written any surveillance code themselves; they just included a popular analytics library that phones home to 15 different servers. This guide shows you how to find those trackers.

The scale of tracking in Android is staggering. A 2023 study of 300 popular Android apps found that 98% contain at least one tracking library. The average app contains three to four separate tracking SDKs sending data to different companies. A single app might have Google Analytics tracking usage, Facebook SDK tracking identity and behavior, Adjust tracking install sources, and Braze tracking push notification engagement, all running in parallel.

Most users have no idea this happens. The official permission system doesn’t distinguish between legitimate uses and tracking uses. An app with “read contacts” permission might legitimately need this for a messaging app, or it might be harvesting your address book for marketing profiles. The app store ratings and descriptions don’t mention tracking. Users must actively audit apps to understand what data is being collected and transmitted.

Table of Contents

• Why Trackers Matter and What They Collect
• Method 1 - Exodus Privacy. Static Analysis
• Method 2 - TrackerControl. Runtime Analysis
• Method 3 - ADB Permission Audit
• Method 4 - Network Traffic Capture
• Method 5 - ClassyShark3xodus. On-Device Static Analysis
• Interpreting Results - What to Do About Trackers
• Removing and Blocking Identified Trackers
• Building Your Own Tracker Detection Workflow
• Related Reading

Why Trackers Matter and What They Collect

Before auditing trackers, understand what they actually do with your data. Different trackers collect different information and serve different purposes.

Advertising networks (Google AdMob, Facebook Audience Network, AppLovin) collect device identifiers, browsing behavior, app usage patterns, and location data. This enables targeted advertising across apps and websites. The information builds profiles used for ad targeting, but individual data points are rarely sold directly, profiles are sold as demographic/behavioral segments.

Analytics services (Firebase, Mixpanel, Amplitude) collect event data about app usage, which features you click, how long you spend in different sections, when you open/close the app. This helps developers understand user behavior but also creates detailed usage patterns that reveal what matters to you.

Install attribution trackers (Adjust, AppsFlyer, Kochava) identify which marketing campaign convinced you to install an app. These trackers follow you across apps, correlating installs with ad exposure to measure marketing effectiveness. This creates cross-app tracking that links your devices and behavioral profiles across services.

Crash reporting (Firebase Crashlytics, Sentry) collects diagnostic data when apps crash. This includes device models, OS versions, and crash details. While less egregious than advertising tracking, it still exfiltrates device fingerprints.

Push notification services (Firebase Cloud Messaging, Braze) collect data about when you receive notifications and whether you click them. This creates engagement metrics used to optimize notification timing and content, they’re learning your notification responsiveness.

The cumulative effect - most popular apps track you through multiple services simultaneously. A single app might be sending device fingerprints to Facebook, usage events to Firebase, install source to Adjust, and crash data to Crashlytics. The intersection of these datasets creates detailed profiles of your technology usage.

Method 1 - Exodus Privacy. Static Analysis

Exodus Privacy (exodus-privacy.eu.org) maintains a database of known Android tracking SDKs. Their scanner analyzes APK files without running them and identifies embedded trackers by matching code signatures.

Web interface

1. Go to reports.exodus-privacy.eu.org
2. Search for any app by package name (e.g., com.instagram.android)
3. The report shows:
   • List of identified trackers with descriptions
   • All permissions requested by the app
   • Network endpoints the app can contact

This is the fastest way to check a specific app before installing it.

Command-line with exodus-standalone

Install
pip3 install exodus-standalone

Download an APK (use APKPure, APKMirror, or extract from device)
Or extract from a device already running the app:
adb shell pm path com.example.app
Returns - package:/data/app/com.example.app-1/base.apk

adb pull /data/app/com.example.app-1/base.apk

Analyze
exodus-standalone -i base.apk

Output shows trackers, permissions, and URLs

Method 2 - TrackerControl. Runtime Analysis

TrackerControl is an Android app that monitors all network traffic from every installed app in real time, without rooting your device. It works by creating a local VPN that routes all traffic through itself for inspection.

Install from F-Droid (strongly preferred over Play Store for this privacy tool): https://f-droid.org/packages/net.kollnig.missioncontrol.fdroid/

Once running:

• Open TrackerControl → Apps tab → select any app → tap to see active tracking domains
• Sort by “Trackers” to see which apps have the most tracker connections
• Tap any tracker to see which company owns it and what data they collect

TrackerControl blocks trackers at the network level. you can toggle blocking per app or per tracker.

What TrackerControl reveals

After running for 24-48 hours, check the “Activity” tab. You’ll typically find:

• Google Analytics/Firebase. nearly universal; collects usage events
• Facebook SDK. sends device fingerprint and app events to Facebook even if you’re not logged in
• Adjust, AppsFlyer, Kochava. install attribution trackers that link your device identity across apps
• Braze. push notification and analytics platform with persistent device IDs
• Crashlytics. crash reporting (lower risk, but still exfiltrates data)

Method 3 - ADB Permission Audit

ADB (Android Debug Bridge) lets you inspect what permissions each app has been granted, including permissions the app holds but doesn’t display in its own settings:

Enable USB debugging on your Android device:
Settings → Developer Options → USB Debugging

Connect via USB and verify connection
adb devices

List all packages with their permissions
adb shell pm list permissions -g -f > all_permissions.txt

Check permissions for a specific package
adb shell dumpsys package com.example.app | grep "permission"

Find apps with dangerous permissions
adb shell pm list packages -f > packages.txt

Check which apps have location permission
adb shell pm list permissions -d | grep -i location

More targeted. find all apps with access to location, contacts, or microphone:

Location-granted apps
adb shell appops query-op android:coarse_location allow
adb shell appops query-op android:fine_location allow

Microphone access
adb shell appops query-op android:record_audio allow

Background location (apps that can track you when not in use)
adb shell dumpsys location | grep "background"

Method 4 - Network Traffic Capture

The most thorough method is capturing network traffic from the phone itself. This shows you actual data being transmitted, not just potential capability.

Using netcapture / PCAPdroid (no root required)

Install PCAPdroid from F-Droid: https://f-droid.org/packages/com.emanuelef.remote_capture/

PCAPdroid captures network traffic using the same local VPN technique as TrackerControl. After capturing, you can:

• Export as PCAP and analyze in Wireshark on your PC
• View connections in-app with app-to-destination mapping
• See payload sizes and transmission frequency

Transfer PCAP from phone to PC
adb pull /storage/emulated/0/PCAPdroid/captures/capture.pcap .

Analyze in tshark
tshark -r capture.pcap -T fields -e ip.dst -e dns.qry.name | sort -u

Analyzing the captured traffic

Look for:

• Connections to known tracking domains (compare against disconnect.me’s tracking protection list)
• Large POST requests immediately after app launch (initial device fingerprint submission)
• Periodic background connections (beacon pings every few minutes)
• Connections to unusual TLDs or random-looking subdomains (may indicate obfuscated tracking)

Download disconnect.me tracker list
curl -O https://raw.githubusercontent.com/nicktacular/dnscrypt-disconnect-me-trackers/master/domains.txt

Cross-reference captured domains
tshark -r capture.pcap -T fields -e dns.qry.name | sort -u > captured_domains.txt
comm -12 <(sort domains.txt) <(sort captured_domains.txt)

Method 5 - ClassyShark3xodus. On-Device Static Analysis

ClassyShark3xodus is an Android app that scans APKs installed on your device and reports embedded trackers, similar to Exodus but running locally:

Available on F-Droid - https://f-droid.org/packages/com.oF2pks.classyshark3xodus/

Launch it, point it at any installed app, and it generates a report of found trackers using the Exodus database. all without sending the APK to a remote server.

Interpreting Results - What to Do About Trackers

Not all trackers are equally bad. A rough hierarchy:

High concern:

• Facebook SDK in an app you don’t associate with your Facebook identity
• Location trackers in apps with no legitimate location need
• Advertising ID collectors in apps marketed as “privacy tools”

Medium concern:

• General analytics (Firebase, Amplitude). collects usage patterns, rarely identifiable PII
• Crash reporters (Crashlytics, Sentry). useful to developers, sends device info on crashes

Lower concern:

• Performance monitoring that stays within the app’s own domain

Actions to take:

Reset your Advertising ID (limits cross-app tracking correlation)
Settings → Google → Ads → Reset advertising ID

For Android 12+ - opt out entirely
Settings → Privacy → Ads → Delete advertising ID

Revoke permissions for apps that don't need them
adb shell pm revoke com.example.app android.permission.ACCESS_FINE_LOCATION

For apps you can't uninstall (system apps), disable them
adb shell pm disable-user --user 0 com.google.android.gms.ads

Removing and Blocking Identified Trackers

Once you’ve identified problematic trackers, take action. For apps you own (installed from your account), you can uninstall them. For apps you don’t own or system apps you can’t remove, disable them using ADB:

Disable system apps that contain trackers
adb shell pm disable-user --user 0 com.google.android.gms.ads
adb shell pm disable-user --user 0 com.facebook.system

Some apps are dependencies; disabling them may break other apps
Test before disabling critical system apps

Use TrackerControl’s blocking features to prevent network access to known tracker endpoints without removing the app. This approach maintains app functionality while preventing data exfiltration.

For sensitive apps (banking, messaging, health), prioritize uninstallation if they contain unexpected trackers. The apps exist to serve you; if they’re simultaneously serving marketing interests at your expense, the trust foundation breaks.

Building Your Own Tracker Detection Workflow

Combine these methods into a systematic approach you run monthly:

1. Run Exodus Privacy against your most important installed apps
2. Check TrackerControl for new tracker domains appearing in activity
3. Use ADB to audit permissions quarterly, focusing on sensitive permissions like location
4. Export PCAPdroid captures if you suspect specific apps of malicious behavior
5. Document findings in a spreadsheet tracking which apps contain which trackers
6. Uninstall apps with unexplained trackers or remove permissions as the first step
7. Re-audit after 30 days to verify trackers are actually blocked

For developers shipping Android apps, this detection methodology reflects what security researchers and privacy advocates will use to evaluate your app. If you’re embedding advertising or analytics SDKs, they’ll be detected. If you’re requesting excessive permissions, they’ll be audited. Building with privacy in mind, minimal dependencies, limited permissions, clear privacy policies, results in apps that pass scrutiny rather than generating negative reviews about tracking.

Related Articles

• Android App Permissions Audit Guide 2026
• Privacy Risks of Period Tracking Apps 2026
• Android Privacy Dashboard How To Use It To Audit App Access
• How to Audit Android App Permissions Privacy Guide 2026
• iOS App Tracking Transparency Explained 2026
• AI Coding Assistant Session Data Lifecycle Built by theluckystrike. More at zovo.one

Frequently Asked Questions

How long does it take to detect hidden trackers in android?

For a straightforward setup, expect 30 minutes to 2 hours depending on your familiarity with the tools involved. Complex configurations with custom requirements may take longer. Having your credentials and environment ready before starting saves significant time.

What are the most common mistakes to avoid?

The most frequent issues are skipping prerequisite steps, using outdated package versions, and not reading error messages carefully. Follow the steps in order, verify each one works before moving on, and check the official documentation if something behaves unexpectedly.

Do I need prior experience to follow this guide?

Basic familiarity with the relevant tools and command line is helpful but not strictly required. Each step is explained with context. If you get stuck, the official documentation for each tool covers fundamentals that may fill in knowledge gaps.

Is this approach secure enough for production?

The patterns shown here follow standard practices, but production deployments need additional hardening. Add rate limiting, input validation, proper secret management, and monitoring before going live. Consider a security review if your application handles sensitive user data.

Where can I get help if I run into issues?

Start with the official documentation for each tool mentioned. Stack Overflow and GitHub Issues are good next steps for specific error messages. Community forums and Discord servers for the relevant tools often have active members who can help with setup problems.