Android phones ship with tracking turned on from the first boot. Pre-installed Google services quietly log identifiers, send telemetry and connect to advertising networks before users open a single app. A free tool from a French nonprofit now puts hard numbers on that activity. It scans every installed application and lists the trackers embedded inside.
The app is called Exodus. Developed by Exodus Privacy, it pulls reports from a public database of more than 50,000 analyzed Android packages. Results appear in seconds. One popular weather app might contain five trackers. A fitness program could phone home to three analytics firms. The numbers surprise even experienced users.
Short. Direct. And sobering.
But the story runs deeper. A March 2025 study from Trinity College Dublin found Google Play Services and the Play Store store advertising cookies and device identifiers with no consent and no opt-out. Tracking begins the moment the device powers on. Researchers Doug Leith and others documented the behavior in a paper that Google has not publicly disputed in detail. Forbes reported the findings.
So users face two problems at once. System-level collection from Google. And third-party trackers baked into the apps they choose to install. Exodus makes both visible.
The tool works without sending any data from the phone. It compares installed apps against the Exodus database, which security researchers update through static analysis. Trackers include Google Firebase Analytics, Facebook Login, Adjust, AppsFlyer, Crashlytics and dozens more. Each entry links to a profile explaining what data the tracker typically collects and where it sends the information.
One recent analysis of popular apps showed social media titles averaging eight trackers each. Shopping apps often contain six. Even some banking applications include analytics libraries that transmit usage patterns. The data adds up. Devices on default settings transmit 12 to 20 megabytes of telemetry daily, according to 2025 measurements cited in privacy guides.
And the practice continues. In January 2026, Help Net Security highlighted TrackerControl, another open-source Android application that monitors network traffic locally and blocks unwanted connections. Unlike Exodus, which focuses on static detection of embedded libraries, TrackerControl watches live behavior. The two tools complement each other. Help Net Security described its local analysis approach.
Google’s own privacy improvements have limits.
Android 16 and 17 introduced temporary location permissions, permission auto-reset for unused apps and better indicators when location is accessed. Google also promised to restrict cross-app tracking over several years. Yet default settings still favor data collection. Ad personalization remains enabled unless users manually disable it. Location history prompts appear during initial setup.
Researchers point out the tension. Google touts new AI-powered threat detection and biometric requirements for lost devices. At the same time its core services embed identifiers that feed advertising systems. The Trinity College paper noted that Play Services and the Play Store silently store data even if users never launch those apps.
Exodus Privacy operates as a nonprofit. Its database remains open. The organization publishes regular reports and maintains a website where anyone can look up an app before installation. The mobile client simply brings that information to the device in a clean list. No account required. No data leaves the phone.
Users who run the app often discover surprises. A flashlight application with three trackers. A note-taking tool phoning home to a Chinese analytics firm. Games packed with ad networks that rebuild user profiles across titles. The reports also show permissions requested. Many apps ask for contacts, microphone access or precise location when those capabilities have little to do with core functions.
But knowledge alone changes little. The real power comes when users act on the information. They can uninstall high-tracker apps. They can seek alternatives listed in privacy communities. Or they can install tools that block connections at the network level. TrackerControl, available on F-Droid and GitHub, lets users create rules that stop traffic to known tracker domains without routing data through external servers.
Industry observers note the shift. Apple forced apps to ask for tracking permission starting with iOS 14. Google has moved more slowly. Its Privacy Sandbox project on Android aims to replace the advertising ID with privacy-preserving mechanisms. Progress has been incremental. In the meantime millions of users remain unaware how much leaves their devices.
Recent coverage reinforces the pattern. A PCMag article examined 20 popular apps and found many collect far more personal data than necessary. Games such as Candy Crush Saga and Roblox appeared on the list alongside social media giants. Meta applications shared the highest percentage of data with third parties. PCMag laid out the numbers.
Google’s May 2026 security blog highlighted new live threat detection and temporary precise location sharing. These features help. They do not address the baseline telemetry or the trackers inside third-party code. Android 17 will add dynamic signal monitoring and improved location transparency. Useful additions. Still reactive.
The Exodus app itself practices what it preaches. It contains no trackers. The organization funds its work through donations and grants. Its reports have been cited in academic papers and regulatory filings. European privacy advocates use the database to pressure developers to remove unnecessary libraries.
So what should informed users do? Run Exodus first. Review the tracker count for every regularly used app. Cross-check with TrackerControl for live behavior. Disable ad personalization in Google settings. Reset the advertising ID. Turn off location history. Use the Privacy Dashboard to monitor permission access. Consider sideloading privacy-focused alternatives from F-Droid.
None of this eliminates risk completely. The modern Android experience depends on Google services. Yet visibility changes the equation. When users see the exact libraries reaching out to Facebook, Google, Adjust or Unity, they make sharper decisions.
The data trail starts the instant the phone turns on. It grows with every app installed. Tools like Exodus and TrackerControl hand control back. They won’t make headlines like flashy AI features. Their value lies in quiet, precise information. For professionals who manage fleets of devices, advise executives or simply value their own data, that information proves decisive.
Tracking will not disappear. The business model depends on it. But informed users can reduce the volume, limit the scope and choose apps that respect boundaries. One free scanner makes the invisible visible. The rest is up to the person holding the phone.


WebProNews is an iEntry Publication