Beware, Android owners: Deleted data may not be gone

If you are selling or giving away an Android phone, beware — your personal data may still be on the device, even if you tried to delete it.

From devices purchased on eBay, researchers from security company Avast were able to recover thousands of photographs, hundreds of email and text messages and even a completed loan application. The researchers were able to restore those files despite the fact that the previous owners of the devices had used the factory reset or “delete all” feature that’s built into most Android phones.

“The amount of personal data we retrieved from the phones was astounding,” said Jude McColgan, Avast’s president of mobile software, in a statement.

As part of their report, Avast researchers purchased 20 phones off eBay. Using what the company said was “readily available recovery software,” the researchers were able to recover some 40,000 photos, including about 250 selfies of nude men; some 1,500 family photos that included children; more than 750 email and text messages; and 250 address book entries. They were also able to uncover the identities of four of the previous owners.

In its press release, Avast noted that on any given day, some 80,000 used smartphones are for sale on eBay.

“Along with their phones, consumers may not realize they are selling their memories and their identities,” said McColgan. “Selling your used phone is a good way to make a little extra money, but it’s potentially a bad way to protect your privacy.”

While alarming, the report wasn’t entirely altruistic. Avast is touting its own Android security software as a way of protecting owners’ privacy when they get rid of their phones. The company’s free Anti-Theft app completely overwrites deleted files on the device, making them much more difficult to recover.

Android users can also better protect themselves by turning on the encryption feature that’s built into Android. That feature, which is turned off by default, will encode all the data on the device and protect it with a passcode.

H/T to Cnet.

Photo of Samsung’s Galaxy S 5 phone, courtesy of Samsung.



  • JJ

    This is no different than computer hard disks, even after a ‘format’ and re-install of the operating system, most of the original file data is still on the drive, just unlinked, unless you do a massively slow full format that overwrites the whole drive with zeros and can take 12 hours or longer on a modern large drive.

  • Kaspersky Lab

    @JJ – that’s a good option. Nicolas Brulez, Principal Security Researcher at Kaspersky Lab also suggests that users can do the following if no data encryption is available: reset the phone once and then use the camera to record the roof for instance until the phone runs out of space (or fill the phone memory and SD-card with arbitrary data – e.g. install any games, programs, upload a movie to the SD-card). Make sure that new data is stored at the same location where the data you removed before was. It will overwrite all your previous data. Then reset it again. OR to wipe your SD separately, you can also use a USB card reader to mount the SD card as a drive, and securely wipe it with one of the free software solutions – e.g. CCleaner with a “Driver wiper” tool included.
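
The fill-then-reset step described in the comment above, as an added example that is not part of the article or of either comment: a Python sketch that fills the free space of an SD card mounted through a USB reader with random data and then deletes the fill files. The function name, the `mount_dir` argument and the `limit_bytes` cap are hypothetical names chosen for this example.

```python
import errno
import os
import tempfile

CHUNK = 1024 * 1024          # 1 MiB of random data per write
FILE_SIZE = 256 * CHUNK      # stay far below the 4 GiB FAT32 file-size limit


def fill_free_space(mount_dir, limit_bytes=None, file_size=FILE_SIZE):
    """Fill free space under mount_dir with random data, then delete it.

    Returns bytes written. limit_bytes is a cap for dry runs; None means
    keep writing until the file system reports it is full (ENOSPC).
    """
    written, fill_files, full = 0, [], False
    try:
        while not full and (limit_bytes is None or written < limit_bytes):
            try:
                fd, name = tempfile.mkstemp(prefix="fill_", dir=mount_dir)
            except OSError as exc:
                if exc.errno != errno.ENOSPC:
                    raise
                break                      # no room left even for a new file
            fill_files.append(name)
            in_file = 0
            # buffering=0 sends every write straight to the OS, so a full
            # device shows up as a short write or ENOSPC, not at close().
            with os.fdopen(fd, "wb", buffering=0) as fh:
                while in_file < file_size and not full:
                    size = CHUNK if limit_bytes is None else min(CHUNK, limit_bytes - written)
                    if size <= 0:
                        break
                    try:
                        n = fh.write(os.urandom(size))
                    except OSError as exc:
                        if exc.errno != errno.ENOSPC:
                            raise
                        n = 0
                    if not n:
                        full = True        # file system is full
                    else:
                        written += n
                        in_file += n
                os.fsync(fh.fileno())      # push the data to the card
    finally:
        for name in fill_files:            # free the space again
            os.remove(name)
    return written
```

On flash media, wear levelling and spare blocks mean a fill pass cannot guarantee that every physical cell is overwritten, which is why the encryption setting mentioned in the article is the stronger control.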