Android smartphone reset doesn't wipe your personal info — including any nude selfies

Summary: Businesses beware — Avast says vast amounts of personal data and photos can be recovered from second-hand Android smartphones even after users have reset them to factory condition.


Avast bought 20 Android smartphones on eBay in the US to see if its staff could recover data from "wiped" smartphones, including those reset to factory condition.

It turns out that they could.


The security company recovered more than 40,000 photos, 750 emails and texts, 250 names and addresses, the identities of four previous owners, and a completed loan application, among other things.

The photos included "more than 750 photos of women in various stages of undress" and "more than 250 selfies of what appear to be the previous owner's manhood", according to Avast's president of mobile, Jude McColgan.

"Images, emails, and other documents deleted from phones can be exploited for identity theft, blackmail, or for even stalking purposes," McColgan said in a press release. "Selling your used phone is a good way to make a little extra money, but it’s potentially a bad way to protect your privacy."

With large numbers of Android phones now used by businesses, the same weakness is a threat to company data, which nowadays may well include banking data.

There were many similar exercises in a previous century, when companies recovered data from PCs that had been scrapped but not properly wiped. Many or perhaps most businesses are now aware that deleting a file on a PC only removes the filesystem's record of it, leaving the contents on the disk until something overwrites them, and that it is necessary to overwrite a hard drive to make its data very difficult if not impossible to recover. The same now applies to Android phones: on the evidence of Avast's exercise, a factory reset clears the phone's bookkeeping but leaves the underlying contents in place.

At the moment, relatively few people are familiar with the sort of forensic software that can recover data from reset phones. Examples include the Oxygen Forensic Suite and AccessData's Forensic Toolkit (FTK), which work from a raw image of the device's storage rather than through the files the operating system still lists. However, this is likely to change as more users need to recover data that they have deleted by accident.
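As an added illustration, not code from the article, from Avast or from any of the tools named above, the toy model below shows why a reset of this kind leaves data recoverable. It keeps a flat "flash" image and a separate file index, then compares three ways of disposing of a photo: a factory reset that only forgets the index, an overwriting wipe of the kind the article's "thorough wipe" refers to, and, going one step beyond the article, encrypting the data and destroying the key. A simple file carver, the technique forensic suites use to find files by their headers without consulting the filesystem, is run over the image after each. The block size, file name, photo bytes and the SHA-256 keystream standing in for a real cipher are all constructed for the example.

```python
"""Toy model of what the Avast exercise exploited: a 'factory reset' that only
forgets the filesystem index, versus a wipe that overwrites the flash, versus
encrypt-then-destroy-the-key. Everything here (block size, file name, the
'photo' bytes, the keystream cipher) is constructed for the example and is
not a real device, filesystem or app."""
import hashlib

BLOCK = 256                 # bytes per block; constructed, not a real geometry
JPEG_SOI = b"\xff\xd8\xff"  # JPEG start-of-image marker a carver looks for
JPEG_EOI = b"\xff\xd9"      # JPEG end-of-image marker


def make_jpeg(body: bytes) -> bytes:
    """Build a fake JPEG: real markers around a printable-ASCII body, so the
    body can never contain a stray marker and confuse the carver."""
    if not all(0x20 <= b < 0x7F for b in body):
        raise ValueError("body must be printable ASCII")
    return JPEG_SOI + body + JPEG_EOI


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Stand-in for the AES a real device would use: a counter-mode keystream
    derived with SHA-256. XOR is symmetric, so one call encrypts and decrypts."""
    out = bytearray()
    for counter in range(0, len(data), 32):
        block = hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        chunk = data[counter:counter + 32]
        out += bytes(a ^ b for a, b in zip(chunk, block))
    return bytes(out)


class ToyFlash:
    """A flat byte array of blocks plus a separate index (the 'filesystem').
    Files are allocated to consecutive free blocks so a carver sees them whole."""

    def __init__(self, blocks: int = 16):
        self.data = bytearray(BLOCK * blocks)
        self.index = {}                          # file name -> [block numbers]
        self.free = list(range(blocks))

    def write(self, name: str, payload: bytes) -> None:
        nblocks = -(-len(payload) // BLOCK)      # ceiling division
        used, self.free = self.free[:nblocks], self.free[nblocks:]
        for i, blk in enumerate(used):
            chunk = payload[i * BLOCK:(i + 1) * BLOCK]
            self.data[blk * BLOCK:blk * BLOCK + len(chunk)] = chunk
        self.index[name] = used

    def factory_reset(self) -> None:
        """The behaviour the article reports: forget the index and mark every
        block free, but leave the block contents exactly where they were."""
        self.index.clear()
        self.free = list(range(len(self.data) // BLOCK))

    def thorough_wipe(self) -> None:
        """An overwriting wipe: reset, then overwrite every block (zero fill
        here; a pattern or random fill serves the same purpose)."""
        self.factory_reset()
        self.data[:] = bytes(len(self.data))


def carve_jpegs(image) -> list:
    """File carving: scan the raw image for SOI...EOI pairs, ignoring the index.
    This is the technique, not the code, of tools such as FTK or Oxygen."""
    found, pos = [], 0
    while (start := image.find(JPEG_SOI, pos)) >= 0:
        end = image.find(JPEG_EOI, start + len(JPEG_SOI))
        if end < 0:
            break
        found.append(bytes(image[start:end + len(JPEG_EOI)]))
        pos = end + len(JPEG_EOI)
    return found


def run_scenarios() -> dict:
    """Return how many carved objects equal the original photo after each method."""
    photo = make_jpeg(b"constructed photo body, definitely not for resale " * 3)
    results = {}

    flash = ToyFlash()
    flash.write("DCIM/IMG_0001.jpg", photo)
    flash.factory_reset()
    results["factory_reset"] = carve_jpegs(flash.data).count(photo)

    flash = ToyFlash()
    flash.write("DCIM/IMG_0001.jpg", photo)
    flash.thorough_wipe()
    results["thorough_wipe"] = carve_jpegs(flash.data).count(photo)

    # Crypto-erase: only ciphertext ever reaches the flash; 'wiping' is
    # destroying the one copy of the key (a constructed key, not a real one).
    key = hashlib.sha256(b"constructed device key").digest()
    flash = ToyFlash()
    flash.write("DCIM/IMG_0001.jpg", keystream_xor(key, photo))
    stored = bytes(flash.data[:len(photo)])
    results["decrypts_with_key"] = keystream_xor(key, stored) == photo
    del key                                      # the only copy of the key is gone
    flash.factory_reset()
    results["crypto_erase"] = carve_jpegs(flash.data).count(photo)
    return results


if __name__ == "__main__":
    for method, outcome in run_scenarios().items():
        print(f"{method:18} -> {outcome}")
```

Run it and the carver finds the intact photo after the reset, nothing after the zero fill, and only ciphertext after the key is destroyed. One caveat the toy cannot show: real flash storage does wear levelling behind a controller, so an overwrite issued from an app may not touch every physical page that once held the data. Overwriting raises the bar; encrypting the device from first use and discarding the key is what makes whatever bytes remain worthless.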

Avast has a vested interest in the topic, because its portfolio of security software includes programs for Android phones. However, in this case, Avast's suggested solution — its Anti-Theft app — is free on Google Play.

Avast advises users to install its Anti-Theft app "and then use the thorough wipe feature to permanently delete and overwrite all files on the device, thus making personal data irretrievable". This stealth app also enables users to remotely lock or wipe a stolen phone, but you need the paid-for version ($1.99 a month or $14.99 a year) to retrieve personal data before wiping it.

There are several alternative apps that will wipe an Android mobile phone. These include Nuke My Phone, Cerberus anti theft, and the premium version of GFI's Vipre Mobile.

In an earlier experiment, in 2012, McAfee's Robert Siciliano bought 30 devices on Craigslist and found that BlackBerry and Apple iOS devices deleted data effectively when users followed the manufacturer's directions to restore the factory settings. He recommended not reselling Android smartphones and PCs running Windows XP.

"Put it in the back of a closet, or put it in a vice and drill holes in the hard drive, or if you live in Texas take it out into a field and shoot it," he told the LA Times. "You don't want to sell your identity for 50 bucks."


Topics: Smartphones, Security

Jack Schofield

About Jack Schofield

Jack Schofield spent the 1970s editing photography magazines before becoming editor of an early UK computer magazine, Practical Computing. In 1983, he started writing a weekly computer column for the Guardian, and joined the staff to launch the newspaper's weekly computer supplement in 1985. This section launched the Guardian’s first website and, in 2001, its first real blog. When the printed section was dropped after 25 years and a couple of reincarnations, he felt it was a time for a change....



  • Broken platform full of security holes...

    Android must not be allowed in a 5 mile radius of any enterprise.
    • Hear hear!

      Hear hear! And don't even think about letting iPhones in. Heck, that thing can get compromised just by having a network connection! No smartphones for businesses!
    • Sounds like another way of saying... should be a criminal offense to carry an Android device anywhere (there aren't many populated areas that are more than five miles from a commercial establishment). I don't think this one will pass.
      John L. Ries
    • Do some research on SSDs in general

      Since flash memory is flash memory despite the brand name attached.

      And stop acting trollish. This is far more than just an Android issue.

      After all, it's harder to root certain Android phones, whereas iOS and "alpine" or "dottie" are ubiquitous, as well as plain text/non-encrypted data...

      Pot, meet kettle.
    • Owls never sleep

      Seems that Owls never sleep. I suppose Owls use WP8 for higher security. No one steals them, or reuses them, and thus higher security. We get it ;)
    • Fowlnet must never be within 5 miles of a valid logical argument!

      but it hasn't happened yet so I'm guessing it never will.
  • It makes sense, I suppose

    Google makes its money from your personal data, so they are great at collecting it.

    It's just that they haven't learned how to get rid of it, as they never had any desire to do so.
    • my guess is

      Avast used the same trick that allows people to read data from a formatted SD card. Just because you delete/format something doesn't mean there's no way to recover it.
    • Microsoft have been trying to.

      MS have tried long and hard to make money from advertising and personal data. They just can't get enough people to use their search engine, so it isn't turning a profit for them, but they keep trying. Does it make them any better than any of the others in that regard? Let's remember that they are twice-convicted predatory monopolists, shall we? Thinking about the rights of others has been something they have been penalised billions of dollars for NOT doing.
  • If you have data you don't want others to recover... it's always best to wipe the files yourself.
    John L. Ries
    • Good reminder to install a wipe utility

      I'm going to try out SecureWipe. Runs no ads and the only permissions demanded are "modify or delete the contents of your USB storage", and "test access to protected storage".

      I have enough apps that want access to my contact list, thank you.
      John L. Ries
    • So you say the obvious but lack the actual details

      Meaning you don't know?

      You can delete files, and wipe a HDD, but if you knew anything about flash memory or SSDs, you wouldn't indiscriminately use a drive partition eraser because flash ROM doesn't work the same way... to say the very least.
  • Ya But,

    IT'S FREE!


  • Should be encrypted

    All the data on the phone should be encrypted so it really doesn't matter if it's wiped completely. Once that key is removed, it shouldn't even be bootable without a new key and install.
    Buster Friendly
    • +1

      I don't know about the others, but that's how iOS works

      All data stored on solid state memory should be encrypted.
      • It's BIOS level

        It's a BIOS level thing and not an OS thing. The first one I used that did it was a Blackberry.
        Buster Friendly
      • WP too

        Another thing Microsoft did well was to follow the Apple model there. WP is encrypted with BitLocker out of the box. Of course, like the iPhone, if you don't at least PIN-lock the phone then the storage encryption is useless.
    • iPhone encrypts by default; it's an option with Android (& BlackBerry, etc)

      So encrypt your device.
  • sounds more like they did an image dump of the flash.

    bypassing all the file services provided.

    A "delete all" is not the same thing as a wipe.