Android smartphone reset doesn't wipe your personal info — including any nude selfies

Summary:Businesses beware — Avast says vast amounts of personal data and photos can be recovered from second-hand Android smartphones even if users have re-set them to factory condition.

Avast bought 20 Android smartphones on eBay in the US to see if its staff could recover data from "wiped" smartphones, including those reset to factory condition.

It turns out that they could.

ZDNet--Avast_finds- (200 x 257)

The security company recovered more than 40,000 photos, 750 emails and texts, 250 names and addresses, the identities of four previous owners, and a completed loan application, among other things.

The photos included "more than 750 photos of women in various stages of undress" and "more than 250 selfies of what appear to be the previous owner's manhood", according to Avast's president of mobile, Jude McColgan.

"Images, emails, and other documents deleted from phones can be exploited for identity theft, blackmail, or for even stalking purposes," McColgan said in a press release. "Selling your used phone is a good way to make a little extra money, but it’s potentially a bad way to protect your privacy."

With large numbers of Android phones now used by businesses, it's also a threat to company data. Nowadays, this may well include banking data.

There were many similar exercises in a previous century, where companies recovered data from PCs that had been scrapped but not properly wiped. Many or perhaps most businesses are now aware that deleted files on PCs are not securely deleted and that it's necessary to overwrite hard drives to make data very difficult if not impossible to recover. The same thing now applies to Android phones.

At the moment, relatively few people are familiar with the sort of forensic software that can recover data from reset phones. Examples include the Oxygen Forensic Suite and AccessData's Forensic Toolkit (FTK). However, this is likely to change as more users need to recover data that they have deleted by accident.

Avast has a vested interest in the topic, because its portfolio of security software includes programs for Android phones. However, in this case, Avast's suggested solution — its Anti-Theft app — is free on Google Play.

Avast advises users to install its Anti-Theft app "and then use the thorough wipe feature to permanently delete and overwrite all files on the device, thus making personal data irretrievable". This stealth app also enables users to remotely lock or wipe a stolen phone, but you need the paid-for version ($1.99 a month or $14.99 a year) to retrieve personal data before wiping it.

There are several alternative apps that will wipe an Android mobile phone. These include Nuke My Phone, Cerberus anti theft, and the premium version of GFI's Vipre Mobile.

In an earlier experiment, in 2012, McAfee's Robert Siciliano bought 30 devices on Craigslist and found that BlackBerry and Apple iOS devices deleted data effectively when users followed the manufacturer's directions to restore the factory settings. He recommended not reselling Android smartphones and PCs running Windows XP.

"Put it in the back of a closet, or put it in a vice and drill holes in the hard drive, or if you live in Texas take it out into a field and shoot it," he told the LA Times. "You don't want to sell your identity for 50 bucks."

Read more on Android

Topics: Smartphones, Security

About

Jack Schofield spent the 1970s editing photography magazines before becoming editor of an early UK computer magazine, Practical Computing. In 1983, he started writing a weekly computer column for the Guardian, and joined the staff to launch the newspaper's weekly computer supplement in 1985. This section launched the Guardian’s first webs... Full Bio

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Related Stories

The best of ZDNet, delivered

You have been successfully signed up. To sign up for more newsletters or to manage your account, visit the Newsletter Subscription Center.
Subscription failed.