Nude pics, other data, recovered from 'wiped' Android phones purchased on eBay

Researchers purchased "wiped" Android smartphones on eBay, but were still able to restore the personal data.

Restoring Android smartphones to default, or erasing the memory, will not stop attackers from recovering personal information and possibly using it for nefarious purposes, AVAST researchers found after purchasing 20 "wiped" devices on eBay and digging up, altogether, more than 40,000 individual bits of data.

Although there was some overlap, AVAST purchased a variety of devices, including the HTC One X for AT&T, HTC EVO 4G, HTC ThunderBolt ADR6400L for Verizon, HTC Sensation 4G, Samsung Galaxy S2 from Sprint, Samsung Galaxy S3, Samsung Galaxy S4 for AT&T, LG Optimus L9 P769, and Motorola Droid RAZR MAXX XT912.

From all of those devices, more than 40,000 photographs were recovered, according to a Tuesday post. More than 1,500 pictures were family photos of children, more than 750 were nude photos of women, and more than 250 were “selfies” of male genitals presumably taken by the previous owner.

Additionally, more than a thousand Google searches, more than 750 emails and text messages, more than 250 contact names and email addresses, and four identities of previous owners were also recovered, as well as a completed loan application.

No business data or company information was recovered, Jaromír Hořejší, malware analyst with AVAST, told SCMagazine.com in a Tuesday email correspondence.

“We recovered some compromising photos, which may cause significant problems and embarrassment [if] someone published them or used [them] for blackmailing,” Hořejší said. “If some recovered documents contained, for example, passwords, it then may of course lead to identity theft.”

Sensitive information can be recovered from Android smartphones because deleting a file the “regular way” only results in a reference to the file being deleted and the area being marked as free, Hořejší said. In actuality, the entire file just remains where it is until overwritten by something else.

“In a nutshell, first we rooted all the phones, then we cloned 'data' or 'userdata' partitions, then we searched for known patterns and file format signatures, [such as] pictures, databases, coordinates, [and] Facebook chats,” Hořejší said. “All interesting data was recovered from 'data' or 'userdata' partitions. Sometimes the data was stored on the external memory card.”
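The behaviour described in the two paragraphs above, as an added example (not AVAST's tooling and not code from the article): a constructed toy volume shows that a regular delete leaves a file's bytes in place, and that a signature scan of the raw data still finds them until they are overwritten. `ToyVolume`, `find_signatures` and the file contents used with them are hypothetical names and constructed data; the magic numbers are the standard JPEG, PNG and SQLite headers.

```python
import io

# Well-known file-format magic numbers to look for in the raw bytes.
SIGNATURES = {
    "jpeg": b"\xff\xd8\xff",
    "png": b"\x89PNG\r\n\x1a\n",
    "sqlite": b"SQLite format 3\x00",
}

def find_signatures(stream, chunk_size=1 << 20):
    """Return {format: [absolute offsets]} for each signature in a raw image."""
    hits = {name: [] for name in SIGNATURES}
    overlap = max(len(m) for m in SIGNATURES.values()) - 1
    tail, base = b"", 0  # base is the absolute offset of buf[0]
    while chunk := stream.read(chunk_size):
        buf = tail + chunk  # keep an overlap so matches spanning chunks are seen
        for name, magic in SIGNATURES.items():
            pos = buf.find(magic)
            while pos != -1:
                # Skip matches already reported from the previous overlap.
                if not hits[name] or base + pos > hits[name][-1]:
                    hits[name].append(base + pos)
                pos = buf.find(magic, pos + 1)
        tail = buf[-overlap:]
        base += len(buf) - len(tail)
    return hits

class ToyVolume:
    """Constructed model of a volume: a name index plus a flat data area."""
    def __init__(self, size=4096):
        self.data, self.index, self.free = bytearray(size), {}, 0

    def write(self, name, content):
        self.index[name] = (self.free, len(content))
        self.data[self.free:self.free + len(content)] = content
        self.free += len(content)

    def delete(self, name):
        # "Regular" delete: only the reference goes; the bytes stay in place.
        del self.index[name]

    def delete_and_overwrite(self, name):
        # Zero the file's bytes before dropping the reference.
        start, length = self.index.pop(name)
        self.data[start:start + length] = bytes(length)

    def scan(self, chunk_size=1 << 20):
        return find_signatures(io.BytesIO(bytes(self.data)), chunk_size)
```

To check a real device image before resale, open the image file in binary mode and pass it to `find_signatures`; an image that was fully overwritten should return empty lists.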
