Nude pics, other data, recovered from 'wiped' Android phones purchased on eBay

Researchers purchased "wiped" Android smartphones on eBay, but were still able to restore the personal data.

Restoring Android smartphones to default, or erasing the memory, will not stop attackers from recovering personal information and possibly using it for nefarious purposes, AVAST researchers found after purchasing 20 "wiped" devices on eBay and digging up, altogether, more than 40,000 individual bits of data.

Although there was some overlap, AVAST purchased a variety of devices, including the HTC One X for AT&T, HTC EVO 4G, HTC ThunderBolt ADR6400L for Verizon, HTC Sensation 4G, Samsung Galaxy S2 from Sprint, Samsung Galaxy S3, Samsung Galaxy S4 for AT&T, LG Optimus L9 P769, and Motorola Droid RAZR MAXX XT912.

From all of those devices, more than 40,000 photographs were recovered, according to a Tuesday post. More than 1,500 pictures were family photos of children, more than 750 were nude photos of women, and more than 250 were “selfies” of male genitals presumably taken by the previous owner.

Additionally, more than a thousand Google searches, more than 750 emails and text messages, more than 250 contact names and email addresses, and four identities of previous owners were also recovered, as well as a completed loan application.

No business data or company information was recovered, Jaromír Hořejší, malware analyst with AVAST, told SCMagazine.com in a Tuesday email correspondence.

“We recovered some compromising photos, which may cause significant problems and embarrassment [if] someone published them or used [them] for blackmailing,” Hořejší said. “If some recovered documents contained, for example, passwords, it then may of course lead to identity theft.”

Sensitive information can be recovered from Android smartphones because deleting a file the “regular way” only results in a reference to the file being deleted and the area being marked as free, Hořejší said. In actuality, the entire file just remains where it is until overwritten by something else.

“In a nutshell, first we rooted all the phones, then we cloned 'data' or 'userdata' partitions, then we searched for known patterns and file format signatures, [such as] pictures, databases, coordinates, [and] Facebook chats,” Hořejší said. “All interesting data was recovered from 'data' or 'userdata' partitions. Sometimes the data was stored on the external memory card.”
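The behaviour described above, where a deleted file stays on the partition until overwritten and can be found again by its format signature, is shown here as an added Python example (not AVAST's tooling and not code from the article). The `ToyPartition` class, its file table and the sample JPEG bytes are constructed for illustration; the example also shows that overwriting unreferenced blocks leaves the signature scan with nothing to find.

```python
JPEG_SOI = b"\xff\xd8\xff"   # JPEG start-of-image signature
JPEG_EOI = b"\xff\xd9"       # JPEG end-of-image marker
BLOCK = 512

class ToyPartition:
    """Constructed stand-in for a 'userdata' image: raw blocks plus a file table."""
    def __init__(self, blocks=64):
        self.raw = bytearray(blocks * BLOCK)
        self.table = {}            # name -> (offset, length)
        self.next_free = 0

    def write(self, name, data):
        off = self.next_free
        self.raw[off:off + len(data)] = data
        self.table[name] = (off, len(data))
        self.next_free = off + -(-len(data) // BLOCK) * BLOCK  # round up to a block

    def delete(self, name):
        # "Regular" delete: drop the reference only; the bytes stay in place.
        del self.table[name]

    def wipe_free_space(self):
        # Keep only bytes still referenced by a live file; zero everything else.
        live = bytearray(len(self.raw))
        for off, length in self.table.values():
            live[off:off + length] = self.raw[off:off + length]
        self.raw = live

def carve_jpegs(image):
    """Return byte runs that start at a JPEG signature and end at the next EOI."""
    found, pos = [], 0
    while (start := image.find(JPEG_SOI, pos)) != -1:
        end = image.find(JPEG_EOI, start + len(JPEG_SOI))
        if end == -1:
            break
        found.append(bytes(image[start:end + len(JPEG_EOI)]))
        pos = end + len(JPEG_EOI)
    return found

def demo():
    photo = JPEG_SOI + b"\xe0" + b"constructed-photo-body" + JPEG_EOI  # constructed sample
    part = ToyPartition()
    part.write("notes.txt", b"keep me")
    part.write("photo.jpg", photo)
    part.delete("photo.jpg")               # reference gone, data still present
    after_delete = carve_jpegs(part.raw)
    part.wipe_free_space()                 # unreferenced blocks overwritten
    after_wipe = carve_jpegs(part.raw)
    return photo, after_delete, after_wipe, bytes(part.raw[:7])
```

On real flash storage, an overwrite issued through the file system is not guaranteed to reach every physical block, so encrypting the device before a factory reset is the more dependable control.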
