Security Architecture, Endpoint/Device Security, Endpoint/Device Security, Endpoint/Device Security, Endpoint/Device Security, Endpoint/Device Security

Nude pics, other data, recovered from ‘wiped’ Android phones purchased on eBay

Restoring Android smartphones to default, or erasing the memory, will not stop attackers from recovering personal information and possibly using it for nefarious purposes, AVAST researchers found after purchasing 20 "wiped" devices on eBay and digging up, altogether, more than 40,000 individual bits of data.

Although there was some overlap, AVAST purchased a variety of devices, including the HTC One X for AT&T, HTC EVO 4G, HTC ThunderBolt ADR6400L for Verizon, HTC Sensation 4G, Samsung Galaxy S2 from Sprint, Samsung Galaxy S3, Samsung Galaxy S4 for AT&T, LG Optimus L9 P769, and Motorola Droid RAZR MAXX XT912.

From all of those devices, more than 40,000 photographs were recovered, according to a Tuesday post. More than 1,500 pictures were family photos of children, more than 750 were nude photos of women, and more than 250 were “selfies” of male genitals presumably taken by the previous owner.

Additionally, more than a thousand Google searches, more than 750 emails and text messages, more than 250 contact names and email addresses, and four identities of previous owners were also recovered, as well as a completed loan application.

No business data or company information was recovered, Jaromír Hořejší, malware analyst with AVAST, told in a Tuesday email correspondence.

“We recovered some compromising photos, which may cause significant problems and embarrassment [if] someone published them or used [them] for blackmailing,” Hořejší said. “If some recovered documents contained, for example, passwords, it then may of course lead to identity theft.”

Sensitive information can be recovered from Android smartphones because deleting a file the “regular way” only results in a reference to the file being deleted and the area being marked as free, Hořejší said. In actuality, the entire file just remains where it is until overwritten by something else.

“In a nutshell, first we rooted all the phones, then we cloned 'data' or 'userdata' partitions, then we searched for known patterns and file format signatures, [such as] pictures, databases, coordinates, [and] Facebook chats,” Hořejší said. “All interesting data was recovered from 'data' or 'userdata' partitions. Sometimes the data was stored on the external memory card.”

Is data just as recoverable from Apple's devices?

AVAST did not analyze any iPhones, but Tomas Zeman, mobile product manager with AVAST, told in a Tuesday email correspondence that devices running iOS have a much more complicated recovery process – depending on the version of iOS.

“Generally speaking, iOS forensics is much harder to do than Android [forensics], as you have to deal with encryption, [meaning] more skills are needed to recover any data,” Zeman said. “If [iOS] does not encrypt the files, you can be somewhat successful in recovering some data using a similar technique as used for Android phones.”

After looking through the research, Zeman said he is pretty surprised at the weak factory reset option used by most Android smartphone manufacturers, particularly because more than 80,000 used smartphones are listed for sale each day on eBay and other similar websites.

But the feelings were mixed within AVAST.

“I am not surprised,” Hořejší said. “In the past, I have recovered – several times – data supposedly deleted from hard discs, memory cards, USB drives, [and more;] thus it is not surprising for me that I recovered something from smartphones.”

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.