~ Many users forget to delete their data
and while 40% of the phones purchased from pawn shops had been factory reset, user
data continues to be accessible ~
REDWOOD
CITY, Calif., February 23, 2016 – Avast
Software, maker of the most trusted security in the world, was able to
identify sensitive personal data on used phones sold in pawn shops. For the
experiment, Avast purchased 20 used smartphones — five devices each in New
York, Paris, Barcelona and Berlin — and used widely available free recovery
software to detect the data found on the devices. As a result, Avast retrieved
more than 2,000 personal photos, emails, text messages, invoices and one video containing
adult content from the phones that the prior owner assumed was deleted. On two
of the phones, the previous owners had forgotten to log out of their Gmail
accounts, risking having the new owners read or send emails in their name.
Avast performed a similar experiment two
years ago with used phones that were sold by consumers online in the U.S. and
found more than 40,000 personal photos, emails and text messages. Unfortunately,
this year’s results highlight that even though smartphone technology is
progressing, consumers still lack awareness around how to protect their
sensitive personal data.
Because all the phones in this experiment came
from pawn shops, Avast was able to consult with the shop owners prior to
purchase. While each shop owner assured the buyer that the phones had been
factory reset and that all data from previous owners had been wiped clean, Avast
found that twelve weren’t. Of the phones that were factory reset, 50 percent
still contained personal data as they were running an outdated version of
Android that had an improperly functioning factory reset feature. Some of the previous owners only deleted their
files without doing a factory reset. However, this doesn’t mean that the files
were removed completely - only the reference to the file was deleted. Other
phone owners simply forgot to delete their data or do a factory reset.
While an original owner who sells an old
phone to a pawn shop might take the necessary precautions to rid the phone of
data, it’s unlikely that a seller who found or stole the phone, for example,
prior to pawning it would take these same steps (and as we know, lost phones can
end up in pawn shops).
Scenarios such as these highlight both the responsibility of shop owners to
properly wipe and reset phones prior to sale, and also the need for phone
owners to utilize anti-theft software in the chance their phone is lost or
stolen, in order to remotely wipe the data. “New Android phones are pretty safe
when it comes to the factory reset, but used phones with older Android versions
that have a less thorough reset feature are still being sold,” said Gagan
Singh, president of mobile at Avast Software.
“Through our research, we noticed that some
people simply forget to delete their personal data and perform the factory reset
before selling the device. To ensure that all data is removed, a user needs to
overwrite the phone’s files. Without this, a user’s personal data could easily
end up in the hands of the next owner of the phone. In the end, users are
responsible for cleaning all sensitive and personal data from their devices
prior to sale, and they should never rely on a shop owner to remove remaining
data prior to reselling the phones.”
Avast researchers were able to recover the
following files from the 20 phones:
- More than 1,200 photos
- More than 200 photos with adult content
- 149 photos of children
- More than 300 emails and text messages
- More than 260 Google searches, including
170 searches for adult content
- Two previous owners’ identities
- Three invoices
- One working contract
- One adult video
“If you sell your phone, make sure you
don’t sell your identity and personal data in the same move,” added Singh. “If
your personal data gets into the wrong hands, it can be easily exploited for
identity theft or blackmail, and explicit content could be uploaded to the Web.
We know many of our users dislike the idea of strangers viewing their photos,
so they should take the time to ensure their sensitive data is removed from
their phones prior to selling them.”
Avast advises consumers interested in
selling their used Android devices to first install the free Avast Anti-Theft
app and then use the thorough wipe feature to permanently delete and overwrite
all files on the device, thus making personal data irretrievable. Avast
Anti-Theft can be downloaded for free from Google Play.