Selling Your Smartphone Could Mean Selling Your Identity. Avast Finds Used Smartphones Still Contain Personal Information and Data

~ Many users forget to delete their data and while 40% of the phones purchased from pawn shops had been factory reset, user data continues to be accessible ~

REDWOOD CITY, Calif., February 23, 2016Avast Software, maker of the most trusted security in the world, was able to identify sensitive personal data on used phones sold in pawn shops. For the experiment, Avast purchased 20 used smartphones — five devices each in New York, Paris, Barcelona and Berlin — and used widely available free recovery software to detect the data found on the devices. As a result, Avast retrieved more than 2,000 personal photos, emails, text messages, invoices and one video containing adult content from the phones that the prior owner assumed was deleted. On two of the phones, the previous owners had forgotten to log out of their Gmail accounts, risking having the new owners read or send emails in their name.

Avast performed a similar experiment two years ago with used phones that were sold by consumers online in the U.S. and found more than 40,000 personal photos, emails and text messages. Unfortunately, this year’s results highlight that even though smartphone technology is progressing, consumers still lack awareness around how to protect their sensitive personal data.

Because all the phones in this experiment came from pawn shops, Avast was able to consult with the shop owners prior to purchase. While each shop owner assured the buyer that the phones had been factory reset and that all data from previous owners had been wiped clean, Avast found that twelve weren’t. Of the phones that were factory reset, 50 percent still contained personal data as they were running an outdated version of Android that had an improperly functioning factory reset feature.  Some of the previous owners only deleted their files without doing a factory reset. However, this doesn’t mean that the files were removed completely - only the reference to the file was deleted. Other phone owners simply forgot to delete their data or do a factory reset.

While an original owner who sells an old phone to a pawn shop might take the necessary precautions to rid the phone of data, it’s unlikely that a seller who found or stole the phone, for example, prior to pawning it would take these same steps (and as we know, lost phones can end up in pawn shops). Scenarios such as these highlight both the responsibility of shop owners to properly wipe and reset phones prior to sale, and also the need for phone owners to utilize anti-theft software in the chance their phone is lost or stolen, in order to remotely wipe the data. "New Android phones are pretty safe when it comes to the factory reset, but used phones with older Android versions that have a less thorough reset feature are still being sold," said Gagan Singh, president of mobile at Avast Software.

"Through our research, we noticed that some people simply forget to delete their personal data and perform the factory reset before selling the device. To ensure that all data is removed, a user needs to overwrite the phone’s files. Without this, a user’s personal data could easily end up in the hands of the next owner of the phone. In the end, users are responsible for cleaning all sensitive and personal data from their devices prior to sale, and they should never rely on a shop owner to remove remaining data prior to reselling the phones."

Avast researchers were able to recover the following files from the 20 phones:

  • More than 1,200 photos
  • More than 200 photos with adult content
  • 149 photos of children
  • More than 300 emails and text messages
  • More than 260 Google searches, including 170 searches for adult content
  • Two previous owners’ identities
  • Three invoices
  • One working contract
  • One adult video

"If you sell your phone, make sure you don’t sell your identity and personal data in the same move," added Singh. "If your personal data gets into the wrong hands, it can be easily exploited for identity theft or blackmail, and explicit content could be uploaded to the Web. We know many of our users dislike the idea of strangers viewing their photos, so they should take the time to ensure their sensitive data is removed from their phones prior to selling them."

Avast advises consumers interested in selling their used Android devices to first install the free Avast Anti-Theft app and then use the thorough wipe feature to permanently delete and overwrite all files on the device, thus making personal data irretrievable. Avast Anti-Theft can be downloaded for free from Google Play.