Avast finds personal data on phones sold at pawn shops [Infographic]

Deborah Salmi, 24 February 2016

Avast mobile researchers bought 20 used smartphones from pawn shops around the world and found personal data on them after they were reset.

Many people sell their used smartphones but fail to ensure their personal data is wiped away.

Avast mobile security researchers bought phones from pawn shops, five devices each in New York, Paris, Barcelona, and Berlin, and, using widely available free recovery software, detected data still on the "cleaned" devices. Avast retrieved more than 2,000 personal photos, emails, text messages, invoices, and one adult video.

[Infographic: pawn shop phones for sale]

Getting rid of your phone?
Wipe it clean with Avast Anti-Theft.

A year and a half ago, Avast mobile security researchers bought 20 used phones from online consumer-to-consumer sites, like eBay and Amazon, in the USA. Using easily available recovery software, they were able to access more than 40,000 personal photos, emails, and text messages.

Since then, smartphone technology has progressed and numerous educational articles have been published to inform people about cleaning their phones before selling, so we wanted to see what would happen if we did a similar experiment now.

Not much changes...

Because all the smartphones in this experiment came from pawn shops, Avast researchers were able to consult with the shop owners prior to purchasing the phones. Each shop owner assured them that the phones had been factory reset and that all data from previous owners was wiped clean. Avast found otherwise. Twelve of the supposedly clean phones were not clean at all.

Avast retrieved more than 2,000 personal photos, emails, text messages, invoices, and one adult video from the phones that the prior owners assumed were deleted. On two of the phones, the previous owners had forgotten to log out of their Gmail accounts, risking having the new owners read or send emails in their name.

Avast researchers were able to recover the following files from the 20 phones:

  • More than 1,200 photos
  • More than 200 photos with adult content
  • 149 photos of children
  • More than 300 emails and text messages
  • More than 260 Google searches, including 170 searches for adult content
  • Two previous owners’ identities
  • Three invoices
  • One working contract
  • One adult video

Why did these phones still have data on them?

Of the phones that were factory reset, 50 percent still contained personal data because the previous owner was running an outdated version of Android that had an improperly functioning factory reset feature. Some of the previous owners only deleted their files without doing a factory reset. However, deleting a file does not remove it completely; only the reference to the file is deleted. Other phone owners simply forgot to delete their data or do a factory reset. It is also possible that some of these phones were lost and had not been wiped clean of data before they arrived at the pawn shop.
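The difference between deleting a file's reference and overwriting its contents, as an added example (not Avast's code or recovery tooling): a toy storage model in which a plain delete leaves a photo's bytes recoverable by scanning for JPEG markers, while overwriting first leaves nothing. The ToyStorage class, file names and sample bytes are constructed for illustration, and the model ignores real filesystem and flash-controller behaviour.

```python
# Toy model of phone storage: a raw byte image plus a file table that maps
# names to (offset, length). All names and sample data here are constructed.
JPEG_SOI, JPEG_EOI = b"\xff\xd8\xff", b"\xff\xd9"

class ToyStorage:
    def __init__(self, size=1024):
        self.image = bytearray(size)   # raw storage, as a recovery tool reads it
        self.table = {}                # name -> (offset, length)
        self.next_free = 0

    def write(self, name, data):
        off = self.next_free
        if off + len(data) > len(self.image):
            raise ValueError("storage full")
        self.image[off:off + len(data)] = data
        self.table[name] = (off, len(data))
        self.next_free = off + len(data)

    def delete(self, name):
        """Plain delete: drop the reference, leave the bytes in place."""
        del self.table[name]

    def wipe(self, name):
        """Overwrite the file's bytes with zeros, then drop the reference."""
        off, length = self.table.pop(name)
        self.image[off:off + length] = bytes(length)

def carve_jpegs(image):
    """Scan the raw image for JPEG start/end markers, ignoring the file table."""
    found, pos = [], 0
    while (start := image.find(JPEG_SOI, pos)) != -1:
        end = image.find(JPEG_EOI, start + len(JPEG_SOI))
        if end == -1:
            break
        found.append(bytes(image[start:end + len(JPEG_EOI)]))
        pos = end + len(JPEG_EOI)
    return found

def residual_after(method):
    """Store one constructed 'photo', remove it with `method`, return leftovers."""
    photo = JPEG_SOI + b"\xe0" + b"constructed-sample-pixels" + JPEG_EOI
    store = ToyStorage()
    store.write("notes.txt", b"constructed text file")
    store.write("IMG_0001.jpg", photo)
    getattr(store, method)("IMG_0001.jpg")   # file no longer appears in the table
    return carve_jpegs(store.image)
```

Calling `residual_after("delete")` returns the full photo bytes even though the file is no longer listed, while `residual_after("wipe")` returns an empty list.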

Scenarios such as these highlight both the responsibility of shop owners to properly wipe and reset phones prior to sale and the need for phone owners to use anti-theft software, so that they can remotely wipe the data if their phone is lost or stolen.

“New Android phones are pretty safe when it comes to the factory reset, but used phones with older Android versions that have a less thorough reset feature are still being sold,” said Gagan Singh, president of mobile at Avast Software.

How to make sure you don’t sell your identity along with your old phone

If you are selling a phone with an older version of Android (version 4.3 is the last one where factory reset did not work properly for some devices), then you cannot depend on the factory reset to ensure your personal data is wiped clean. Deleting files from your Android phone before selling it or giving it away is also not enough to ensure against identity theft. You need to overwrite your files, making them irretrievable. To do so, install Avast Anti-Theft from the Google Play Store for free.

Your mobile device must be connected to your Avast account at https://my.avast.com. Linking your device to your Avast account also allows you to remotely wipe your phone in case it’s stolen or lost.

The final step is to wipe the phone clean, which will delete and overwrite all of your personal data.

Once the app is installed, turn on the WIPE command within the app.

  • Choose WIPE in the Send command column and click Send.
  • Confirm that you really want to delete all your data from the mobile phone.
  • To delete, click Send; otherwise, click Cancel. Your mobile will be rebooted.
  • The WIPE command will erase all data on your mobile and initiate a factory reset.

Avast at Mobile World Congress

Avast Mobile Security is at Mobile World Congress in Barcelona in Hall 8.1 (App Planet), Booth H65 this week, until February 25. Please stop by if you are around.