Make sure your Android phone is wiped clean before you sell it.
Every day, tens of thousands of people sell or give away their old mobile phones. We decided to buy some of these used phones to test whether they had been wiped clean of their data. What we found was astonishing: 40,000 photos including 750 photos of partially nude women and more than 250 male nude selfies, 750 emails and texts, 250 names and addresses, a collection of anime porn, a complete loan application, and the identity of four of the previous phone owners.
How did we recover so much personal data?
The problem is that people thought they deleted files but the standard features that came with their operating system did not do the job completely. The operating system deleted the corresponding pointers in the file table and marked the space occupied by the file as free. But in reality, the file still existed and remained on the drive.
Did you know that Californians are obsessed with Selfie Sticks from Amazon.com? Or that people in Maine buy lots of coconut oil?
Thanks to Jumpshot, a marketing analytics company, you can find this information – as well as more useful information – by using the tools available at Jumpshot.com.
What may be most interesting to you is that Jumpshot is using Avast data to drive these unique insights. We provide Jumpshot with anonymized and aggregated data that we collect from scanning the 150 billion URLs our users visit each month. Using Jumpshot’s patent-pending algorithm, all of the personally identifiable information is removed from the data before it leaves Avast servers. Nothing can be used to identify or target individuals. Avast COO Ondřej Vlček explains the data stripping algorithm in an Avast forum topic.
Data security, of course, is very important to us. We go to great lengths to keep our users safe, and have never shared any data that can be used to identify them. We never have and never will.
Most of us can agree that we don’t want our personal data falling into other people’s hands. This may seem obvious, but given the amount of data we regularly share online, it is not uncommon for our information to be wrongfully passed on to others. In this clever video published by Facebook Security, we learn how to nip scams in the bud and prevent others from tricking us into sharing personal information.
This article is a re-print from the April 1, 2015 edition of Silicon India.
Security threats are evolving quickly, making it difficult to pinpoint just one threat that is currently affecting small and mid-size businesses.
From the threats we have observed in the past and the ones we anticipate for the future, we have learned that while malware can be damaging to businesses, so can human decisions. This makes it vital for small and mid-size business owners to discuss possible threats with their employees and share basic IT guidelines with them, but more importantly, to implement a strong security solution that stops dangers before they become a real threat.
Taking Advantage of Human Nature: Social Engineering
Hackers understand that it is human nature to make mistakes, which is why they often turn to social engineering. Social engineering is a tactic that tricks people into revealing their personal information, like login details, or into performing actions, like downloading malware disguised as an attachment or link.
Phishing emails are a popular form of social engineering that can easily sneak their way into your employees’ inboxes, disguising themselves as yet another offer, promotion, or even customer, if you do not have anti-phishing protection. Phishing campaigns come in many forms; they can use scare tactics to make people believe they are in trouble, or lure them with the claim that they have won a prize.
In the last few months we have seen Trojans like Pony Stealer and Tinba make their rounds. Both Pony Stealer and Tinba attempted to convince people they owed money and to download an invoice, which was of course not an actual invoice, but a Trojan.
Falling for phishing scams can have devastating effects on businesses; attackers could not only steal personal information, but also attack Point of Sale (PoS) systems to steal customers’ financial information, thus affecting not only the business itself, but its clients as well.
Lack of security awareness: Beneficial for hackers, bad for your business
Not taking proper security precautions, like choosing weak passwords or ignoring security updates, is another human flaw cybercriminals like to abuse to access accounts and networks. To gain control of a system, hackers can enter common or weak passwords or simply look up the hardware’s default administrative login credentials.
Avast bought 20 used phones from eBay and discovered that lots of personal data still remained on them.
Introduction to Android forensics (aka CSI: Android)
Digital forensics is a branch of science which deals with the recovery and investigation of materials found in digital devices. Forensics is usually mentioned in connection with crime, vaguely similar to criminal investigations on TV shows like CSI: Crime Scene Investigation and NCIS. However, several experiments (1, 2), including this one, use methods of digital forensics as proof that people do not pay attention to what happens with their personal data when replacing their digital devices (computers, hard drives, cell phones). In this blog post series we will reveal what we managed to dig out from supposedly erased devices. The sensitive information includes pictures (even very private ones!), videos, contacts, SMS messages, Facebook chat logs, Google searches, GPS location coordinates, and more.
What happens to the file when it is “deleted”?
When people want to delete a file, most will use the standard features that come with their operating system. After it’s done, they consider the unwanted data to be gone forever. However, this is not true.
The Internet has become a virtual flea market, with online consumer-to-consumer sites like Amazon, eBay, and Craigslist selling millions of products every day. Used smartphones are a popular sales item on eBay – more than 80,000 people list their phones for sale each day. It seems like a smart way to make some extra money, but AVAST has found out that many fail to protect their identity in the process.
AVAST recovers an abundance of personal data from used smartphones
Most sellers delete all of their personal data prior to selling their used devices… or so they think. We purchased 20 used Android phones off eBay and used simple and easily available recovery software to restore deleted files. The amount of data we were able to retrieve was astonishing and proves that simply deleting is not enough.
Our analysts found the following:
- More than 40,000 stored photos
- More than 1,500 family photos of children
- More than 750 photos of women in various stages of undress
- More than 250 selfies of what appear to be the previous owner’s manhood
- More than 1,000 Google searches
- More than 750 emails and text messages
- More than 250 contact names and email addresses
- Four previous owners’ identities
- One completed loan application
One phone even had a competitor’s security software installed, but unfortunately it did not help the former owner as it revealed the most personal information out of all the phones we analyzed.
No one cares about my old photos, messages and Google searches, right?
Wrong! As the old saying goes, a picture is worth a thousand words. Now add private Facebook messages that include geo-location, Google searches for open job positions in a specific field, media files, and phone contacts. Put all of these pieces together to complete the puzzle and you have a clear picture of who the former smartphone owner was. Stalkers, enemies, and thieves can abuse personal data to stalk, blackmail and steal people’s identities. They can use this information to watch people’s every move, exploit their strange fetishes, open credit cards in their name, or even continue what they started by further selling their personal information online.
How to permanently delete and overwrite data from your Android phone
Deleting files from your Android phone before selling it or giving it away is not enough. You need to overwrite your files, making them irretrievable. To do so, install avast! Anti-Theft from the Google Play Store for free. Once you have the app installed, turn on the “thorough wipe” feature within the app. You will then need to create a my.avast account to connect to the phone (this allows users to remotely wipe their phones in theft cases as well). The final step is to wipe the phone clean, which will delete and overwrite all of your personal data.
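The difference between deleting and overwriting, as an added example that is not Avast's code or the recovery software used in the investigation. `ToyFlash` and `residual_jpegs` are hypothetical names, the device is a constructed in-memory model of a file table plus raw blocks, and the photo bytes are constructed sample data; real flash controllers add wear leveling that this model ignores.

```python
BLOCK = 16  # bytes per block in this constructed toy device

class ToyFlash:
    """Flat block device plus a file table mapping name -> list of block numbers."""
    def __init__(self, blocks=32):
        self.data = bytearray(blocks * BLOCK)
        self.table = {}
        self.free = list(range(blocks))

    def write(self, name, payload):
        need = -(-len(payload) // BLOCK)  # ceiling division
        blocks = [self.free.pop(0) for _ in range(need)]
        for i, b in enumerate(blocks):
            chunk = payload[i * BLOCK:(i + 1) * BLOCK]
            self.data[b * BLOCK:b * BLOCK + len(chunk)] = chunk
        self.table[name] = blocks

    def delete(self, name):
        # Standard delete: drop the pointer and mark blocks free; bytes stay put.
        self.free.extend(self.table.pop(name))

    def wipe_free_space(self):
        # Thorough wipe: overwrite every block not owned by a live file.
        for b in self.free:
            self.data[b * BLOCK:(b + 1) * BLOCK] = bytes(BLOCK)

def residual_jpegs(dev):
    """Pre-sale audit: count JPEG start/end marker pairs left in the raw image."""
    raw, count, pos = bytes(dev.data), 0, 0
    while True:
        start = raw.find(b"\xff\xd8\xff", pos)
        end = raw.find(b"\xff\xd9", start + 3) if start >= 0 else -1
        if end < 0:
            return count
        count, pos = count + 1, end + 2

def demo():
    dev = ToyFlash()
    photo = b"\xff\xd8\xff\xe0" + b"constructed-private-photo-bytes" + b"\xff\xd9"
    dev.write("selfie.jpg", photo)
    dev.write("notes.txt", b"keep me")
    dev.delete("selfie.jpg")
    after_delete = ("selfie.jpg" in dev.table, residual_jpegs(dev))
    dev.wipe_free_space()
    kept = bytes(dev.data[dev.table["notes.txt"][0] * BLOCK:][:7])
    return after_delete, residual_jpegs(dev), kept

if __name__ == "__main__":
    print(demo())
```

After `delete` the file table no longer lists the photo, yet the audit still finds its bytes in the raw image; only after the free-space overwrite does the count drop to zero while the live file is untouched.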
PRIVACY. It’s the word of the year from dictionary.com. With reports of the NSA turning the internet into a vast surveillance platform, FBI agents and hackers monitoring citizens through home appliances, web-browser tracking cookies multiplying like rabbits, and information you post to social networking sites yourself, the loss of individuals’ online privacy and the extensive access to personal data became a mainstream topic in 2013.
In an interview about security issues with SC Magazine, Vincent Steckler, AVAST’s CEO said that the next aspect of security that needs consideration is privacy. Both consumers and corporates are going to need social media protection capabilities, including checking of links for malware, better control of privacy settings, and control over apps. That goes for tracking in browsers as well.
Abandon all privacy, ye who enter here
Ondřej Vlček, AVAST’s Chief Technology Officer, agrees. “’Do not track in browsers’ doesn’t really work,” he says. “It’s up to the servers whether to adhere to [the HTTP Do Not Track header] or not. Most commercial services don’t adhere to it.”
Raise your hand if you use your smartphone to surf the web, compare prices, or buy movie tickets? (That looks like most of us.) Lots of people don’t realize that mobile brands, apps and websites ‘track’ their online movements. Vlček said there are plug-ins that remove things like tracking from ad networks, analytics services or Facebook’s Like buttons without breaking the service. He suggests this approach is an important piece of the puzzle for privacy protection.