Darlene Storm

Think you deleted your dirty little secrets? Before you sell your Android smartphone...

July 09, 2014 12:30 PM EDT

Most folks know enough to factory reset their Android phone before selling it, but few probably realize their dirty little secrets and naked selfies may still be lurking there.

Avast purchased 20 previously-owned Android smartphones from eBay; each had been “wiped” according to the manufacturer’s factory reset directions, but by simply using off-the-shelf digital forensic software such as FTK Imager, Avast recovered “more than 40,000 personal photos, emails, text messages, and – in some cases – the identities of the sellers.”

Factory data reset for KitKat 4.4.2So you “erase” your data, but what really happens to those “deleted” files? Avast’s report regarding the eBay phones states, “When a file is deleted, the operating system merely deletes the corresponding pointers in the file table and marks the space that is occupied by the file as free. The reality is that the file is not deleted and the data it contained still remains on the drive or storage card.”

Avast PR manager Caroline James remarked that one “guy was really into anime porn.” But that “secret” might be less embarrassing for the previous owner than for the people featured in risqué selfies. From only 20 Android phones, Avast found 750 selfies of women in various stages of undress and 250 male nude selfies. Mixed in with those non-G-rated photos were over 1,500 family photos of children; in total, more than 40,000 photos were recovered.

“Everybody who sold their phone, thought that they had cleaned their data completely," stated Jude McColgan, president of Avast Mobile. Yet Avast researchers also recovered over 750 emails and text messages, more than 250 contact names and email addresses, and four previous owners’ identities.

“The amount of personal data we retrieved from the phones was astounding. We found everything from a filled-out loan form to more than 250 selfies of what appear to be the previous owner's manhood,” McColgan stated. “The take-away is that even deleted data on your used phone can be recovered unless you completely overwrite it.”

How did Avast recover the “deleted” personal data?

Avast’s forensic analysis report covers the three main methods the researchers used to recover deleted data: mass-storage mount, logical analysis, and low-level analysis.

Since some of the previous owners did not store their data on removable micro SD cards or internal storage devices, simply attaching the smartphone via USB cable to a computer was enough to mount “Removable Storage.” One mass-storage mount example was a Motorola Droid Razr XT912, from which about 11 GB of personal data was recovered.

GBs recovered from wiped Motorola Droid Razr XT912; Image courtesy of Avast

In the following example, Avast used “FTK Imager to mount the image of a partition containing user data.”

Avast example of recovering previously erased data from Android HTC Sensation with FTK Imager

“The seller of this HTC Sensation smartphone thought that his personal data was removed,” wrote the researchers, but “we managed to dump 251 blocks of unallocated data and to recover ‘deleted’ messages from a Facebook chat.”

If the phone doesn’t support mass storage mounting, Avast said it could be rooted, a mass storage app installed, and then use Media Transfer Protocol to pull off the personal data and transfer it to another portable device.

However, a smartphone does not need to be unlocked or rooted before backing up data using Android Debug Bridge. The backup can be converted to a .tar archive with Android Backup Extractor. That archive contains a directory structure with all currently installed applications and may also contain directories.

“The Db directory (if it exists) contains SQLite database files, which may be viewed for example by SQLite viewer,” Avast said of this logical analysis approach. The following example was personal data left behind after a factory reset and then snagged from a Samsung Galaxy S4:

If those two methods failed to recover “wiped” data, the researchers used low level analysis to create a “bit-to-bit copy” of the user’s data. After several steps including rooting the device, the researchers extracted Facebook chats, photos and Google search keywords.

Avast forensic researchers concluded:

The combination of the methods mentioned above helped us to discover a lot of personal data, and also helped us to reconstruct several personal stories. Although at first glance the phones appeared thoroughly erased, we quickly retrieved a lot of private data. In most cases, we got to the low-level analysis, which helped us recover SMS and chat messages. 

What were those 20 Android phones full of factory-reset fail? They included the HTC One X, HTC EVO 4G, HTC ThunderBolt ADR6400L, HTC Sensation 4G, Samsung Galaxy S2, Samsung Galaxy S3, Samsung Galaxy S4, LG Optimus L9 P769, and Motorola Droid RAZR MAXX XT912. “The phones were from AT&T, Verizon and T-Mobile,” Marina Ziegler, Avast Software Global Communications Manager told me.

But don’t be silly like me and get hung up on what phones from what carriers revealed the most personal info even after previous owners had performed a factory reset or a “delete all” operation. The blame for Androids not deleting this data starts with Google. Avast analysts explained, “It’s not a question about the carriers, whether the factory reset works well or not. It’s a mix out of different aspects: The factory reset is implemented by Google. The strength of the factory reset does, however, also depend on the phone’s chip manufacturer.”

“As for the platform, different Android versions were present, most of the phones had Android version 4 (different versions), others had Android version 2.3.x (Gingerbread),” added Ziegler. In case you are curious, Google just released new Android platform distribution numbers, based on what platforms accessed the Play Store for a seven-day period ending on July 7, 2014: 56.5% of Androids were running Jelly Bean, KitKat was on 19.9% and 15% were running Ice Cream Sandwich.

July 2014 Android Platforms

Avast is not the first security firm to say that even if you follow the manufacturer’s directions to wipe your phone, it’s nearly impossible to get rid of personal information on some Android devices. In 2012, after McAfee's Robert Siciliano bought 30 mobile phones and laptops from Craigslist, he recovered personal data from 15 devices. "What's really scary is even if you follow protocol, the data is still there," he said. BlackBerry and iPhone did a good job of deleting personal data, but Siciliano advised against selling your old Android and Windows XP devices. "Put it in the back of a closet, or put it in a vise and drill holes in the hard drive, or if you live in Texas take it out into a field and shoot it. You don't want to sell your identity for 50 bucks," he said.

Avast claimed that one phone had their competitor’s security software installed, but did not elaborate on which product other than “unfortunately it did not help the former owner as it revealed the most personal information out of all the phones we analyzed.” It seems odd that only one of 20 phones is mentioned to have had any mobile security, since there are plenty of free Android security apps.

Selling your old Android “may be a great way to make extra money, but it's a bad way to protect your privacy,” noted McColgan. The fix, so you can safely sell or trade in your smartphone without also selling your dirty little secrets? According to Avast, you should go the Google Play store and download a free app like Avast Anti-Theft “which will not only erase, but also overwrite your data.” Then turn on "thorough wipe" and wipe your phone.

Whether you use Avast or not, the company certainly showed compelling reasons to use it. At any rate, make sure you install some security protection; there are also many anti-theft apps in the Google Play store as well as others to shred, wipe, or delete data and even apps to recover data.