Your Discarded Smartphone Could Be a Goldmine for Data Theft
Avast has warned that performing a factory reset to erase data from smartphones is ineffective, as the data can still be retrieved.
The company managed to recover a substantial amount of data, including over 40,000 photographs, from 20 used Android phones purchased off eBay.
Avast advises that device owners must overwrite their files to ensure they cannot be recovered, highlighting one of their own applications for this purpose.
Stu Sjouwerman, CEO of KnowBe4, remarked, “This doesn’t surprise me because RAM-based storage uses similar file systems to hard drives, and files on PCs aren’t truly deleted either.”
What About Apple Devices?
Although Avast didn’t analyze iPhones, its mobile product manager Tomas Zeman explained that “generally, data recovery on iOS is much more challenging.”
Recovery depends on various factors such as the iOS version, device type, and whether the files are encrypted.
Dave Jevans, founder and CTO of Marble Security, noted that both Android and iOS run on Unix-like operating systems and use NAND flash storage. “Hence, it is very likely that deleted data on both systems can be retrieved.”
Tablets are equally susceptible to data retrieval.
Avast’s Bounty: A Mix of Innocent and Sensational
Avast recovered over 1,500 family photos of children, 750 images of women in various stages of undress, and more than 250 explicit selfies of men.
Additionally, they found the identities of four previous device owners, one completed loan application, over 250 contact names and emails, more than 750 emails and text messages, and more than 1,000 Google searches.
One phone, which had another vendor’s security software installed, revealed the highest amount of personal information, Avast noted.
The Data Retrieval Process
Avast used FTK Imager to mount disk images of partitions containing user data. Phones without data stored on removable SD cards or internal storage could be linked to a computer via USB cable, mounting the storage as removable.
Phones lacking mass storage support needed to be rooted, with files transferred using mechanisms such as Media Transfer Protocol (MTP).
In certain scenarios, the phones were backed up with Android Debug Bridge and the data was converted into a .tar archive using an Android Backup Extractor.
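The backup-to-.tar conversion described above works because an unencrypted Android Debug Bridge backup is only a short text header followed by a zlib-compressed tar stream. The following is an added example, not code from Avast or from Android Backup Extractor; it checks whether a backup is encrypted and, if it is not, lists what it exposes. The sample backup, package name, and file paths are constructed for illustration.

```python
import io
import tarfile
import zlib

MAGIC = b"ANDROID BACKUP"

def build_sample_backup(files):
    """Build a constructed, unencrypted, compressed backup blob from {path: bytes}."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    # Header lines: magic, format version, compressed flag, encryption scheme.
    return MAGIC + b"\n4\n1\nnone\n" + zlib.compress(buf.getvalue())

def inspect_backup(blob):
    """Return (header, member names); names is None when the backup is encrypted."""
    stream = io.BytesIO(blob)
    magic, version, compressed, encryption = (
        stream.readline().rstrip(b"\n").decode("ascii", "replace") for _ in range(4)
    )
    if magic != MAGIC.decode():
        raise ValueError("not an Android backup file")
    header = {
        "version": int(version),
        "compressed": compressed == "1",
        "encryption": encryption,
    }
    if encryption != "none":
        # Encrypted payload: contents are not readable without the backup password.
        return header, None
    payload = stream.read()
    if header["compressed"]:
        payload = zlib.decompress(payload)
    with tarfile.open(fileobj=io.BytesIO(payload)) as tar:
        return header, tar.getnames()

# Constructed sample data (hypothetical package and file names).
SAMPLE_PLAIN = build_sample_backup({
    "apps/com.example.mail/db/messages.db": b"constructed message store",
    "shared/0/DCIM/IMG_0001.jpg": b"constructed image bytes",
})
SAMPLE_ENCRYPTED = MAGIC + b"\n4\n1\nAES-256\n" + b"constructed-ciphertext"

if __name__ == "__main__":
    for label, blob in (("plain", SAMPLE_PLAIN), ("encrypted", SAMPLE_ENCRYPTED)):
        print(label, inspect_backup(blob))
```

A backup whose header reports `none` gives up its full file listing to anyone holding the file, which is why backups taken from a device before resale deserve the same care as the device itself.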
Statistics Show the Reality
Every day, over 80,000 people list their smartphones on eBay, according to Avast.
The used smartphone market is expanding, with Apple, major retailers like Walmart and Best Buy, and carriers running phone buyback or trade-in programs. Many carriers also offer leasing programs that allow for regular device upgrades.
Companies like Gazelle buy used smartphones, erase them, and resell them. In May, Gazelle accepted its 2 millionth device and served its 1 millionth customer.
This scenario increases the risk for smartphone owners.
Android smartphone data recovery software is offered by companies like Smartphone Recovery Pro and Recovery-android.com.
EaseUS provides both free and paid versions of its MobiSaver Android data recovery software, and offers a similar tool for iOS.
Addressing the Issue
Smartphones, whether owned by businesses and given to employees or owned by consumers, need to be properly wiped before being reissued, discarded, or sold, stated KnowBe4’s Sjouwerman.
Marble’s Jevans recommended using encryption within corporate apps for BYOD (Bring Your Own Device) phones.
Companies might not thoroughly wipe smartphones’ storage before reallocating them to other employees.
Jevans mentioned that NAND flash “has a limited lifespan for read/write cycles before it degrades.”
Erasing file contents “is not only time-consuming but can greatly reduce the memory’s durability,” he added. “That’s why it typically isn’t done.”