This Android security flaw could let hackers follow all your movements

Kaspersky Report on Stalkerware
(Image credit: Kaspersky)

An innocuous-looking feature on Android devices was accidentally discovered by cybersecurity researchers as a means of spying on the whereabouts of another user, without the need to install additional stalkerware apps.

Malwarebytes researcher Pieter Arntz discovered the issue after he signed in to his Google account on his wife’s smartphone. Unexpectedly however, this enabled him to track the movements of his spouse using the Google Maps Timeline feature. 

“After I logged out of Google Play on my wife’s phone the issue was still not resolved. After some digging I learned that my Google account was added to my wife’s phone’s accounts when I logged in on the Play Store, but was not removed when I logged out after noticing the tracking issue,” noted Arntz.

TechRadar needs you!

We're looking at how our readers use VPNs with streaming sites like Netflix so we can improve our content and offer better advice. This survey won't take more than 60 seconds of your time, and we'd hugely appreciate if you'd share your experiences with us.

>> Click here to start the survey in a new window <<

Arntz subsequently reported the issue to Google, but was told that the behavior is infact a feature and not really a bug.

Flawed feature

While Google might treat this as a legitimate feature, and not a bug, Malwarebytes, as one of the founding members of the Coalition against Stalkerware (CAS), is treating it as a potential flaw since its misuse would constitute what it refers to as “tech enabled abuse.”

“This is more aptly a design and user experience flaw. However, it is still a flaw that can and should be called out, because the end result can still provide location tracking of another person’s device,” asserts Artnz.

He suggests a handful of things Google could improve to prevent the feature from being misused. 

For starters, Google needs to rein in the overzealous nature of the feature. Since the timeline feature was enabled in Arntz’s device and not his wife’s he feels he shouldn’t be receiving the locations visited by her phone, in the first place.

Secondly, although he received a warning when he signed into his account on her phone, Google should ensure a similar “someone else logged into Google Play on your phone” should also be sent to her wife’s phone.

Finally, Arntz feels that Google should do a better job of displaying the current logged in users instead of only showing the first letter of the Google account user.

For its part, Malwarebytes advises all Android users to check if any additional Google accounts have been added to their phone, and remove them manually to mitigate this risk of the flawed feature. 

TOPICS
Mayank Sharma

With almost two decades of writing and reporting on Linux, Mayank Sharma would like everyone to think he’s TechRadar Pro’s expert on the topic. Of course, he’s just as interested in other computing topics, particularly cybersecurity, cloud, containers, and coding.

Read more
A hand holding a phone showing the Android Find My Device network
Android's Find My Device can now let you track your friends – and I can't decide if that's cool or creepy
Kaspersky Report on Stalkerware
Security flaw in popular stalkerware apps is exposing phone data of millions
 In this photo illustration a Google Play logo seen displayed on a smartphone.
Why is there so much spyware hidden in the Play Store?
Stalkerware
New spyware found to be snooping on thousands of Android and iOS users
Photograph of a woman looking at map on a smartphone
How to use location apps without leaving a trail of data and getting followed everywhere you go
Photograph of a hand holding a smartphone with two googly eyes
Every tap, every message – how to stop your smartphone spying on you
Latest in Security
Data Breach
Thousands of healthcare records exposed online, including private patient information
China
Juniper patches security flaws which could have let hackers take over your router
Representational image depecting cybersecurity protection
GitLab has patched a host of worrying security issues
Ai tech, businessman show virtual graphic Global Internet connect Chatgpt Chat with AI, Artificial Intelligence.
AI agents can be hijacked to write and send phishing attacks
China
Volt Typhoon threat group had access to American utility networks for the best part of a year
Abstract image of cyber security in action.
MassJacker malware targets those looking for pirated software
Latest in News
Super Mario Odyssey
ChatGPT is the ultimate gaming tool - here's 4 ways you can use AI to help with your next playthrough
Ray-Ban smart glasses with the Cpperni logo, an LED array, and a MacBook Air with M4 next to ecah other.
ICYMI: the week's 7 biggest tech stories from Twitter's massive outage to iRobot's impressive new Roombas
Brad Pitt looks over his right shoulder with &#039;F1&#039; written behind him
Apple Original Films will take you behind-the-scenes of a racing cockpit in this new thrilling F1 movie trailer
AI writer
Coding AI tells developer to write it himself
Reacher looking down at another character from the Prime Video TV series Reacher
Reacher season 3 becomes Prime Video’s biggest returning show thanks to Hollywood’s biggest heavyweight
Finger Presses Orange Button Domain Name Registration on Black Keyboard Background. Closeup View
I visited the world’s first registered .com domain – and you won’t believe what it’s offering today