This Android security flaw could let hackers follow all your movements
It’s a feature, not a bug, insists Google
When you purchase through links on our site, we may earn an affiliate commission.Here’s how it works.
An innocuous-looking feature onAndroiddevices was accidentally discovered bycybersecurityresearchers as a means of spying on the whereabouts of another user, without the need to install additionalstalkerwareapps.
Malwarebytesresearcher Pieter Arntz discovered the issue after he signed in to hisGoogleaccount on his wife’ssmartphone. Unexpectedly however, this enabled him to track the movements of his spouse using theGoogle MapsTimeline feature.
“After I logged out of Google Play on my wife’s phone the issue was still not resolved. After some digging I learned that my Google account was added to my wife’s phone’s accounts when I logged in on thePlay Store, but was not removed when I logged out after noticing the tracking issue,”notedArntz.
We’re looking at how our readers use VPNs with streaming sites like Netflix so we can improve our content and offer better advice. This survey won’t take more than 60 seconds of your time, and we’d hugely appreciate if you’d share your experiences with us.
Click here to start the survey in a new window«
Arntz subsequently reported the issue to Google, but was told that the behavior is infact a feature and not really a bug.
Flawed feature
While Google might treat this as a legitimate feature, and not a bug, Malwarebytes, as one of the founding members of theCoalition against Stalkerware(CAS), is treating it as a potential flaw since its misuse would constitute what it refers to as “tech enabled abuse.”
“This is more aptly a design and user experience flaw. However, it is still a flaw that can and should be called out, because the end result can still provide location tracking of another person’s device,” asserts Artnz.
He suggests a handful of things Google could improve to prevent the feature from being misused.
Are you a pro? Subscribe to our newsletter
Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!
For starters, Google needs to rein in the overzealous nature of the feature. Since the timeline feature was enabled in Arntz’s device and not his wife’s he feels he shouldn’t be receiving the locations visited by her phone, in the first place.
Secondly, although he received a warning when he signed into his account on her phone, Google should ensure a similar “someone else logged into Google Play on your phone” should also be sent to her wife’s phone.
Finally, Arntz feels that Google should do a better job of displaying the current logged in users instead of only showing the first letter of the Google account user.
For its part, Malwarebytes advises all Android users to check if any additional Google accounts have been added to their phone, and remove them manually to mitigate this risk of the flawed feature.
With almost two decades of writing and reporting on Linux, Mayank Sharma would like everyone to think he’sTechRadar Pro’sexpert on the topic. Of course, he’s just as interested in other computing topics, particularly cybersecurity, cloud, containers, and coding.
Don’t search for information on cats at work — you could be at risk of being hacked
This dangerous new malware is hitting Windows devices by hiding in games
Nvidia’s GeForce Now Priority membership has upgraded to ‘Performance’ - introducing a 1440p resolution and ultrawide support
