This Android security flaw could let hackers follow all your movements

Kaspersky Report on Stalkerware
(Image credit: Kaspersky)

An innocuous-looking feature on Android devices was accidentally discovered by cybersecurity researchers as a means of spying on the whereabouts of another user, without the need to install additional stalkerware apps.

Malwarebytes researcher Pieter Arntz discovered the issue after he signed in to his Google account on his wife’s smartphone. Unexpectedly however, this enabled him to track the movements of his spouse using the Google Maps Timeline feature. 

“After I logged out of Google Play on my wife’s phone the issue was still not resolved. After some digging I learned that my Google account was added to my wife’s phone’s accounts when I logged in on the Play Store, but was not removed when I logged out after noticing the tracking issue,” noted Arntz.

TechRadar needs yo...

We're looking at how our readers use VPNs with streaming sites like Netflix so we can improve our content and offer better advice. This survey won't take more than 60 seconds of your time, and we'd hugely appreciate if you'd share your experiences with us.

>> Click here to start the survey in a new window <<

Arntz subsequently reported the issue to Google, but was told that the behavior is infact a feature and not really a bug.

Flawed feature

While Google might treat this as a legitimate feature, and not a bug, Malwarebytes, as one of the founding members of the Coalition against Stalkerware (CAS), is treating it as a potential flaw since its misuse would constitute what it refers to as “tech enabled abuse.”

“This is more aptly a design and user experience flaw. However, it is still a flaw that can and should be called out, because the end result can still provide location tracking of another person’s device,” asserts Artnz.

He suggests a handful of things Google could improve to prevent the feature from being misused. 

For starters, Google needs to rein in the overzealous nature of the feature. Since the timeline feature was enabled in Arntz’s device and not his wife’s he feels he shouldn’t be receiving the locations visited by her phone, in the first place.

Secondly, although he received a warning when he signed into his account on her phone, Google should ensure a similar “someone else logged into Google Play on your phone” should also be sent to her wife’s phone.

Finally, Arntz feels that Google should do a better job of displaying the current logged in users instead of only showing the first letter of the Google account user.

For its part, Malwarebytes advises all Android users to check if any additional Google accounts have been added to their phone, and remove them manually to mitigate this risk of the flawed feature. 

Mayank Sharma

With almost two decades of writing and reporting on Linux, Mayank Sharma would like everyone to think he’s TechRadar Pro’s expert on the topic. Of course, he’s just as interested in other computing topics, particularly cybersecurity, cloud, containers, and coding.