An innocuous-looking feature on Android (opens in new tab) devices was accidentally discovered by cybersecurity (opens in new tab) researchers as a means of spying on the whereabouts of another user, without the need to install additional stalkerware (opens in new tab) apps.
Malwarebytes (opens in new tab) researcher Pieter Arntz discovered the issue after he signed in to his Google account on his wife’s smartphone (opens in new tab). Unexpectedly however, this enabled him to track the movements of his spouse using the Google Maps (opens in new tab) Timeline feature.
“After I logged out of Google Play on my wife’s phone the issue was still not resolved. After some digging I learned that my Google account was added to my wife’s phone’s accounts when I logged in on the Play Store, but was not removed when I logged out after noticing the tracking issue,” noted (opens in new tab) Arntz.
- Shield yourself with these best identity theft protection services (opens in new tab)
- We’ve also compiled a list of the best Android antivirus apps (opens in new tab)
- These are the best data loss prevention services (opens in new tab)
Arntz subsequently reported the issue to Google, but was told that the behavior is infact a feature and not really a bug.
Flawed feature
While Google might treat this as a legitimate feature, and not a bug, Malwarebytes, as one of the founding members of the Coalition against Stalkerware (opens in new tab) (CAS), is treating it as a potential flaw since its misuse would constitute what it refers to as “tech enabled abuse.”
“This is more aptly a design and user experience flaw. However, it is still a flaw that can and should be called out, because the end result can still provide location tracking of another person’s device,” asserts Artnz.
He suggests a handful of things Google could improve to prevent the feature from being misused.
For starters, Google needs to rein in the overzealous nature of the feature. Since the timeline feature was enabled in Arntz’s device and not his wife’s he feels he shouldn’t be receiving the locations visited by her phone, in the first place.
Secondly, although he received a warning when he signed into his account on her phone, Google should ensure a similar “someone else logged into Google Play on your phone” should also be sent to her wife’s phone.
Finally, Arntz feels that Google should do a better job of displaying the current logged in users instead of only showing the first letter of the Google account user.
For its part, Malwarebytes advises all Android users to check if any additional Google accounts have been added to their phone, and remove them manually to mitigate this risk of the flawed feature.
- Check our list of the best identity management services (opens in new tab)