A Malwarebytes researcher found he could see his wife’s whereabouts without installing any spyware on her phone.
While spyware and stalkerware apps are a growing problem, these are not the only ways for someone to track us without our knowledge.
Cybersecurity company Malwarebytes appears to have found a way in which Google Play can be misused to track another person’s movements without installing spyware.
In a blogpost, security researcher Pieter Arntz explained that he discovered the problem after he signed into his Google account on his wife’s phone.
“I installed an app on my wife’s Android phone and to do so, I needed to log into my Google account because I paid for the app. All went well, but after installing the app and testing whether it worked, I forgot to log out of Google Play,” Arntz explained.
Back on his own devices, he later looked at the Google Maps Timeline feature to see what information it held about his location.
“I started noticing strange things but couldn’t quite put my finger on what was going on. It showed me places I had been near, but never actually visited. I figured this was nothing more than Google being an over-achiever,” he said.
Arntz added the only way his wife could have noticed his lingering Google Play sign-in was a change in the avatar in the top right corner of her phone when she opened the app.
However, Arntz said that the issue persisted even after he logged out of Google Play on her phone. “After some digging I learned that my Google account was added to my wife’s phone’s accounts.”
Malwarebytes is a cybersecurity company with offices in California, Florida, Estonia and Cork in Ireland.
It is also a founding member of the Coalition Against Stalkerware, which aims to keep people safe from being spied on.
However, while the Google sign-in problem uncovered by Arntz is not stalkerware, it can still be dangerous if used maliciously.
This is considered tech-enabled abuse, where the design of a legitimate technology can lead to intentional and malicious misuse.
This type of flaw can be particularly dangerous as it requires very little technological knowledge. In this case, all someone needs is access to another person’s phone.
Tech-enabled abuse like this can also circumvent any security software designed to detect spyware because the stalking is happening through a legitimate app.
Eva Galperin, director of cybersecurity for Electronic Frontier Foundation, said the flaw highlights the importance of quality assurance and user testing that takes domestic abuse situations into account.
“One of the most dangerous times in a domestic abuse situation is the time when the survivor is trying to disentangle their digital life from their abusers’,” she said.
“That is a time when the survivors’ data is particularly vulnerable to this kind of misconfiguration problem and the potential consequences are very serious.”
Malwarebytes has submitted an issue report to Google regarding the flaw but has advised Android users to check if any other accounts have been added to their phone.
This can be done by going to Settings > Accounts and Backups > Manage Accounts. From here, you can see which accounts are listed and remove any that should not be there.
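The Settings path above is the check most people will use. For anyone auditing a device over a debug connection, the same information can be pulled with `adb shell dumpsys account` and compared against the accounts the owner expects. The script below is an added example, not code from the article or from Malwarebytes: it assumes the dump lists each account on a line of the form `Account {name=..., type=...}`, parses those lines, and reports any account name the owner did not expect. The sample dump is constructed for illustration.

```python
import re

# Constructed sample modelled on the layout of `adb shell dumpsys account`
# output (assumption: each account appears as "Account {name=..., type=...}").
SAMPLE_DUMPSYS = """\
User UserInfo{0:Owner:c13}:
  Accounts: 3
    Account {name=owner@example.com, type=com.google}
    Account {name=partner@example.com, type=com.google}
    Account {name=owner@example.com, type=com.whatsapp}
"""

ACCOUNT_RE = re.compile(r"Account \{name=(?P<name>[^,}]+), type=(?P<type>[^}]+)\}")


def parse_accounts(dumpsys_text):
    """Return (name, type) tuples for every account line found in the dump."""
    return [(m.group("name"), m.group("type")) for m in ACCOUNT_RE.finditer(dumpsys_text)]


def find_unexpected_accounts(dumpsys_text, expected_names):
    """Return accounts whose name is not in the owner's expected set.

    A lingering sign-in from someone else's Google account shows up here as
    an account name the owner does not recognise.
    """
    expected = {n.lower() for n in expected_names}
    return [(n, t) for n, t in parse_accounts(dumpsys_text) if n.lower() not in expected]


if __name__ == "__main__":
    # On a real device, replace SAMPLE_DUMPSYS with the output of:
    #   adb shell dumpsys account
    for name, acct_type in find_unexpected_accounts(SAMPLE_DUMPSYS, ["owner@example.com"]):
        print(f"unexpected account: {name} ({acct_type})")
```

Any account the script reports should be reviewed and, if it does not belong to the device owner, removed through Settings > Accounts and Backups > Manage Accounts as the article describes.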