A bug in Google services allows the movements of Android users to be tracked. As a Malwarebytes specialist found, an attacker who wants to “spy” on a loved one needs neither special knowledge nor stalkerware-class software.



“Espionage” by Android

Cybersecurity firm Malwarebytes has discovered a way to track the movements of Android smartphone owners. Although it requires physical access to the victim’s device, it does not involve installing any third-party software. The tracking is done through Google services, which are present on most modern Android devices.

The vulnerability, which can easily be mistaken for a feature, was discovered by accident by information security researcher Pieter Arntz while he was helping his wife install a paid app on her smartphone. To pay for the purchase, he logged into his own Google account on her phone. After making sure that the application worked correctly once installed, he returned the device to his wife, forgetting to log out of the account.

Later, looking at the Timeline section of the Google Maps application on his own device, Arntz noticed something strange: the history of his movements for the day included places that he had not visited, although he had passed nearby. He put this down to inaccurate location data on Google’s side, but kept watching.

A few days later, he opened the Timeline again, and this time the result was even more unusual: the places visited included some that Arntz had not been anywhere near, but that his wife had visited. It was then that he realized the Google service was showing a combined movement history: his own and his wife’s.

Discreet surveillance

Meanwhile, his wife did not even suspect that she was being watched. First, during the initial setup of the phone she had prohibited Google from keeping the “Timeline”. Second, the only indicator that the movement history on this device was being tracked was the changed user avatar (a small circle with a photo in the upper right corner of the “Google Maps” interface).

As it turned out, a single login to an account on an Android smartphone to visit the Google Play app store is enough for that account to “settle” on the device. Simply logging out of someone else’s account will therefore not stop the tracking; the other person’s account has to be deliberately removed in the Android settings.

Not a bug, but a feature

Pieter Arntz reported the flaw, which potentially allows attackers to “spy” on any owner of an Android smartphone, to Google, but he fears that Google will consider it “not a bug, but a feature.”

As a measure that could better protect Android users from abuse of the platform’s capabilities, Arntz proposed that when Google Play is accessed from someone else’s account, a notification should go not only to the owner of that account but also to the owner of the device.

Dozens of stalkerware applications are available for the Android operating system that make it possible to spy on loved ones and monitor their communications. However, as CNews previously wrote, most of these applications have vulnerabilities that threaten the privacy of the users themselves.