Your movements could be tracked inside the Google Maps app on another person’s phone... if you’ve made this simple mistake, a security expert has warned. Researcher Pieter Arntz, who works for renowned security firm Malwarebytes, has detailed how he was able to accidentally track his wife’s whereabouts without installing any spyware or cracking any of her passwords.
It turns out the Google Play Store can be the perfect way to keep tabs on someone’s location – with up-to-date location data displayed within Google Maps.
Malwarebytes security expert Arntz wrote a detailed blog post about his discovery. In a nutshell, Arntz wanted to install a paid-for Android app onto his wife’s phone. Since he’d already bought the software once for his own device, and didn’t see a reason to buy it again, Arntz signed in to the Google Play Store app on his wife’s smartphone, navigated to a list of his previously purchased apps, and downloaded the software.
“All went well, but after installing the app and testing whether it worked, I forgot to log out of Google Play,” he explains in the blog.
Back on his own handset, Arntz started to notice rogue locations popping up in his location history within Google Maps. For those who don’t know, Google Maps keeps tabs on your location when using the app. It analyses this data to make better suggestions – to show restaurants that are close to your location rather than in another city or country, for example.
“I started noticing strange things but couldn’t quite put my finger on what was going on. It showed me places I had been near, but never actually visited,” he said. It turns out the Google Maps app on Arntz’s phone was actually listing locations that his wife had visited while carrying her phone, which still had his Google account signed in on the Play Store app.
The only way his wife would’ve known that something was awry (and that someone might have access to her location data) was the small profile picture in the corner of the Google Play Store app. Bizarrely, after working out what had happened and signing out of his wife’s Google Play Store app, Arntz discovered that he was still able to keep tabs on her movements within his Google Maps app.
He explains: “After I logged out of Google Play on my wife’s phone the issue was still not resolved. After some digging I learned that my Google account was added to my wife’s phone’s accounts when I logged in on the Play Store, but was not removed when I logged out after noticing the tracking issue.”
Malwarebytes, a prominent cybersecurity company based in California, is one of the founding members of the Coalition Against Stalkerware, which is designed to keep people safe from being spied on. Spyware and so-called stalkerware applications are a growing problem.
The Google Play Store quirk certainly doesn’t count as spyware. Nonetheless, it could be used by nefarious individuals to achieve the same results.
Eva Galperin, of the Electronic Frontier Foundation, said the flaw highlights the need to take domestic abuse situations into account when testing features. She said: “One of the most dangerous times in a domestic abuse situation is the time when the survivor is trying to disentangle their digital life from their abusers. That is a time when the survivors’ data is particularly vulnerable to this kind of misconfiguration problem and the potential consequences are very serious.”
Malwarebytes has reported the issue to Google. In the meantime, if you have previously used your login on friends’ and family members’ devices to avoid paying for apps, movies, eBooks or songs more than once, it might be worth checking which accounts are signed in on your phone.
To do that, head to Settings > Accounts and Backups > Manage Accounts. This will display a list of all the accounts with permissions on your device. You can remove any that you do not recognise, as these will have access to the GPS data gathered by your smartphone.