Securing and Finding Lost Android Phones

By Published June 21, 2012 at 12:05 pm

No matter how fancy the locking pattern, phones will still get lost or stolen; luckily, a number of built-in and third-party applications and components, when used in conjunction, create a much more formidable opponent for every day 'hackers' and phone thieves, hopefully being the difference between identity theft and mere hardware theft.

 

This guide will look at securing your Android phone (even with a SIM swap), finding lost phones via GPS tracking, and wiping the phone's data.

Mobile phone security is on the rise: With the first viruses having made their rounds and as more are developed -- not to mention the ease with which a thief can snag an unguarded cell phone -- smart phone users need to remain vigilant and prepared in the event of a lost, stolen, or breached device.

These tools will provide several different primary functions, namely: Recovery - the ability to confirm if a suspected-stolen phone is, in fact, yours or otherwise locate it between your couch cushions; Remote access - lock-down, wipe, pull data, or activate a tracking GPS on your phone from your computer; Detonate - well, maybe not really, but close enough - messing with mobile possessors is always fun.

With some of these applications, they don't even need to be active or running at the time of the device's disappearance; once installed, it's easy to utilize web interfaces to enable/disable different features on the phone, lock-down highly important applications (like email or wallets), and even pull data to the web. Better still, many of them will survive a common thief's SIM card swap, meaning you may be able to find the phone after it's been gutted.

Basic Security: Anti-Virus Software

Despite the ease of physical phone theft, digital remote assaults still remain one of the biggest threats to identity and personal accounts. Using a phone without active malware shields or virus definitions should be thought of in the same way as using a computer without them; it's do-able, but as comfort sets in and sketchy websites are explored, something bad is bound to happen.

Android, being the pseudo-open platform that it is, offers a number of options for virus shields and scanning. Keep in mind that it is possible for malware to be uploaded to the marketplace, so don't just download the first software found.

We recommend Avast! Anti-Virus for Android, a free expansion of the highly-recommended PC-based software. Lookout has also done well for us in the past, but Avast just blows them all out of the water (Lookout's major advantage is its contact back-up option, which isn't present in Avast).

phone-avast2

Before we get into advanced customization, here's a look into what Avast offers for your phone:

  • Real-time protection (shields).
  • Call & SMS filtering.
  • Remote locking.
  • Remote locating.
  • Remote storage wipes.
  • Remote siren sounding.
  • SIM-card-change notifications.
  • Firewalls for rooted phones.
  • Application Managers (for dealing with marketplace malware).

 

Avast's remote features will require installation of software from non-marketplace locations, so be sure your settings allow for this. Avast can be downloaded here for Android.

Avast's installation also offers an interesting disguise feature: Upon installing the program, it'll prompt the user for a 'secret name' of sorts; renaming it from Avast! Anti-Theft to, for instance, "Cow Race" makes it exceedingly less suspect to, you know, thieves. We recommend setting this up during installation.

We'll expand on the tool's remote software in a separate section, but first we'll quickly go over its anti-virus functionality.

Avast, along with other third-party options (like Lookout), can do what PC virus scanners have been doing for years: Seek out PUPs (Potentially Unwanted Programs), infected archives, or otherwise malicious software and destroy it.

Running a local scan is quick (preserving that battery life a bit more than slower software) and relatively painless. The scan will dig through all installed applications and seek for compromised installations, then prompt the user and ask for input (likely leading to the deletion or removal of the software). Remember to keep your virus definitions updated for maximum effectiveness. We highly recommend running the Web Shield and, if rooted, the Firewall through Avast.

Installing other browsing software, like Opera's mobile browser, will reduce security risks to the phone by avoiding the more vulnerable back-doors often found in default software.

As with its desktop counterpart, Avast scans can be scheduled to run overnight to maximize efficiency.

Recovery - Finding a Lost or Stolen Phone

A quick disclaimer before we continue on: If these recovery utilities lead you to believe that your phone has been stolen and is being held hostage within a highly-defended compound, we recommend that you seek the advice of your local authorities. Don't do anything stupid, even if you know where the phone is.

AndroidLost and Avast both have excellent software for mobile device recovery and pinpointing, so we'll explore both briefly in this section.

The key difference between the two programs is their method of use: Avast utilizes "friend phones," allowing a user to send commands from phones granted access to those commands; adding two trusted 'friend phones,' from which an SMS (encoded with a password) can be sent, will activate alarms, the GPS, or other functions of Avast. AndroidLost's approach is more universal, but less clean overall -- the user can log into AndroidLost's website and issue direct commands from a web-enabled device or computer. This makes for an easier-to-use interface overall (given its nature of being on a computer, not via text message), but less accessible and versatile.

Let's start with Avast, since it was already detailed above.

Finding a lost Android Phone - Avast's Way

This is the easy part. Locating a lost phone, whether stolen or genuinely lost in the woods, is actually surprisingly easy. With remote device accessibility, we can log into the Android device from a desktop, activate its GPS, then begin tracking it via Google Maps. The coordinates will be highly accurate and should lead you to the general area, which will typically be enough to locate the device. Again, if it is suspected that another human controls the device and it's not simply lying around on the ground, please don't engage without thinking it through. Fair warning.

phone-avast1

Steps to locating your device with Avast:

  1. Install Avast! Anti-Theft for Android; ensure all permissions required are granted and the device is given administrative access (Warning: This will give Avast! data wiping permissions).
  2. As part of the previous step, you should have added two trusted friends or other phones to the list of command-enabled partners. You should also set a 4-6 digit passphrase that must be sent via SMS to activate the commands.
  3. Lose your phone.
  4. Send a text message from one of the allowed phones set in step two. To track the phone, send: #### Locate On (where #### is the password). Avast will reply to your text message (on the friend's phone) with a link to a map that pinpoint's the lost phone. Using the command Locate 5 will update the map every five minutes. Other numbers can be substituted to change the update interval.
  5. Once the phone is found, if it's out of sight (i.e. under something or otherwise buried), texting #### Siren On will activate the device's default siren ("Woop, woop: This phone has been lost or stolen"). The siren can be disabled by texting #### Siren Off, the GPS location can be stopped by texting #### Locate Stop (also preserves battery).

 

Let us know if you require assistance in using these commands. The full list of Avast! Anti-Theft for Android commands can be found here.

Finding a lost Android Phone - AndroidLost's Way

AndroidLost can be a lot of fun to play with, but it's a high-powered tool when things come down to the wire. AndroidLost doesn't even need to actively run to be used, making it one of the best choices for battery preservation (a key element when recovering a non-charging device).

AndroidLost uses a web interface (on AndroidLost.com) to issue commands and track phones, but can also lock, send messages, and trigger alarms remotely. Further, AndroidLost can read the status of the phone's battery, disable its wireless or GPS features (to further preserve battery), alert to SIM card changes (Avast also does this), send TTS messages, and trigger the front-facing camera.

Let's first look specifically at the recovery feature-set, as we did with Avast.

  1. 1.Although AndroidLost does not need to be pre-installed to be used (sufficient privileges must be granted if it isn't), we recommend pre-installing it anyway. You can download it from the marketplace here.
  2. 2.Configure AndroidLost and create an account on its corresponding website.
  3. 3.Lose your phone.
  4. 4.Log into AndroidLost and access the web control panel.
  5. 5.Checkmark the "Auto switch on GPS if deactivated button," then click "Send Location." This may take a moment. A map will appear with the location of the tracked device. As with Avast's version, it can be tracked on a time interval if desired.
  6. 6.Once found, as with Avast, send an Alarm to locate the phone audibly.

That's it! Hopefully that'll get you close enough.

Recovery - Forwarding Text Messages & Calls from a Lost Phone

Some software allows remote retrieval of individual files from mobile devices, but what about the potential of missing text messages of phone calls that could be important? For sake of simplicity, we'll stick once again with Avast's free service: By prefixing a text message with a password from a privileged mobile device and appending "Forward SMS," all incoming text messages will be silently forwarded to the phone that issued the command.

phone-androidlost-2

In a similar fashion, messages can be copied to the third-party device (leaving them in-tact on the original device) by using the CC SMS command instead.

Calls can also be semi-forwarded, but not in any functional fashion; due to network limitations and reliability, Avast's call forwarding functionality ceases at sending simple notifications. If you miss a call and issued the CC Call command, a notification will be dispatched to the third-party (friend's) device when any inbound calls are made, though the actual call will not get forwarded.

That said, it can be fun to force the stolen/lost phone to call a specific phone number. Issuing the Call ###-#### command (with a phone number, of course) will force an outbound call from the lost device. Make of this what you will.

Forwarding already-received messages is also possible with similar commands: Sending GET <amount> SMS or GET <amount> Inbox SMS will retrieve received messages, whereas GET <amount> Sent SMS will retrieve the last X sent messages, where X is a user-defined amount.

If you're unsure of how many should be retrieved, querying the call and SMS log should point you in the right direction; do this by commanding GET Log to the remote phone.

AndroidLost also does this - just log into the controls - messages panel and select "Only get unread messages," then retrieve them. Go to the 'mobile' tab in order to forward phone calls (though you'll need special codes from your provider).

Anti-Theft: Remote Locking

Again, phones can be locked remotely using a swathe of Android applications and desktop-enabled software, but we'll stick with looking at Avast! Anti-Theft for Android and AndroidLost's options, since those are the two that we've had the best experiences with (and they're free).

Locking a phone remotely can ensure it remains untampered with in the timeframe between its bipedal evolution and its recovery, which could make the difference between unauthorized purchases or data loss.

These utilities allow passwords to be set on the phone (remotely), which helps secure things in the event that no password had been previously set.

Remote Locking - Avast's Way

With Avast, things are pretty simple (actually, they're simple with both approaches). Avast continues to utilize the 'friends' program of their service, meaning that the owner of the lost device can force a lock-down using a friend's mobile unit as a via-point.

  1. Install Avast's Anti-Theft utility.
  2. Lose your phone.
  3. Issue the command #### Lock via text from a friend-privileged phone to the lost phone.
  4. Once the phone is found, issue the command #### Unlock via text from the friend-privileged phone to the lost phone.

That's it. That's how you lock and unlock the lost phone, which should hopefully buy some time to protect your data.

Remote Locking - AndroidLost's Way

This one's not any more difficult than Avast, for this usage, anyway. Locking a phone remotely is pretty easy with AndroidLost:

  1. Install AndroidLost.
  2. Lost your phone.
  3. Log in to the AndroidLost control panel.
  4. On the 'security tab,' enter a pincode and click 'lock phone.'

And we're done. The phone can be unlocked locally using the pincode or remotely using the 'unlock phone' button.

Anti-Theft: Remote Data Wiping

Lots of personal data gets stored on phones, these days: Photos of IDs, credit card data in virtual wallets, sexy cat photos, and any number of other things that you wouldn't want someone to have access to. It is possible to remotely clear all data on the phone (of course, any savvy thieves should be able to recover stray files using these methods, but most of the important stuff should be gone); be absolutely certain that you want data wiped, though, because you won't be able to undo this action once it's started.

Remotely Data-Wipe Your Phone - Avast's Way

Again, only do this if you're sure of it. With Avast installed, the process is painless and straight-forward:

  1. Install Avast.
  2. Lose your phone.
  3. Send an SMS from one of the allowed phones, it should read #### WIPE to wipe all data on the phone.

It's amazing how easy it is to blow away all that accumulated data.

Remotely Data-Wipe Your Phone - AndroidLost's Way

AndroidLost, in addition to clearing the phone, can easily wipe data from any SD cards attached to the device (or only from SD cards). Follow these steps to clear the phone's data and SD card data:

  1. Install AndroidLost.
  2. Lose your phone.
  3. Access AndroidLost's control panel.
  4. Go to the 'security' tab. Scroll down. Use the "Wipe phone" and/or "Erase SD card" features as desired; Android 2.3+ users can wipe both in one fell sweep, just be certain of it.

And boom goes the dynamite. No more data.

Remote Screwing With People

This last one's more entertaining than anything, really; using AndroidLost or Avast, we can send remote messages to display on-screen on the phone (using Android's built-in notifications), sound sirens, and spew text-to-speech robot-ness.

phone-androidlost-1

Avast's Siren On command initiates a pre-built siren (this can be replaced with something else) that simply says, "This phone has been lost or stolen," preceded by a semi-loud siren noise. I replaced mine with the red alert noise from TNG, for instance, wither Riker shouting "SHIELDS UP!" Totally worth it.

AndroidLost can send text-to-speech commands to the phone, too: Just log in to the control panel, go to the 'mobile' tab, and type some text in and send it. On the same tab, the 'hangup phone' option makes for obnoxious interruptions in the event the thief calls all your friends to boast of his exploits.

There are many tools between Avast and AndroidLost to play around with, so even if you just want something to do for the day, give them a try. It's always good to be able to recover a lost phone, anyway.

Have any suggestions for improved phone recovery and security? Let us know in the comments below!

Last modified on June 21, 2012 at 12:05 pm
Steve Burke

Steve started GamersNexus back when it was just a cool name, and now it's grown into an expansive website with an overwhelming amount of features. He recalls his first difficult decision with GN's direction: "I didn't know whether or not I wanted 'Gamers' to have a possessive apostrophe -- I mean, grammatically it should, but I didn't like it in the name. It was ugly. I also had people who were typing apostrophes into the address bar - sigh. It made sense to just leave it as 'Gamers.'"

First world problems, Steve. First world problems.

We moderate comments on a ~24~48 hour cycle. There will be some delay after submitting a comment.

Advertisement:

  VigLink badge