Two Ghana fans pose for selfies furing the 2014 World Cup in Brazil. (reuters)
Two Ghana fans pose for selfies furing the 2014 World Cup in Brazil. (reuters)

Explicit selfies that their takers had deleted have been retrieved from a batch of discarded Android smartphones by security researchers.

After studying 20 handsets purchased on eBay, data security company Avast has warned that the "factory reset" button on Android phones does not entirely erase data, which can be easily retrieved using widely available security tools.

Among the material retrieved from the devices were 40,000 personal photographs, including 750 pictures of women posing nude, and 250 pictures of male members.

Other data included text messages, emails and Google searches.

The researchers were able to retrieve data from four phones revealing the previous owner's identity, and data in the picture files allowed them to establish exactly where pictures were taken.

They were able to retrieve the data because the "factory reset" options in the settings menu does not actually erase data from the phone, but instead deletes the index, which indicates where the material is kept.

Usually, that is enough to prevent access to data, but by using forensic tools that can be easily downloaded to access the storage data, the team was able to reconstruct the images.

Google responded that Avast used outdated smartphones and that their research did not "reflect the security protections in Android versions that are used by the vast majority of users".

Google recommends that all users enable encryption on their devices before using the factory reset button, to ensure that old data cannot be accessed.

Google said that this option had been available for three years, but was not switched on by default, meaning that many users unaware of its importance in data erasure will be vulnerable.

Apple, by contrast, has built in encryption for its hardware and firmware since the launch of the iPhone 3GS. The encryption cannot be switched off.

However, Alan Calder, founder of cybersecurity and risk management firm IT Governance, told the BBC that it was even possible to retrieve encrypted data.

"Google's recommended routine for protecting the data only makes it harder for someone to recover the data - it does not make it impossible," he said.

"If you don't want your data recovered, destroy the phone - and that has been standard security advice, in relation to telephones and computer drives, for a number of years. Any other 'solution' simply postpones the point at which someone is able to access your confidential data."