Researchers have discovered that data can be recovered after a factory reset. The file itself isn’t actually overwritten — the system just throws away all the info on the file, essentially tossing it in with whatever free space you have.
What can you do to prevent someone from recovering your data?
Encrypting your Android Phone is the strongest way to prevent its data from being recovered. Devices running Android 6.0 Marshmallow are required (except maybe some low-end devices) by Google to have mandatory encryption for maximum security.
Devices running Android 5.0 Lollipop or lower (and supports encryption), it’s highly recommended you turn on encryption (Settings > Security > Encrypt phone) to scramble its data before doing a factory reset. (The setting location may vary on different devices.)
Then factory reset it