Feb 09 AT 1:54 PM Taylor Wimberly 31 Comments

Google Wallet hacked again, no root access required this time

google-wallet-hack

Early this morning security frim  Zvelo revealed a hack for Google Wallet that exposed a user’s PIN. Fortunately this vulnerability only affected rooted phones, as Google was quick to point out to The Next Web. Now a second hack has been posted online that works on non-rooted devices and requires no special hacking skills.

Mobile blog TheSmartphoneChamp uploaded a video to YouTube that demonstrates the vulnerability. All someone has to do to access your funds is clear the data in app settings, which will force Google Wallet to prompt them to enter a new PIN. Once the new PIN has been entered, they can add a Google Prepaid Card that is tied to the device and access any available funds.

It sound almost too simple to be true, but I tested it on my Galaxy Nexus with the latest official version of Google Wallet and it works like a charm. We expect Google will be releasing an update shortly to address both issues.

As a reminder, if you want to protect you Android phone it is best to setup the lock screen and install a tracking software like Lookout in case you ever lose your device.

Update: Google has provided us with the following statement:  “We strongly encourage anyone who loses or wants to sell their phone to call Google Wallet support toll-free at 855-492-5538 to disable the prepaid card. We are currently working on an automated fix as well that will be available soon. We also advise all Wallet users to set up a screen lock as an additional layer of protection for their phone.

Source: TheSmartphoneChamp

Taylor is the founder of Android and Me. He resides in Dallas and carries the Samsung Galaxy S 4 and HTC One as his daily devices. Ask him a question on Twitter or Google+ and he is likely to respond. | Ethics statement

    Most Tweeted This Week

  • Bigtop77

    That’s pretty incredible. So the user would have to at least have to physically have your device in order to do it then?

    • Mio

      Not really.
      He need a working input-connection, it could be a input-manipulator for the VM.
      But yeah, simply physical.

      What makes me something sad:
      You can chroot nearly every android-version atm. without a wipe – even it’s only root for one boot. This is enough and easy enough to do following things in 2 minutes:
      - chroot
      - install every software (the first wallet-hack)
      - read all raw-contact-infos
      - get access to your google wallet

      etc. etc..

      This is somewhat too risky for me atm., even that I love the new features, including NFC-Payment.

    • miss helen

      BE SMART AND BECOME RICH IN LESS THAN 3DAYS….It all depends on how fast you can be to get the new PROGRAMMED blank ATM card that is capable of hacking into any ATM machine,anywhere in the world. I got to know about this BLANK ATM CARD when I was searching for job online about a month ago..It has really changed my life for good and now I can say I’m rich and I can never be poor again. The least money I get in a day with it is about $50,000.(fifty thousand USD) Every now and then I keeping pumping money into my account. Though is illegal,there is no risk of being caught ,because it has been programmed in such a way that it is not traceable,it also has a technique that makes it impossible for the CCTVs to detect you..For details on how to get yours today, email the hackers on : (professional.hacker55@yahoo.co.uk ). Tell your loved once too, and start to live large. That’s the simple testimony of how my life changed for good…Love you all …the email address again is professional.hacker55@yahoo.co.uk

  • Stang68

    Hmm…maybe an update will fix the Secure Element problem on my VZW Gnex.

  • http://www.jaxidian.org/update/ jaxidian

    I believe this is somewhat related to the “Security Element” in the devices but I totally don’t understand how everything is integrated and I could even be totally wrong. I think that the “Security Element” is supposed to prevent this but it is clearly failing. Perhaps they have mostly disabled it for now and I bet this will prompt them to re-enable it.
    http://rootzwiki.com/topic/13797-has-secure-element-locked-you-out-post-here/

    While fixing security issues is certainly a good thing and needs to be done, I anticipate more users having problems with the “Security Element” once this is “fixed”.

  • oddball

    I’m not sure I would want to use google wallet in general but I can’t understand how they could miss something this easy. Google will certainly fix it but ouch that is a pretty big black eye in this market

  • absolutedesignz

    This is, however, akin to losing your wallet. But I’m sure an update will fix this. Not a big issue. But an issue.

  • Triplanetary

    That’s a massive lapse in judgment on their part. I was vaguely aware of this, since I use Wallet on my Nexus S, and I’ve wiped the data a few times and then had to enter a new PIN. It hadn’t even occurred to me that anyone could do that and gain access to my Wallet account.

    As someone in the last thread said, the best protection for your phone really is a secure lock screen. People worry about getting hacked by some anonymous person on the other side of the Internet, but if somebody has physical access to your phone, the potential damage is massive.

    In terms of actually fixing this lapse in judgment, Google needs to start tying our Wallet PIN to our Google account, so that even if we wipe data, we’ll still need the same pin to gain access to Wallet again.

  • spazby

    Double ouch… Reminds me of early days when thieves stole cars with state of the art electronic locks with a cut up tennis ball…

  • josegb2011

    Well I’m surprised but Verizon might have done the right thing on not adding Google wallet to our galaxy nexus.. they said they were worried about its security..

  • esper256

    The Google pre-paid card, even though it has the word “card” in its name is really more like physical cash. It’s tied to the phone not your online account. So even after wiping the app, it’s still the same phone and the same secure element.

    Ultimately it’s still more secure than a physical wallet. And if you don’t use the pre-paid card then it’s a lot more secure. There also might be a fix for this possible by looping in an online request to regain access to the funds on the card in the case of a wipe.

    So rest easy. The bottom line is that it’s as secure or more in every scenario to a normal wallet and it will only get better with time.

    • thekaz

      yeah, I was gonna ask if this was just an issue if you already have a pre-paid card on there with cash on it..? if you have a mastercard tied to it, can they recover that, or is it gone with the data wipe?

      • esper256

        Actually I confused myself. Was forgetting this is about bypassing the PIN on wallet by wiping the app data only and not about factory resetting the entire phone.

        This is a real issue, but there are obvious solutions to solve this. I’d expect this to be resolved in short order.

    • Triplanetary

      I agree, with reservations. I don’t think it’s unreasonable to ask that our high-tech ways of doing things be more secure than our low-tech ones. The point of technology is to make these parts of our lives better in as many ways as possible – not just more convenient! If a high-tech means of paying for things can be made more secure than cash, that’s one of the ways that it improves on just paying with cash.

      That said, as long as it’s not less secure than cash, it’s not necessarily a disaster (in that sense I agree with you). But it also begs the question of why I shouldn’t just take cash to the store.

  • msgnyc

    Morale of the story?
    Stop losing your phones people.

  • MitchRapp81

    If someone steals your wallet, he has all your credit cards and ID’s and cash

    What the hell did people expect???

  • yankeesusa

    Now this is crazy. This was supposed to be a lot more secure then carrying your wallet. But I guess it still is if you use a lockscreen code and once google updates with security updates. In the end I’m still going to use google wallet when it becomes available in more phones. Either way I still feel better if someone stole my phone that is secured than if they steal my wallet with cash, license and several credit cards.

  • thekaz

    an update in the market… so those of us on the SGN on VZW who downloaded the apk…? looks like we gotta wait for someone to provide the newest apk.

    • http://androidandme.com Taylor Wimberly

      Every Nexus S and Galaxy Nexus device can now install Google Wallet from Android Market in the US.

      • thekaz

        just checked the market on my phone and didn’t see it.. do I need to do the “work-around” method?

      • thekaz

        tried the “work around” method posted here and when I get to the market page, it tells me the app is not available for my carrier…

      • thekaz

        whew. finally got it with the work-around .. I think I wasn’t properly clearing data/cache and choosing market and browser when I should…

      • pepperonijack

        Is it available for the T-Mobile Nexus S? I’m not in the US, but I have a spare T-Mo sim card that I pop in when I need to download a US-only app, and it tells me “not available on your carrier”.

  • greeny42

    Still doesn’t matter. With standard antifraud protection, any money they use you will get back. I’d be more pissed about having to get a new phone.

  • 1ghostII

    That trick has been around since the launch of Google Wallet. I’m surprised people are just now becoming aware of this flaw in Wallet.

  • hugo

    I wonder if the moneto app has the same issue.

  • rashad360

    The world is not ready for wireless money, I think I will hold onto my credit cards a little while longer

  • http://None Javier Bastardo

    Wonder how something so simple could be passed out since the day they launched the service. Well, at least they are aware of the problem now and knowing Google they must be working steadily to push out a solution, but this is going to be looking bad for a time. A little gift for baseless Google-detractors/haters.

  • DragonPhyre

    This issue is a non-issue if you have a PIN setup on your phone. And since you are setting up a PIN, why not just enable encryption to make it that more secure.

    Done and done.

  • Bryant

    OK, if you lose your phone someone with tech know how can get pass your pin and use your card. Wow

    If you lose your credit card anyone can swipe it, push the credit button and be on their way.

    If you lose cash, your F*****
    So what is the point of all this whining about getting pass a pin?

    1) take better care of your stuff. Anyone that wants to can miss use your stuff.
    2) install a remote wipe app so if you lose your phone you don’t have to worry about losing the car note.

  • Frank Jiminez

    I see no app for this -__-

  1. That’s pretty incredible. So the user would have to at least have to physically have your device in order to do it then?

    • MioGuest 3 years ago

      Not really.
      He need a working input-connection, it could be a input-manipulator for the VM.
      But yeah, simply physical.

      What makes me something sad:
      You can chroot nearly every android-version atm. without a wipe – even it’s only root for one boot. This is enough and easy enough to do following things in 2 minutes:
      - chroot
      - install every software (the first wallet-hack)
      - read all raw-contact-infos
      - get access to your google wallet

      etc. etc..

      This is somewhat too risky for me atm., even that I love the new features, including NFC-Payment.

    • miss helenGuest 7 months ago

      BE SMART AND BECOME RICH IN LESS THAN 3DAYS….It all depends on how fast you can be to get the new PROGRAMMED blank ATM card that is capable of hacking into any ATM machine,anywhere in the world. I got to know about this BLANK ATM CARD when I was searching for job online about a month ago..It has really changed my life for good and now I can say I’m rich and I can never be poor again. The least money I get in a day with it is about $50,000.(fifty thousand USD) Every now and then I keeping pumping money into my account. Though is illegal,there is no risk of being caught ,because it has been programmed in such a way that it is not traceable,it also has a technique that makes it impossible for the CCTVs to detect you..For details on how to get yours today, email the hackers on : (professional.hacker55@yahoo.co.uk ). Tell your loved once too, and start to live large. That’s the simple testimony of how my life changed for good…Love you all …the email address again is professional.hacker55@yahoo.co.uk

  2. Stang68Guest 3 years ago

    Hmm…maybe an update will fix the Secure Element problem on my VZW Gnex.

  3. I believe this is somewhat related to the “Security Element” in the devices but I totally don’t understand how everything is integrated and I could even be totally wrong. I think that the “Security Element” is supposed to prevent this but it is clearly failing. Perhaps they have mostly disabled it for now and I bet this will prompt them to re-enable it.
    http://rootzwiki.com/topic/13797-has-secure-element-locked-you-out-post-here/

    While fixing security issues is certainly a good thing and needs to be done, I anticipate more users having problems with the “Security Element” once this is “fixed”.

  4. I’m not sure I would want to use google wallet in general but I can’t understand how they could miss something this easy. Google will certainly fix it but ouch that is a pretty big black eye in this market

  5. This is, however, akin to losing your wallet. But I’m sure an update will fix this. Not a big issue. But an issue.

  6. That’s a massive lapse in judgment on their part. I was vaguely aware of this, since I use Wallet on my Nexus S, and I’ve wiped the data a few times and then had to enter a new PIN. It hadn’t even occurred to me that anyone could do that and gain access to my Wallet account.

    As someone in the last thread said, the best protection for your phone really is a secure lock screen. People worry about getting hacked by some anonymous person on the other side of the Internet, but if somebody has physical access to your phone, the potential damage is massive.

    In terms of actually fixing this lapse in judgment, Google needs to start tying our Wallet PIN to our Google account, so that even if we wipe data, we’ll still need the same pin to gain access to Wallet again.

  7. Double ouch… Reminds me of early days when thieves stole cars with state of the art electronic locks with a cut up tennis ball…

  8. Well I’m surprised but Verizon might have done the right thing on not adding Google wallet to our galaxy nexus.. they said they were worried about its security..

  9. esper256Guest 3 years ago

    The Google pre-paid card, even though it has the word “card” in its name is really more like physical cash. It’s tied to the phone not your online account. So even after wiping the app, it’s still the same phone and the same secure element.

    Ultimately it’s still more secure than a physical wallet. And if you don’t use the pre-paid card then it’s a lot more secure. There also might be a fix for this possible by looping in an online request to regain access to the funds on the card in the case of a wipe.

    So rest easy. The bottom line is that it’s as secure or more in every scenario to a normal wallet and it will only get better with time.

    • yeah, I was gonna ask if this was just an issue if you already have a pre-paid card on there with cash on it..? if you have a mastercard tied to it, can they recover that, or is it gone with the data wipe?

      • esper256Guest 3 years ago

        Actually I confused myself. Was forgetting this is about bypassing the PIN on wallet by wiping the app data only and not about factory resetting the entire phone.

        This is a real issue, but there are obvious solutions to solve this. I’d expect this to be resolved in short order.

    • I agree, with reservations. I don’t think it’s unreasonable to ask that our high-tech ways of doing things be more secure than our low-tech ones. The point of technology is to make these parts of our lives better in as many ways as possible – not just more convenient! If a high-tech means of paying for things can be made more secure than cash, that’s one of the ways that it improves on just paying with cash.

      That said, as long as it’s not less secure than cash, it’s not necessarily a disaster (in that sense I agree with you). But it also begs the question of why I shouldn’t just take cash to the store.

  10. Morale of the story?
    Stop losing your phones people.

  11. If someone steals your wallet, he has all your credit cards and ID’s and cash

    What the hell did people expect???

  12. Now this is crazy. This was supposed to be a lot more secure then carrying your wallet. But I guess it still is if you use a lockscreen code and once google updates with security updates. In the end I’m still going to use google wallet when it becomes available in more phones. Either way I still feel better if someone stole my phone that is secured than if they steal my wallet with cash, license and several credit cards.

  13. an update in the market… so those of us on the SGN on VZW who downloaded the apk…? looks like we gotta wait for someone to provide the newest apk.

  14. Still doesn’t matter. With standard antifraud protection, any money they use you will get back. I’d be more pissed about having to get a new phone.

  15. That trick has been around since the launch of Google Wallet. I’m surprised people are just now becoming aware of this flaw in Wallet.

  16. hugoGuest 3 years ago

    I wonder if the moneto app has the same issue.

  17. The world is not ready for wireless money, I think I will hold onto my credit cards a little while longer

  18. Wonder how something so simple could be passed out since the day they launched the service. Well, at least they are aware of the problem now and knowing Google they must be working steadily to push out a solution, but this is going to be looking bad for a time. A little gift for baseless Google-detractors/haters.

  19. This issue is a non-issue if you have a PIN setup on your phone. And since you are setting up a PIN, why not just enable encryption to make it that more secure.

    Done and done.

  20. BryantGuest 3 years ago

    OK, if you lose your phone someone with tech know how can get pass your pin and use your card. Wow

    If you lose your credit card anyone can swipe it, push the credit button and be on their way.

    If you lose cash, your F*****
    So what is the point of all this whining about getting pass a pin?

    1) take better care of your stuff. Anyone that wants to can miss use your stuff.
    2) install a remote wipe app so if you lose your phone you don’t have to worry about losing the car note.

  21. Frank JiminezGuest 12 months ago

    I see no app for this -__-