Feb 09 AT 9:42 AM Nick Gray 26 Comments

Google Wallet vulnerability easily reveals user’s PIN on devices that are rooted

google-wallet-hack

Google Wallet has been hacked! Wallet Cracker, an application developed by Zvelo, is able to use brute-force attacks to reveal the Google Wallet PIN number which keeps the application secure. While this vulnerability is as serious as they come, it only affects Android handsets which have been rooted.

As soon as the vulnerability was discovered, Zvelo released its findings to the Google Wallet team who “agreed to work quickly to resolve it.”  We do not know when Google Wallet will be updated to fix the PIN vulnerability, but we suggest you take some additional precautions to make sure your handset is secure just in case it falls into the wrong hands. Those of us who have been victims of credit card fraud know how quickly things can spiral out of control.

Google issued a response to The Next Web that said they are aware of the issue. We don’t know if Google is working on a fix yet, but suggested that users not install Google Wallet on rooted devices.

The zvelo study was conducted on their own phone on which they disabled the security mechanisms that protect Google Wallet by rooting the device. To date, there is no known vulnerability that enables someone to take a consumer phone and gain root access while preserving any Wallet information such as the PIN.

We strongly encourage people to not install Google Wallet on rooted devices and to always set up a screen lock as an additional layer of security for their phone.Google

How many of you are currently using Google Wallet on a rooted device?

Source: The Next Web

Nick is a tech enthusiast who has a soft spot for HTC and its devices. He started HTCsource.com (the first HTC blog) back in 2007 and later joined the Android and Me family in the summer of 2010.

    Most Tweeted This Week

  • amgala

    Such security breaches are always a risk with rooted phones. But it’s worth the risk!

  • GeauxLSU

    Everyone should use a screen lock, even if you don’t have anything to hide.

    • Stigy

      Agreed — screen lock is the best security against most root vulnerabilities right now.

  • somebody

    Couldn’t a potential, “hacker” just root an unrooted phone to gain access? Im rooted and have Google wallet, but im not worried.

    • http://htcsource.com Nick Gray

      That’s what I originally thought too, but according to Google’s’ statement “To date, there is no known vulnerability that enables someone to take a consumer phone and gain root access while preserving any Wallet information such as the PIN.”

      Anyone care to prove them wrong?

      • delinear

        Yeah, pretty sure all current mechanisms for rooting require the equivalent of a factory restore on the phone. I’m assuming from Google’s comment that that’s enough to wipe the relevant information (i.e. nothing useful is stored in the user’s personal data area and preserved after the process).

        • Triplanetary

          Yes and no. Some devices can be rooted without wiping the phone – it essentially just requires putting the su file in the proper location – but Google’s statement is true for every device that currently supports Google Wallet, ie, the Nexus S and Galaxy Nexus. Rooting one of those phones requires unlocking the bootloader, and for this very reason (security), unlocking the bootloader automatically performs a factory reset on the phone.

          So yeah, what Google said. Not universally true, but in practice true.

  • http://htcsource.com Nick Gray

    I’m still using my G2 as my daily driver, but I’ve rooted every Android phone I have owned. To me, root access is more important than Google Wallet. Then again, I could change my mind once I get a phone which supports NFC.

  • Anton Spaans

    When you use google wallet, you’d have to look at your phone as a wallet. If you lose your wallet (or your phone with google wallet), you lose money.

    However, your regular wallet doesn’t have any lock at all.. no hacking needed, just open it. The money in your regular wallet is likely lost unless it’s found and returned to you.

    The money in your google wallet could be retrieved again by you when you contact the creditcard provider of the card(s) tied to your google wallet.

    As long as you don’t have too much money on your google wallet’s credit cards, the risk is minimal. But it is always good to be aware of these security issues.

  • spazby

    Ouch google

  • raichleb

    Would someone hack mine please? I installed it at Christmas while visiting my son in Virginia. But now that I’m back in south Alabama, and there is no place to use it, I can’t remember my PIN.

    • http://droidsamurai.blogspot.com DroidSamurai

      You can just reset the data. You will be asked to re-activate the whole wallet from scratch and enter a new PIN.

  • Jorge Vieira

    uh bad but not that bad people choose to ROOT there phones these are the consequences.

  • http://droidsamurai.blogspot.com DroidSamurai

    Even without this vulnerability, I found it insecure to punch in my PIN in public. People behind me can clearly see what I enter. Couldn’t Google make it to do a Face Unlock?

    • http://htcsource.com Nick Gray

      Because we all know how secure face unlock is.

  • curiousgeorge

    I wonder if the moneto app has the same issue.

  • KennyL

    Meh…I think this is not an issue for most people. Just install a mobile security app, lock your phone and don’t lose it.

  • thekaz

    I am pretty sure my checkbook (yeah, I still have one of those) has a vulnerability, as well. If someone steals that, or I leave it somewhere, I am screwed…

  • yankeesusa

    This is not good but its not as bad as it looks. Most people arent rooted and if your rooted your most likely smart enough to use a lock on your phone and have other features for security.

  • greeny42

    My real wallet has root access (I can customize it at will). That wallet is also vulnerable to a brute force attack. If taken, they’ll get all my cash, credit cards, and important IDs! However, I’m not too afraid to stop carrying that around. Why is this different?

  • honourbound68

    wasn’t there a story a few months back about verizon not wanting to support google wallet? i wonder if they “knew” about this?

    • thekaz

      you are giving Verizon too much credit for caring about their customers.

  • Max.Steel

    You root your phone, tough shit. Those are the consequences.

    • Triplanetary

      Please. That’s like dismissing the danger of car accidents by saying, “You drive a car, tough shit. Those are the consequences.” Technically true, but it’s a meaningless statement. Yes, you should absolutely consider the potential risks and consequences before you root your phone (as you should before you drive a car). But it wouldn’t make any sense to discourage companies from making cars safer by just saying, “Bah, they knew the risks before they get into a car.”

  • Nathan D.

    good thing I don’t use it yet, hopefully this can get patched

  • http://None Javier Bastardo

    Even if I had the phone, there’ s no place to use the service on my country, so I’m happy they find out about this now, I’ll just have to wait my 5 years to get the phone here, and another 25 for the service to be available on my country :-/

  1. Such security breaches are always a risk with rooted phones. But it’s worth the risk!

  2. Everyone should use a screen lock, even if you don’t have anything to hide.

  3. somebodyGuest 3 years ago

    Couldn’t a potential, “hacker” just root an unrooted phone to gain access? Im rooted and have Google wallet, but im not worried.

    • That’s what I originally thought too, but according to Google’s’ statement “To date, there is no known vulnerability that enables someone to take a consumer phone and gain root access while preserving any Wallet information such as the PIN.”

      Anyone care to prove them wrong?

      • Yeah, pretty sure all current mechanisms for rooting require the equivalent of a factory restore on the phone. I’m assuming from Google’s comment that that’s enough to wipe the relevant information (i.e. nothing useful is stored in the user’s personal data area and preserved after the process).

        • Yes and no. Some devices can be rooted without wiping the phone – it essentially just requires putting the su file in the proper location – but Google’s statement is true for every device that currently supports Google Wallet, ie, the Nexus S and Galaxy Nexus. Rooting one of those phones requires unlocking the bootloader, and for this very reason (security), unlocking the bootloader automatically performs a factory reset on the phone.

          So yeah, what Google said. Not universally true, but in practice true.

  4. I’m still using my G2 as my daily driver, but I’ve rooted every Android phone I have owned. To me, root access is more important than Google Wallet. Then again, I could change my mind once I get a phone which supports NFC.

  5. Anton SpaansGuest 3 years ago

    When you use google wallet, you’d have to look at your phone as a wallet. If you lose your wallet (or your phone with google wallet), you lose money.

    However, your regular wallet doesn’t have any lock at all.. no hacking needed, just open it. The money in your regular wallet is likely lost unless it’s found and returned to you.

    The money in your google wallet could be retrieved again by you when you contact the creditcard provider of the card(s) tied to your google wallet.

    As long as you don’t have too much money on your google wallet’s credit cards, the risk is minimal. But it is always good to be aware of these security issues.

  6. Would someone hack mine please? I installed it at Christmas while visiting my son in Virginia. But now that I’m back in south Alabama, and there is no place to use it, I can’t remember my PIN.

  7. uh bad but not that bad people choose to ROOT there phones these are the consequences.

  8. Even without this vulnerability, I found it insecure to punch in my PIN in public. People behind me can clearly see what I enter. Couldn’t Google make it to do a Face Unlock?

  9. curiousgeorgeGuest 3 years ago

    I wonder if the moneto app has the same issue.

  10. Meh…I think this is not an issue for most people. Just install a mobile security app, lock your phone and don’t lose it.

  11. I am pretty sure my checkbook (yeah, I still have one of those) has a vulnerability, as well. If someone steals that, or I leave it somewhere, I am screwed…

  12. This is not good but its not as bad as it looks. Most people arent rooted and if your rooted your most likely smart enough to use a lock on your phone and have other features for security.

  13. My real wallet has root access (I can customize it at will). That wallet is also vulnerable to a brute force attack. If taken, they’ll get all my cash, credit cards, and important IDs! However, I’m not too afraid to stop carrying that around. Why is this different?

  14. wasn’t there a story a few months back about verizon not wanting to support google wallet? i wonder if they “knew” about this?

  15. You root your phone, tough shit. Those are the consequences.

    • Please. That’s like dismissing the danger of car accidents by saying, “You drive a car, tough shit. Those are the consequences.” Technically true, but it’s a meaningless statement. Yes, you should absolutely consider the potential risks and consequences before you root your phone (as you should before you drive a car). But it wouldn’t make any sense to discourage companies from making cars safer by just saying, “Bah, they knew the risks before they get into a car.”

  16. good thing I don’t use it yet, hopefully this can get patched

  17. Even if I had the phone, there’ s no place to use the service on my country, so I’m happy they find out about this now, I’ll just have to wait my 5 years to get the phone here, and another 25 for the service to be available on my country :-/