The Google Wallet drama is far from over. Late last night Google emailed me to inform everyone that they have restored the ability to issue new prepaid cards to the Wallet. Google also issued a fix that prevents an existing prepaid card from being re-provisioned to another user.
Literally an hour after Google notified me of their changes, the security firm Zvelo, which pointed out the first security vulnerability in Google Wallet, contacted us to say that they still take issue with Google’s comments.
Specifically, Google has stated, “To date, there is no known vulnerability that enables someone to take a consumer phone and gain root access while preserving any Wallet information such as the PIN.”
If you read Zvelo’s new article, you will see the disagreement. They claim that the latest Android OS available for the Samsung Galaxy Nexus is 4.0.2 (ICL53F), which uses a Linux kernel that has a known vulnerability (CVE-2012-0056) that allows a malicious app to gain root access.
More troubling, they say that physical access to a device is no longer required to obtain Google Wallet data, including the user’s PIN, which can be recovered by brute-force cracking as described in the original hack. They claim a malicious app could use the exploit to gain root access remotely (where there was none previously) and send Google Wallet data to a remote server.
Hopefully Google will address this vulnerability with another update to the Google Wallet app or with a firmware update to the Android OS. We have seen that Google was internally testing Android 4.0.4, but it has been rumored that Android 4.0.5 will be the next version that is pushed out to consumer devices in March.
As always, the best thing you can do to protect your Android device is to use a secure lock screen and only install apps from the official Android Market. Google has their own service called Bouncer that patrols the Android Market and removes malicious apps, but it never hurts to have an added layer of protection like Lookout Security.
It should be noted that we are not aware of any abuse of prepaid cards or the Wallet PIN resulting from these recent reports.
Google also reminds us that just like with any other credit card, you can get support when you need it. They provide toll-free assistance in case someone manages to make an unauthorized transaction or you lose your phone.
We have reached out to Google to see if they will address the latest claims of Zvelo and will update this story when we receive a response.