Feb 15 at 12:23 PM, Taylor Wimberly

Zvelo takes issue with latest Google Wallet update, says service still vulnerable


The Google Wallet drama is far from over. Late last night Google emailed me to inform everyone that they have restored the ability to issue new prepaid cards to the Wallet. Google also issued a fix that prevents an existing prepaid card from being re-provisioned to another user.

Literally an hour after Google notified me of their changes, the security firm Zvelo, who pointed out the first security vulnerability in Google Wallet, contacted us to say that they still take issue with Google’s comments.

Specifically, Google has stated, “To date, there is no known vulnerability that enables someone to take a consumer phone and gain root access while preserving any Wallet information such as the PIN.”

If you read Zvelo’s new article, you will see the disagreement. They claim that the latest Android OS available for the Samsung Galaxy Nexus is 4.0.2 (ICL53F), which uses a Linux kernel that has a known vulnerability (CVE-2012-0056) that allows a malicious app to gain root access.

More troubling, they say that physical access to a device is no longer required to reach Google Wallet data, including the user’s PIN, which can be brute-force cracked as described in the original hack. They claim a malicious app could use the exploit to gain root access remotely (where there was none previously) and send Google Wallet data to a remote server.

Hopefully Google will address this vulnerability with another update to the Google Wallet app or with a firmware update to the Android OS. We have seen that Google was internally testing Android 4.0.4, but it has been rumored that Android 4.0.5 will be the next version that is pushed out to consumer devices in March.

As always, the best thing you can do to protect your Android device is to use a secure lock screen and only install apps from the official Android Market. Google has their own service called Bouncer that patrols the Android Market and removes malicious apps, but it never hurts to have an added layer of protection like Lookout Security.

It should be noted that we are not aware of any abuse of prepaid cards or the Wallet PIN resulting from these recent reports.

Google also reminds us that just like with any other credit card, you can get support when you need it. They provide toll-free assistance in case someone manages to make an unauthorized transaction or you lose your phone.

We have reached out to Google to see if they will address Zvelo’s latest claims and will update this story when we receive a response.

Via: Google Commerce

Source: Zvelo

Taylor is the founder of Android and Me. He resides in Dallas and carries the Samsung Galaxy S 4 and HTC One as his daily devices. Ask him a question on Twitter or Google+ and he is likely to respond.


  • txbluesman

    I still have faith in this app and will keep using it. I lock screen, get all my apps from the “Android Market” and use Lookout, just as you noted Taylor. Thanks for this updated info.

    • professandobey

      Same here except that I use Avast!

  • KenG

    This bug is overblown. If you lose your phone, just like when you lose your physical wallet, the last thing you’re worried about is the cash in it. The bigger issue is replacing the phone and the information inside it. If you’ve lost your wallet, sure, you’d like the money back, but what really worries you is the lost credit cards and driver’s license and other ID that is a hassle and a bigger potential loss.

    • SuperAndroidEvo

      See but it’s not a bug it’s a flaw. That means that it can happen, so Google needs to address this. This is people’s money we are talking about. If Google wants Google Wallet to be mainstream this issue has to be treated seriously. People won’t embrace Google Wallet if this type of press keeps happening.

      I have faith in the app but I am not going to use it until this is fixed. There is risk in using Google Wallet right now so to me it’s a risk that I can live without. Better be safe than sorry. I will wait to use Google Wallet once it’s correct & works as it’s intended. To me working as intended means protection of private information also.

      Google will fix this & this will be just some growing pains!

      • Flyerwire

        Do you carry around a wallet with credit cards in it?

        Infinitely less secure and much more at risk than using Google Wallet.

        • AsakuraZero

          true plus is a hassle to order the cards again haha.

          anyways the good thing is…

          google is taking this seriously, at least they are not overlooking it, they are not as bad as apple in patching up things like this.

          the bad thing,

          they patched it up once, and there are easy to spot flaws (for those who know their business ).

          but as the article says, COMMON SENSE helps a lot in security, in real life and in the technology one too

          • honourbound68

            That’s what I love about Google. They will fix problems. Their actions build good will for the end-user. I still use my GWallet too. I can’t wait for it to be accepted everywhere so I won’t have to bring my credit cards any longer.

        • M0nk

          Totally agree. It’s very easy to clone a credit card. You only need to take 2 pictures to do online transactions and a magnetic card reader / writer to do it in a store. One of the most common crimes these days.

        • SuperAndroidEvo

          No not really, there is no malware app for my actual wallet. I have had my wallet for years & no one has ever made a malware app to attack it. You know why? BECAUSE it can’t go online or download anything. It’s completely analog.

          Nice try though! lol

          Yeah INFINITELY less secure. Riiiiiiiiiight! lol

          If you are connected to the web, you are at risk! PLAIN & SIMPLE!

          • http://droidsamurai.blogspot.com DroidSamurai

            There’s something called a thief, or a robber. Malware attacks your app, a thief/robber attacks you.

          • SuperAndroidEvo

            This is for DroidSam,

            It’s going to take a lot more effort for a thief/robber to get my wallet because I can at least fight them off unless they have a gun or some weapon. Also if I do get robbed, the very next thing I am going to do is call my bank & credit card companies to stop all transactions.

            With malware the only way you will know if something went down is if you check your accounts on a daily basis or if you have a reputable credit card company that will send you an alert of any suspicious charges/purchases.

            So again it’s way easier to get your personal information, money or whatever online/the web than by the old school way of thievery/robbing.

            So nice try to you also! lol

            The fact of the matter is that cyber crimes are becoming more prevalent than actual old school types of thievery/robberies. Welcome to the 21st century. This isn’t your grandfather’s century! Times have changed, if you really think the internet is safe you are a total fool. Cyber crimes are on the rise whether you want to believe it or not. That is FACT!

      • esper256

        There’s no risk. Your credit card info is stored in the secure element of the NFC chip. It is not even accessible to root processes on the phone. In order for a hacker to spend YOUR money you would have to have the following happen.

        A) Not set a lock screen password
        B) Install an OS build NOT from Google that allows apps with root privs to run.
        C) Lose your phone
        D) Hacker finds phone
        E) Hacker is savvy enough to try an exploit
        F) Hacker brute forces through 4 digit PIN (really, this is like saying someone broke into your house through a tin foil door. It’s meant to keep kids out of your wallet.)
        G) Through ALL THIS you fail to call Google Wallet and inform them of the loss of your phone.
        H) Hacker can spend money on your phone. Of course they should also be worried about getting caught using a stolen phone if you had reported it. So would they even risk trying it?

        • SuperAndroidEvo

          If there is no “risk” then why is this all over the news? The “risk” is real that is why we are even talking about this in the first place.

          You could not be any more wrong in your assessment on the issue.

          People have done this as reported, people have hacked into the CIA, Pentagon, the Army, and so on and so forth. You really don’t think that those same types of people could do some serious damage to Google Wallet if it ever got mainstream. That is why Google is trying to fix this because they want this to become mainstream.

          I want Google Wallet to work, but I want it to be as safe as it can be. I know nothing is 100% safe but it should be a little bit better protected. Once I feel like it is then I will most definitely use it. I have used it & it works extremely well. I just want to feel safer when I use it. I stopped because of all this news floating around! Better be safe than sorry.

          • esper256

            It’s over the news because news journalists are not security experts or software engineers. It’s in the news because someone published a video of brute force cracking a 4 digit PIN and journalists don’t understand what that means. To someone who is a software engineer. We shrug and go, “So?”. It’s like someone posting a video of someone climbing into a house through an open window. It’s not *meant* to be the layer of security. The OS is meant to be the layer of security.

            If you don’t think so remember this:

            Running underneath Android is the linux kernel with the linux security model, which is the same security running a huge number of services in datacenters around the world that house way more important things than your wallet app install (which doesn’t even contain your credit card info).

            It’s still way more secure than all mainstream payment methods. It’s just NOT an issue. I know you can’t see it. But it’s not. There was a real issue earlier with the pre-paid cards. That was fixed.

  • thekaz

    So what’s the newest version of wallet, so I can tell if my g-nex updated correctly..?

    • txbluesman

      Version 1.1-R48v4

  • greeny42

    Used wallet yesterday. Not afraid.

  • jsweetser2

    This ‘it’s possible’ stuff is getting slightly out of hand. Is it possible to download a file to my phone which could send information to some guy who uses it to root my phone and wait for me to use my $10 pre paid wallet account so he can steal it away and laugh out loud?


    Am i worried about it?

    no. First off, it’s Google. If any significant damage came from a product they ran, i’m pretty sure they’d recover said damage back to me.

    Second, this technology is still so minuscule in its application here in America that no sane person would even take the time to put the effort into cracking Google Wallet to make any money. Go to Asia on the other hand, where NFC has been around a long time to the point where even vending machines have the technology, it could be more of an issue.

  • karim

    $100 says the iPhone 5’s NFC payment system is called iWallet

  • spazby

    Not worried, as many have noted, a regular wallet is far less secure than this one…

  • Max.Steel

    I wouldn’t be surprised if Zvelo is being secretly sponsored/funded by Apple to taint Wallet. They are probably planning on releasing their own version of Wallet in the near future.

    • professandobey

      Or Zvelo is connected to Isis, and this is the carriers throwing a fit that their NFC monopoly is facing competition.

      • Joshua Rubin

        Very amusing, I promise, I am not trying to hurt wallet, just make it as good as it can be. I am a big Google and Android fan. Definitely not connected to Isis either, but will certainly be looking at their product when it is available.


        • Joshua Rubin

          I am happy to take questions about this issue too. Some of the commenters here are spot on about the reporting. Sometimes it has been very good, other times the reporters miss the security implications.