Google responds to Wallet vulnerability, recommends not installing on rooted devices
Yesterday, a Google Wallet vulnerability was announced. The vulnerability allows an attacker to quickly crack the 4-digit Google Wallet PIN that is used to protect users against unauthorized purchases. Cracking one’s Google Wallet PIN is only possible if two things are true:
- A phone must be rooted
- A phone must not have some sort of lock screen security enabled
If both of the above prerequisites are true, an attacker still needs physical access to your phone, and can then install an application that reveals your 4-digit Google Wallet PIN. The attacker can then use your phone and Google Wallet to make purchases.
While Google is aware of the issue and is presumably working on a resolution, it offered the following statement to The Next Web:
“The zvelo study was conducted on their own phone on which they disabled the security mechanisms that protect Google Wallet by rooting the device. To date, there is no known vulnerability that enables someone to take a consumer phone and gain root access while preserving any Wallet information such as the PIN.
“We strongly encourage people to not install Google Wallet on rooted devices and to always set up a screen lock as an additional layer of security for their phone.”
Basically, Google is recommending that you not use Google Wallet on rooted devices, if you’re that paranoid. If it really bothers you that much, then you should take Google’s recommendation. For the rest of you running stock Android and using Google Wallet, you have nothing to worry about.
Source: The Next Web