(picture from Csmonitor.com)
Red Alert for anyone using Google Wallet on a rooted Android device! Security researchers at Zvelo have discovered a vulnerability in Google Wallet that makes it fairly easy to retrieve your PIN, and they have already put together a cracker app and a video showing how easily a Google Wallet PIN can be revealed. Google has confirmed that the finding is correct, but because it only affects rooted devices, its advice is that anyone with a rooted phone should NOT install Google Wallet.
Whoa! The vulnerability was apparently discovered by digging through Google Wallet's code, using open source resources from Google to reveal its contents. The end result: unique user IDs, Google account information, and the PIN stored as a SHA-256 hex-encoded string. Since we're only talking about a 4-digit PIN here, a simple brute force attack that involves at most 10,000 hash calculations can recover it pretty easily, as you can see in the video at the bottom.
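An added illustration, not code from Zvelo or Google, of why a hex SHA-256 of a 4-digit PIN stops protecting anything once the stored value is readable, and of what a verifier that counts attempts changes; the sample PIN and the verifier class are constructed for this demonstration:

```python
import hashlib
import hmac

# Constructed sample: the app stored sha256(PIN) as a hex string, as Zvelo
# described. The PIN value itself is made up for this demonstration.
SAMPLE_PIN = "4271"
STORED_HEX = hashlib.sha256(SAMPLE_PIN.encode()).hexdigest()

def candidate_pins():
    """Every 4-digit PIN, zero padded: exactly 10,000 candidates."""
    return (f"{i:04d}" for i in range(10_000))

def recover_from_unsalted_sha256(stored_hex):
    """Offline comparison of each candidate against the stored hash.

    Returns (pin, hashes_computed). The bound is 10,000 SHA-256 calls, which
    is why a fast unsalted hash of a 4-digit secret gives no protection once
    the stored value can be read (root on the device, in this case).
    """
    tried = 0
    for pin in candidate_pins():
        tried += 1
        if hashlib.sha256(pin.encode()).hexdigest() == stored_hex:
            return pin, tried
    return None, tried

class AttemptCountingVerifier:
    """Models the property a secure element or any rate-limited check adds:
    the PIN never leaves the verifier and wrong guesses are counted. A salt
    or a slower hash only multiplies the 10,000-hash cost by a constant; an
    attempt cap is what makes exhausting the PIN space infeasible."""

    def __init__(self, pin, max_attempts=5):
        self._pin = pin.encode()
        self._max = max_attempts
        self._failures = 0

    @property
    def locked(self):
        return self._failures >= self._max

    def verify(self, guess):
        if self.locked:
            return False  # locked: every answer is a refusal
        ok = hmac.compare_digest(self._pin, guess.encode())
        self._failures = 0 if ok else self._failures + 1
        return ok

def exhaust_against_counting_verifier(verifier):
    """The same 10,000-candidate search, now against a counting verifier:
    it hits the cap after max_attempts guesses and the PIN stays unknown."""
    for pin in candidate_pins():
        if verifier.verify(pin):
            return pin
        if verifier.locked:
            return None
    return None
```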
Google is reportedly taking the matter very seriously, but its attempts to fix the issue are being slowed down by the need to work directly with the banks. That is essential to addressing the issue, since changing the way the PIN is stored can affect which security agency is responsible for securing it.
To protect yourself against this risk, Zvelo advises that you refrain from rooting your phone, enable your lock screen, disable USB debugging, and enable Full Disk Encryption. Keeping your device up to date with software updates is also essential.
Google's direct response on the subject was:
"The zvelo study was conducted on their own phone on which they disabled the security mechanisms that protect Google Wallet by rooting the device. To date, there is no known vulnerability that enables someone to take a consumer phone and gain root access while preserving any Wallet information such as the PIN.
We strongly encourage people to not install Google Wallet on rooted devices and to always set up a screen lock as an additional layer of security for their phone."
So there you have it folks. Straight from the Big G and the security company that discovered the flaw: "If you have a rooted phone, DON'T INSTALL GOOGLE WALLET. If you have root and Google Wallet running, uninstall it ASAP."
Google is reportedly working on a fix to address this issue, and we'll keep you posted as we receive more information. Until then, check out the video below to see how easy it was to retrieve a Google Wallet PIN on a rooted phone. Seriously guys, as you can see in this video, the PIN can be retrieved in under a minute, so if you're rooted and running this, please stay safe and uninstall it.