Android Hack Exposes Google Wallet PIN On Demand


Like most hacks, this discovery of a way to find an Android phone’s Google Wallet PIN requires a lot of initial access but is disturbing nonetheless. Google knows about the hack and is repairing it. Discovered by Joshua Rubin of Zvelo, the hack is one of the most interesting attacks on Google Wallet so far.

In short, this hack allows access to credit card data and purchase history and could, in theory, allow a hacker to use a Google Wallet freely in the wild. However, it does require the hacker to have unfettered root access to the phone. Using a small program, the exploit simply brute-forces a file found in the phone, thereby revealing the PIN and unlocking the wallet.

Again, the hack requires a rooted Android phone – a state that is trivial to achieve if your phone is stolen – and a bit of know how. Rubin recommends:

Do Not “Root” the Cell Phone – Doing so will be one less step for a thief.
Enable Lock Screens – “Face Unlock,” “Pattern,” “PIN” and “Password” all increase physical security to the device. “Slide,” however, does not.
Disable USB Debugging – When enabled, the data on mobile devices can be accessed without first passing a lock screen challenge unless Full Disk Encryption is also enabled.
Enable Full Disk Encryption – This will prevent even USB Debugging from bypassing the lock screen.
Maintain Device Up-To-Date – Ensure the device is current with the latest official software. Unfortunately, users are largely at the behest of their carrier and cell phone manufacturer for this. Using only official software and keeping devices up-to-date is the best way to minimize vulnerabilities and increase security overall.

Google recommends that anyone with Google Wallet call their toll-free support line at 855-492-5538 to ask that their prepaid card be disabled. They also recommend setting a lock screen.

UPDATE – Google responded, reminding folks that they don’t support Google Wallet on rooted phones and that:

“The zvelo study was conducted on their own phone on which they disabled the security mechanisms that protect Google Wallet by rooting the device. To date, there is no known vulnerability that enables someone to take a consumer phone and gain root access while preserving any Wallet information such as the PIN. We strongly encourage people to not install Google Wallet on rooted devices and to always set up a screen lock as an additional layer of security for their phone.”