
Google Comments on Google Wallet Root Vulnerability, Another Supposed Non-Root Security Issue Arises

If you missed yesterday’s story about a security vulnerability in Google Wallet for rooted users, please check it out here. For those who are up to speed, we wanted to make sure you saw Google’s statement to The Next Web, which acknowledges that this issue exists only on rooted phones. Not to downplay yesterday’s report, but again, this really only applies to those who root their phone, leave it unprotected at the lock screen, and then lose it or have it stolen. The chances of all three of those things happening are pretty slim, let alone expecting the person who steals it to know about zVelo’s secret PIN-collecting app. Just sayin’.

Here is the full statement:

The zvelo study was conducted on their own phone on which they disabled the security mechanisms that protect Google Wallet by rooting the device. To date, there is no known vulnerability that enables someone to take a consumer phone and gain root access while preserving any Wallet information such as the PIN.

We strongly encourage people to not install Google Wallet on rooted devices and to always set up a screen lock as an additional layer of security for their phone.

Issue addressed, although we aren’t seeing any mention of the fix that zVelo suggested yesterday.

In related news, another story popped up today suggesting that Google Wallet is vulnerable even if you aren’t rooted. In a way, this report is correct. If you have Wallet installed, you can open its application settings page and tap “Clear data.” The next time you open it, you will be asked to set up the app again, including a new PIN, because the PIN only ever lived in the app’s local data that you just cleared. If you then select a Google Prepaid card, Wallet adds the card previously associated with the selected Gmail account and the device’s ID, with no further authentication. So someone could steal your phone, clear data on the app, relaunch it, set their own PIN, and access the funds you had added to a Google Prepaid Card. Sounds bad, right?

For the third time, this only affects those who have lost their phone or had it stolen and who have chosen to leave it without a lock screen. But we should also point out that clearing data on the app won’t give the thief access to any credit cards you previously added. If the app’s data is cleared, all credit cards have to be set up again from scratch, card details and all, so the only thing exposed here is Google Prepaid funds that are attached to your Google account.

And remember that each time you set up Wallet and add a prepaid card, an email is sent to your Gmail account. So if you lose your phone and see a new Wallet email, call and have the service shut down on your phone so that your funds are preserved. Bear in mind that an unlocked phone also hands the thief that Gmail inbox, so check it from another device and change your Google password while you’re at it. Most of you would probably do this anyway if your phone was jacked.
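To make the “Clear data” flow concrete, here is a small model of it written for this post; it is not Google’s code and not zVelo’s. It models what the post describes: the PIN is a client-side gate that lives in app data the thief can wipe, while the prepaid balance is held server-side and re-attached purely by (Google account, device ID). The hardened variant is an assumed design, not Google’s actual fix: the server keeps a PBKDF2 verifier for the PIN and refuses to re-attach prepaid funds until the original PIN is presented. The account name, device ID, balance and PIN values are constructed sample data.

```python
# Added example for this post (not Google's or zVelo's code): a model of the
# "Clear data" re-provisioning flow. Account/device IDs, balances and PINs are
# constructed sample values; the server-side PIN check is an assumed hardening.
import hashlib
import hmac
import os

PBKDF2_ROUNDS = 20_000  # assumption: any slow, salted hash would do for the model


class PrepaidServer:
    """Server side: prepaid balances keyed by (account, device_id), as the post describes."""

    def __init__(self):
        self.balances = {}        # (account, device_id) -> cents
        self.pin_verifiers = {}   # account -> (salt, digest); hardened variant only
        self.emails = []          # notification sent to the Gmail account on every setup

    def fund(self, account, device_id, cents):
        self.balances[(account, device_id)] = cents

    def register_pin(self, account, pin):
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, PBKDF2_ROUNDS)
        self.pin_verifiers[account] = (salt, digest)

    def verify_pin(self, account, pin):
        salt, digest = self.pin_verifiers[account]
        candidate = hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, PBKDF2_ROUNDS)
        return hmac.compare_digest(candidate, digest)

    def attach_prepaid_weak(self, account, device_id):
        """Flow the post describes: re-attach on account + device ID alone."""
        self.emails.append(f"{account}: Google Prepaid Card set up on {device_id}")
        return self.balances.get((account, device_id), 0)

    def attach_prepaid_hardened(self, account, device_id, pin):
        """Assumed fix: the PIN is verified server-side before funds are re-attached."""
        if not self.verify_pin(account, pin):
            self.emails.append(f"{account}: failed prepaid setup attempt on {device_id}")
            raise PermissionError("PIN required to re-attach prepaid funds")
        self.emails.append(f"{account}: Google Prepaid Card set up on {device_id}")
        return self.balances.get((account, device_id), 0)


class WalletApp:
    """Client side: app_data is exactly what the Settings 'Clear data' button wipes."""

    def __init__(self, account, device_id):
        self.account = account
        self.device_id = device_id
        self.app_data = {}

    def setup(self, pin, credit_cards=()):
        self.app_data = {"pin": pin, "credit_cards": list(credit_cards), "prepaid": 0}

    def clear_data(self):
        self.app_data = {}

    def unlock(self, pin):
        """Local PIN gate; it only exists while app_data still exists."""
        return bool(self.app_data) and hmac.compare_digest(self.app_data["pin"], pin)


def thief_reprovisions(server, app, hardened, guessed_pin="0000"):
    """A thief holding the unlocked phone clears data, sets a fresh PIN and re-adds
    the prepaid card. Returns (prepaid_cents, credit_cards_recovered)."""
    app.clear_data()
    app.setup(pin="1234")  # thief picks a new PIN; the old one vanished with app_data
    if hardened:
        cents = server.attach_prepaid_hardened(app.account, app.device_id, guessed_pin)
    else:
        cents = server.attach_prepaid_weak(app.account, app.device_id)
    app.app_data["prepaid"] = cents
    # Credit cards are never restored: they must be re-entered from the physical card.
    return cents, app.app_data["credit_cards"]


def demo():
    """Returns (weak_cents, cards_recovered, hardened_cents, emails_sent)."""
    server = PrepaidServer()
    owner = WalletApp("victim@gmail.com", "device-abc123")  # constructed identities
    server.register_pin(owner.account, "8675")
    owner.setup(pin="8675", credit_cards=["visa-****1111"])
    server.fund(owner.account, owner.device_id, 2500)       # $25 on the prepaid card

    weak_cents, cards = thief_reprovisions(server, owner, hardened=False)
    try:
        thief_reprovisions(server, owner, hardened=True)
        hardened_cents = None
    except PermissionError:
        hardened_cents = 0
    return weak_cents, cards, hardened_cents, len(server.emails)


if __name__ == "__main__":
    print(demo())
```

In the weak flow the thief walks away with the full $25 and the owner gets one email, which is only useful if the owner reads it from a device the thief does not hold. The hardened flow stops the re-attach, but a four-digit PIN has only 10,000 values, so the server would also need online rate limiting and lockout on failed attempts; the model does not include that, and a real design should.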

I know it sounds like I am downplaying both issues, but they really aren’t all that scary, and they are the kind of problems that arise whenever any unlocked phone is stolen, Google Wallet or not. They make great headlines though.

Cheers Nyko!

  • Check out my review of Google Wallet after 2 weeks of implementing the service here: http://stackoverflow.com/questions/9322519/is-it-too-soon-to-start-implementing-google-wallet

  • Shugaman

    I just laugh…..you have a quality Nexus on big red….and people are crying about G Wallet….seriously….if you “NEED” it that bad, drop big red and go to those other *hitty cheap carriers and get the “pure Google with Wallet” you have to have…….This is very simple: you either can’t afford big red or have bad credit and can’t get big red. Otherwise you are just dumb not to get big red and their network……

  • Shugaman

    Everybody is making jokes now, but it is funny. I remember all of you pissed at big red about G Wallet on the VZW Nex……now look….Said it all along, Android is cool and all, but you seriously trust Google/Android to make “SECURE” mobile G Wallet payments? Seriously? Good luck with that….

    Went to a casino a few weeks ago with my Google phone, and all of a sudden every f&^%ing ad on my phone was about gambling and casinos after that. Android is cool, people, don’t make it the end-all be-all.

    Use smartphones smartly…..some get that and some don’t….for those who don’t, good luck with having to have Google Wallet to be happy….I love my big red Galaxy Nexus with no Wallet just fine!

    Just saying…..

    • Yourmom

      Those ads are because you checked a box that allows Google to detect your location and base ads on it.

  • Chris G

    I am stock rooted for WiFi tether, which I use in emergencies or as a last resort. I will not undo that. I did install Wallet the other day when it was first released, as I believe in the tech.

    Most here are saying to get a remote wipe. Doesn’t the phone have to be powered on for that? Smartphone batteries don’t even last a day, so the window is tight even if you lost a fully charged device.

    Willing to be proven wrong here.

    • TC Infantino

      I am not sure about all the different security apps, but Lookout will work once the phone is powered on again.  If your phone is stolen and you use your computer to lock and wipe the phone, if the phone is off it won’t do anything until it is powered back on and has a network connection.  Once the stolen phone receives connection the Lookout app will connect to their servers and receive the command to lock and wipe the phone. 

  • They need to pull this app ASAP. This is BAAAAAAAAAAAAAAAAD

  • If you’ve lost your phone, it’s pretty easy for someone to buy tons of music/apps on your dime, access your email, etc. How far do we want to take this vulnerability?

    If you put critical information on your phone, Don’t Lose Your Phone!

    • TC Infantino

      Or, considering that most use their smartphones for damn near everything anymore, just get a security app like Lookout that allows remote wipe of your phone.  Simple as that.  And if it turns out that you only misplaced the phone and then find it, you aren’t out anything more than taking the time to set up the phone again.

  • Anonymous

    I have tried using Google Wallet twice now, on different ROMs (with a wipe in between), and it hasn’t worked. I have only tried it at one particular place, twice, so I plan to try it elsewhere and see what happens. I am wondering if the place I tried it at is just messed up… I dunno. The phone recognizes it properly and says sending… then it kind of stops and starts the process again as if the receiver isn’t getting the data from my phone. Anyone else experience this?

    • Lakerzz

      I use it just about every day. I am currently on AOKP 21. I used it while stock rooted as well. There have been a couple of times where I had to “swipe” again for it to go through, but that’s it. I also noticed that sometimes the clerk/cashier doesn’t know what the eff I am doing, and gets scared. THEY then cancel the transaction, and say that it didn’t work. I love it!! The only thing I use my REAL wallet for now is to carry a spare battery, and conde…well, you know what I mean!!

    • This happened to me when I first installed AOKP M3 (from a previous build). I tried a full wipe and reinstall, and it happened again, but when I deleted my M3 file and downloaded it again, did a full wipe, it fixed the problem, so I think it was user error on my part. Back to working fine now.

  • Your money is still more secure when contained in Google Wallet than as cash or credit card in a physical wallet. 

  • This might be scary if I’d ever even had an opportunity to use GW. The fact is that I haven’t.

  • Anonymous

    Make a master backup of your phone in Clockwork or your recovery of choice. Save it to your home computer. Install SeekDroid. Lose your phone, remote wipe, get your replacement, toss on your backup… what lost phone?

  • Kris Brandt

    If you lose your phone, change your passwords.  Case solved.

  • Anonymous

    I’ve thought about this second issue before, especially in regards to the Market, and parental filters and stuff. There’s absolutely nothing to stop a child or anyone from clearing the Market data, then going back in, clicking “yes” to log in as the Google account already on the phone, and buying or accessing stuff they shouldn’t. The PIN protection on something like that is a joke.

  • This really is downplayed way more than it should be. This is a major security issue for Google. And they should be treating it as such.

    • Anonymous

      Not really. In fact it’s more secure than an ordinary credit card. If you lose your wallet then you’re screwed; all you can do is call the number on the back of the credit card that you lost and cancel it. On the other hand, if your phone gets lost all you have to do is change your password, as r0lct pointed out, and you’re fine. Or remote wipe your phone. Either way it’s better off than a traditional credit card.

      • Exactly, it’s not remotely accessible by a thief; it is the same as losing your wallet. Except you can have an extra layer of protection with a PIN to unlock the phone itself and add even another PIN to protect with the paid version of SU, as Brock stated. As the old cliche goes, you have no problem handing your card to that waiter who could take 5 seconds to copy down your number.

        • TC Infantino

          That is perfectly put. I know someone who worked at a local lumber yard who got nailed for that; think he stole around 50 CC numbers before he got caught.

      • Exactly. If you lose your phone, you have to factor in the chances that a bad person is also aware the phone has Google Wallet AND has the knowledge to run the hack for it. I’m putting this at a 1 in 100,000 chance.

    • Jakers

      First off, nice display pic. Second, it’s “downplayed” because it’s still not as bad as carrying around a pocket full of plastic.

  • Microsoft is working on their “Google Wallet steals your money and gives it away to criminals” ad campaign as we speak.

    • And Apple is working on the lawsuit claiming Microsoft stole their idea. LOL.

      • EC8CH

        And RIM is working on…………..

        What is RIM working on?

        • Anonymous

           that just about says it all

        • Going Bankrupt?

        • Heard they were working on an android phone

          Droid Pro 2 anyone

          • EC8CH

            gotta luv the Blurberry

        • m

          WTH is RIM? lol. It’s dead.

  • Anonymous

    In other news, thieves can also steal your credit cards from the wallet in your back pocket…. move along nothing to see here.

    • ThatGuy

      But you don’t usually take your wallet out in crowded streets where it can be snatched. People are going to have to learn to guard their phones much better if (mainly when) NFC with its possible vulnerabilities takes off.

      • Actually there are some devices that can steal the information off many newer credit cards by bumping into you on the street without even having you take it out. 

  • EC8CH

    Why do I have a feeling ISIS is behind all these stories pointing out Google Wallet vulnerabilities?

    • Anonymous

       I think Sterling Archer has better things to do.

      • EC8CH

        well played

      • Anonymous

        We call him Duchess 

        • JonnyRock

          Oh hell yes, this is on tonight!

  • Anthony Armando

    And if a phone doesn’t have a lock-screen installed people can make market purchases too. They can buy music/videos/books and even apps then copy the apk.


  • Brock Overcash

    For the record, if you purchase the donate version of the Superuser app by ChainsDD, there are security settings for approving rooted apps. You can set a PIN that is required every time you need to approve an app, or even go as far as to require an NFC chip to be able to authorize root permissions.

  • Anonymous

    If you lose your Android phone and don’t have a lock screen (or even if you do) and don’t change your Google account password immediately, you are an idiot. Therefore the amount of time for someone to exploit this should be relatively short, unless you go a long time without noticing your phone is gone.
    If you’re really concerned, use their two-factor authentication; it’s actually quite straightforward and only a pain to set up initially, not to use.

  • tjmonkey15

    Yep, Google Wallet is still frickin awesome.

  • Anonymous

    What happens if your real wallet is stolen? They also gain access to your credit cards!!!!
    Let’s not get too skeptical all because of technology!!!

    • Exactly, Google Wallet is MUCH more secure than traditional forms of payment.

    • This is more like someone stealing your wallet with your PIN written on your debit card.

      • Anonymous

        Well, if you use the same PIN for your credit card, yes, you are right. Otherwise not really! Just a PIN to some software.

  • Nakouro28

    It is a gazillion times more likely that someone steals your credit card and uses it. By the time the thieves realize how to use your phone to pay, they would get caught.

    • QtDL

      So true. Criminals are dumb. The criminal would have to be another Nexus nerd to be able to figure out how to do all that. 🙂

  • Anonymous

    Well, if someone took my phone and I didn’t have remote wipe or a lock on it, I’d have other problems too–they could do a password reset on any number of accounts linked to my phone, confirm the reset through my email, and then change the email associated with the account, blocking me out of the account. So yes, lock your phone and get a 99 cent remote wipe app.

    • Xfloggingkylex

      AndroidLost does it for free.  In addition to being able to send messages, activate text to speech (so you can say something like “hey buddy, call can I get my phone back?”), ping GPS for a location, remote wipe of phone and SD card.