According to malware analytics group zVelo, Google Wallet PINs may be vulnerable if your phone is rooted. From their research and the video demo below, you will see that a simple .apk installed onto a rooted phone can access PIN information, opening up your Wallet app to intruders should your phone fall into the wrong hands. The chances of that happening are obviously incredibly low, but we thought that you should all be aware of the situation.
zVelo was kind enough to contact Google ahead of this report and confirmed that this vulnerability does indeed exist. They worked to figure out a fix, which turned out to be moving PIN verification into the SE (secure element) of the NFC chip in your phone. While this is apparently not that big of a deal on the fixing front, it could move the responsibility of PIN protection onto banks rather than Google, something that zVelo is not a fan of.
That was obviously the briefest of summaries. If you would like to read the long version with technical security details, hit up the source link below.
In the meantime, we’ll toss out some ways that you can protect yourself. First, don’t root your phone (like that’s going to happen). Second, don’t lose your phone. Third, if you do plan on losing your phone, use something other than slide-to-unlock to protect your phone. Fourth (and for the 100th time), don’t download shady apps from shady third-party markets that ask for random internet permissions.