can now be compromised on any device - rooted or not. Wallet Cracker, an application developed by Zvelo, can easily unveil your four digit PIN protecting your entire digital wallet. It's a good thing this security firm found the vulnerabilities before a malicious hacker took advantage of them.
Smartphone Champ, has discovered another way to get into a private Google Wallet account, no root required. Technically this is more of a lopphole than a crack, if only because it uses Android's default setting to achieve access. The gist is that all you need to do to wipe the security PIN is to delete the app's stored data via the Settings menu, essentially resetting it to the state it was in when you downloaded it from the Android Market. This is a common Android function and is even recommended sometimes when an app is misbehaving. Wipe the data, re-launch the app, and you (or anyone who has your phone) can access Wallet, associate it with your Google account (without entering a password) and set up a new PIN. Then they can spend the money at any online or retail store that accepts Google Wallet - all without root. Watch as Hashim demonstrates: [youtube Rh1ytHrhj2E] This is a much bigger problem than the previous leak, because anyone with physical access to your phone has the ability to do this quickly and easily. The problem lies with Google Wallet's authentication system: though funds are added into your account and virtually "kept" by Google, the authentication is linked to a single device, not your account. Compare this with any banking app, which keeps your account password connected to your username. Odds are overwhelming that Google will address this loophole very soon. In the meantime, the best way to stay protected while using Google Wallet is to set up a PIN or lock pattern on your device itself - without the PIN or pattern, a thief would have to completely wipe your phone to access any apps or data. [timeline] [via 9to5Google, via AndroidandMe]
recently exposed vulnerability in the Google Wallet app which potential thieves to steal your PIN code if you're running a rooted version of Android. The crack can be applied even after a PIN or password is changed, but again, only on rooted devices. After The Next Web posted the story from the original source, Google itself responded - though there isn't much information on an actual resolution. Essentially, Google reminds users that a stock phone cannot be affected in this manner, and recommends that root users refrain from downloading Google Wallet at all. Here's the full text of their reply:
The zvelo study was conducted on their own phone on which they disabled the security mechanisms that protect Google Wallet by rooting the device. To date, there is no known vulnerability that enables someone to take a consumer phone and gain root access while preserving any Wallet information such as the PIN.We strongly encourage people to not install Google Wallet on rooted devices and to always set up a screen lock as an additional layer of security for their phone.That's a disappointing answer, but not an unexpected one. When you unlock or root a device, you're always running at least some kind of risk, to your hardware, your software, and even your personal data. The possibility that 1) your rooted phone would get stolen by 2) someone with the technical knowledge to pull a similar hack off and 3) the knowledge that both your banking information is on the phone and that it's possible to retrieve it is remote to say the least. Considering the low saturation of NFC payment systems, especially in the US, it would seem that root users just need to do without for now. This isn't the first time that Google has essentially ignored the considerable percentage of Android users who root: there's still no way to legally watch movies or TV shows downloaded from the Android Market on a rooted device. While this is thought to be a measure insisted upon by the various entertainment studios, that doesn't make the refusal of service any less annoying. Even so, it's not Google's responsibility to cover every contingency of every Android modification: If you modify the software on your phone or tablet, you're responsible for any change in functionality or security. That seems like a reasonable position, if at times frustrating one.
Google has announced their plans and system to curb all of that. They are calling it the Android Market Bouncer -- like that guy in a suit standing by the door.
view the passwords of saved WiFi SSDs. The flaw was discovered by the United States Computer Emergency Readiness Team and reported on the Homeland Security website. HTC has responded to the issue on their support website, stating that some of the phones are already fixed through regular security updates. However, some of the phones will need a additional update to be made secure. The manufacturer did not elaborate on which phones are currently safe and which are not.
a bug in HTC's Sense skin that allowed for remote file access on a handful of smartphones, then the whole Carrier IQ debacle, which was demonstrated mostly on HTC's hardware. The latest snafu was uncovered by the United States Computer Emergency Readiness Team, which states that a considerable amount of HTC phones are running flawed software that allows third-party applications access to encrypted WiFi passwords. The US-CERT team published their findings on the Homeland Security website yesterday.
a blog post, noting that while the advertising in question is aggressive, it doesn't meet the definition of "malicious".
between 1 million and 5 million Android users had been infected with a particular kind of malware identified as Android.Counterclank. In an alarming blog post, the security software retailer notes Android.Counterclank's overly broad permissions and ability to send personal data through a network connection. Now rival security software vendor Lookout Mobile Security claims that Symantec's post was overblown, and that the code executing in the 13 apps identified is overly aggressive adware, not malware.
published a report claiming that anywhere from one to five million Android phones and tablets may be infected with the Android.Counterclank spyware. The infections spread from thirteen identified apps across three developers, some of which have already been removed from the Android Market, presumably by Google. Most were blatant copies of popular games or vaguely naughty apps.