Recent Google Wallet vulnerability could expose credit card information

What you need to know

• Recent findings have unveiled a loophole in Android, particularly with Google Wallet.
• Cards linked to the wallet risk exposing themselves if NFC and App pinning features are enabled.
• Google is said to be aware of the issue, and the recent September 2023 security patch for Android devices might have fixed it.
• The Pixel phones, however, are yet to receive the security patch.

Android screen pinning, aka app pinning functionality, is a nifty feature that lets users pin specific apps (via apps overview) on their screens. However, a recent security vulnerability has revealed that this feature can put your credit/debit cards at risk if linked to your Google Wallet.

A recent Github finding (via 9to5Google) has revealed a possible way to get your card details linked to Google Wallet through a general-purpose NFC reader (Flipper Zero, in this case). The finding suggests this is due to a logic error in the code when the device resides in lock screen mode — with app pinning enabled — and the NFC turned on. The risk is significant as user interaction isn't necessary for this exploitation.

The Github member used a Google Pixel 7 Pro with App Pinning enabled and "Ask for Pin before unpinning" turned on. At least one card has to be linked to Google Wallet. Additionally, NFC has to be enabled with the "Required device unlock for NFC" option allowed.

In this state, the phone is vulnerable as pointing a POS (Flipper Zero in this case) at the back of the Pixel 7 Pro could read the card's data (including card number expiry date) that was registered in Google Wallet.

Image 1 of 2

This makes it possible for anyone with an NFC reader, like the one used in the video, to obtain someone's card information. The GitHub user notes that if a real POS machine is used, there would be a higher risk of your card undergoing an unauthorized transaction without user interaction with the phone.

While an end user going through the aforementioned steps in regular day-to-day use is fairly unlikely, it's still a pretty notable vulnerability. That said, it's one that Google is already aware of, and Android devices running the September 2023 security patch should be safe from the exploitation.

Many phones, such as the Galaxy S23 series, are already receiving the September 2023 patch, although Google is yet to roll out the patch (or the Android 14 update) to its Pixel phones, including the recent Pixel 7 series.