Intrepidus Group
Insight

Google Wallet – Last Four Digits Revealed to Malware Vulnerability

Posted: April 20, 2012 – 10:22 am | Author: | Filed under: android, bugs, Mobile Security

If you’re using Google Wallet, please check your version number and ensure you’re up-to-date (1.1-R57v5 as of this post). This post describes an issue we discovered and reported to Google a few weeks ago. It has now been patched in the latest version of Google Wallet. We think it’s an interesting concern for both end users of Google Wallet and other application developers. While not the most earth shattering vulnerability, it’s probably not something you would want malware collecting about you or your credit cards.

To start, there has been a lot of great research into Google Wallet recently, including the ability to brute force the account PIN and viaForensics dive into application data storage. Both of those attacks required root level access to the device. However, in this attack, the heart of the issue involves the ability to send a specially formatted intent message to Google Wallet. This is something any Android application can do, once installed, without any additional permissions. The specially formatted intent message essentially tells Google Wallet to turn on verbose logging. Data which gets logged includes the last four digits of any credit cards that have been associated with your Google Checkout account (since Google Checkout is now rebranded/merged with Google Wallet). While the full card number is not shown, this data (along with other information that might get collected as well), could be used to target you for a fairly believable social engineering attack. Additionally, the inclusion of Google Checkout information means card numbers which I never thought of as part of my mobile phone’s digital wallet, were included as well (you’ll see these as “UNPROVISIONED” listings in the logs).

Google Wallet Last 4 Card Numbers in the Logs

Last 4 digits of credit card numbers from Google Wallet/Checkout in the Android Logs

We’ve put together a short video which shows our “malware” application sending this intent message and collecting data on a non-rooted Galaxy Nexus (running version 1.1-R52v7 of Google Wallet) . You’ll notice the application does require the one permission, the ability to read the device logs. For the technical details, please see the our security advisory.

http://intrepidusgroup.com/advisories/intrepidus-advisory-20120418.txt

As for the fix, Google has stated they’ve reviewed all of Wallet’s logging features and have added the android:exported=”false” attribute to the LoggingPriorityChangeReceiver to prevent third party applications from enabling this feature.

Video: Google Wallet – Verbose Log Capture Malware Example

 

Both comments and trackbacks are currently closed.

image

This site is protected with Urban Giraffe's plugin 'HTML Purified' and Edward Z. Yang's Powered by HTML Purifier. 24731 items have been purified.