A strange Google Wallet bug, which affects smartphones running Android 5.0 and up, may expose your credit card details under a very specific set of circumstances. Google is aware of this vulnerability (CVE-2023-35671), and a fix is included in the September 2023 security update for devices running Android 11 and later. At the time of writing, the September 2023 security update is only available on select smartphones (excluding Pixel phones, oddly enough), though you can avoid the Google Wallet exploit by disabling or avoiding a certain Android feature: Screen Pinning.
As demonstrated by MrTiz on GitHub and YouTube, the CVE-2023-35671 vulnerability is due to a loophole in Android’s Screen Pinning tool. This often-overlooked feature allows you to pin an app to your lock screen, providing easy access to the app without leaving your phone completely unlocked. But if you pin an app while the “ask for PIN before unpinning” and “require device unlock for NFC” options are enabled, NFC devices like the Flipper Zero can skim the details for whatever credit card you’ve set up for contactless payments in Google Wallet.
Again, this is a very specific set of circumstances. Very few people use Screen Pinning, as the feature is disabled by default. There are no documented examples of this exploit in the wild, and even if you fall in the small group of people who could be affected, you would need to wave your phone around an NFC device while an app is pinned to your lock screen. The steps to avoid this exploit are very straightforward—disable Screen Pinning, or unpin whatever app’s on your lock screen before attempting to make a contactless payment. If you have the “require device unlock for NFC” option enabled, you may already be in the habit of doing this.
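As an added illustration, not code from the article or from MrTiz's proof of concept: a POSIX shell script that sorts a device into the categories the article describes (not affected, patched, mitigated, exposed) from its Android API level, its security patch level and whether Screen Pinning is switched on. The `adb` property names and the `lock_to_app_enabled` setting in the optional wrapper are my assumptions about AOSP, not something the article states.

```shell
#!/bin/sh
# Added example, not part of the article: classify a device's exposure to
# CVE-2023-35671 from the three facts the article gives (Android 5.0+ affected,
# fixed by the September 2023 patch on Android 11+, Screen Pinning is the trigger).

FIX_PATCH=20230901   # first security patch level carrying the fix (YYYYMMDD)
FIX_MIN_SDK=30       # Android 11: oldest release that received the fix
AFFECTED_MIN_SDK=21  # Android 5.0: oldest release the bug affects

# patch_to_int "2023-08-05" -> 20230805; prints 0 for anything malformed
patch_to_int() {
    case "$1" in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) printf '%s' "$1" | sed 's/-//g' ;;
        *) printf '0' ;;
    esac
}

# assess_exposure SDK PATCH_LEVEL PINNING_ENABLED
#   SDK              ro.build.version.sdk, e.g. 33
#   PATCH_LEVEL      ro.build.version.security_patch, e.g. 2023-08-05
#   PINNING_ENABLED  1 if Screen Pinning is switched on, anything else if off
# Prints exactly one word: not_affected, patched, mitigated or exposed
assess_exposure() {
    sdk="$1"
    patch=$(patch_to_int "$2")
    pinning="$3"

    if [ "$sdk" -lt "$AFFECTED_MIN_SDK" ]; then
        echo not_affected          # predates Android 5.0
    elif [ "$sdk" -ge "$FIX_MIN_SDK" ] && [ "$patch" -ge "$FIX_PATCH" ]; then
        echo patched               # September 2023 (or later) update installed
    elif [ "$pinning" = "1" ]; then
        echo exposed               # vulnerable build AND the trigger feature is on
    else
        echo mitigated             # vulnerable build, but Screen Pinning is off
    fi
}

# Optional: read the three values from a USB-debugging-enabled phone via adb.
# The property names and the lock_to_app_enabled system setting are assumptions
# about AOSP; 'settings get' prints "null" when a setting was never written.
if [ "$1" = "--device" ] && command -v adb >/dev/null 2>&1; then
    sdk=$(adb shell getprop ro.build.version.sdk | tr -d '\r')
    patch=$(adb shell getprop ro.build.version.security_patch | tr -d '\r')
    pinning=$(adb shell settings get system lock_to_app_enabled | tr -d '\r')
    printf 'sdk=%s patch=%s pinning=%s -> %s\n' "$sdk" "$patch" "$pinning" \
        "$(assess_exposure "$sdk" "$patch" "$pinning")"
fi
```

Run it as `sh check_wallet.sh --device` with a phone attached to get a one-line verdict; the "mitigated" result corresponds to the article's advice of leaving Screen Pinning off until the patch lands, and a device on Android 10 or older stays "exposed" even with a recent patch string because the fix only ships for Android 11 and later.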
Options like Google Pay are still more secure than using a physical credit card, which can be scanned or skimmed in dozens of different ways. Google Pay doesn’t expose any of your credit card details when making payments, as it relies on temporary “virtual tokens” that can only be charged a single time. The CVE-2023-35671 exploit, which can reveal credit card information, is an unexpected exception caused by a very particular bug.
To reiterate, Google is aware of this exploit and includes a patch in the September 2023 security update. The update is available to all Android brands, though manufacturers are responsible for its rollout. Our friends at 9to5Google note that the September 2023 update is already on several Samsung phones, though for some odd reason, it isn’t on Google’s Pixel lineup just yet.