New Android Vulnerability Allows Hackers to Steal Your Banking Data
A newly discovered vulnerability in the Android operating system allows hackers to access full bank card details using multifunctional NFC-enabled devices like the Flipper Zero. The issue, identified as CVE-2023-35671, affects all devices running Android 5.0 and above.
How the Vulnerability Works
The vulnerability is linked to the “Screen Pinning” feature. When this feature is enabled for any app, along with the options “Ask for PIN before unpinning” and “Require device unlock for NFC,” a hacker can potentially steal a victim’s bank card data.
Screen Pinning is designed to lock your phone to a single app, preventing others from switching apps if you hand them your device. This is useful if you want to let someone use your phone without risking your privacy.
However, with Screen Pinning active under those settings, someone holding a suitable NFC reader near the phone can read the full details of a credit or debit card that is linked to the victim's Google Wallet and set up for contactless payments. The attacker only needs to bring the reader close to the vulnerable phone; no unlock or password entry is required, even though the "Require device unlock for NFC" setting would normally demand one before card data is released.
What Data Is at Risk?
While this vulnerability does not allow unauthorized payments, it does give access to the linked card’s details, including the card number and expiration date. This information could be valuable to potential attackers.
Who Is Affected and What Is Being Done?
Despite the specific conditions required for exploitation and the relatively low risk of real-world attacks, Google has classified the vulnerability as “serious” and has started working on a fix.
The patch is included in the September 2023 security update, but only relatively recent Android versions, from Android 11 onwards, will receive it. The patch has already been made available to all Android device manufacturers, who are rolling it out to their supported devices at their own pace.
Unfortunately, devices running older versions of Android, or devices no longer officially supported by their manufacturers, will not receive the security patch. For these users, the only mitigation is to stop using the Screen Pinning feature entirely.
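For anyone managing a fleet of Android devices, the decision above (patched with the September 2023 update on Android 11 or later, otherwise disable Screen Pinning) is easy to encode. The following POSIX shell helper is an added example, not part of the original article or of any Google tooling. It takes the three values an administrator would pull from each device with `adb shell getprop ro.build.version.release`, `adb shell getprop ro.build.version.security_patch` and `adb shell settings get system lock_to_app_enabled` (the `lock_to_app_enabled` key name and its `1`/`0`/`null` values are an assumption about the AOSP settings store, so verify it on your build), and it classifies the device. The sample records at the bottom are constructed.

```shell
#!/bin/sh
# Added example (not from the article): triage helper for CVE-2023-35671.
# Inputs are the strings returned by the adb commands named in the lead-in;
# the script itself does not call adb, so it can be tested offline.

# Convert a security patch level such as "2023-09-05" to 20230905.
# Anything that is not YYYY-MM-DD yields 0 (treated as unpatched).
patch_level_num() {
  case "$1" in
    [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) printf '%s\n' "$1" | tr -d '-' ;;
    *) echo 0 ;;
  esac
}

# Usage: assess_device RELEASE SECURITY_PATCH PINNING_ENABLED
#   RELEASE          e.g. "13", "11", "8.1.0"
#   SECURITY_PATCH   e.g. "2023-09-05"
#   PINNING_ENABLED  "1" when Screen Pinning is on; "0" or "null" when off
#                    (assumed value of the lock_to_app_enabled key)
# Prints exactly one of:
#   patched                  covered by the September 2023 fix
#   disable-screen-pinning   unpatched and Screen Pinning is on: act now
#   unpatched-pinning-off    unpatched but the risky feature is already off
assess_device() {
  release="$1"; patch="$2"; pinning="$3"

  # Major version is everything before the first dot ("8.1.0" -> "8").
  major="${release%%.*}"
  case "$major" in
    ''|*[!0-9]*) major=0 ;;
  esac

  # The article states the fix ships in the September 2023 update and only
  # for Android 11 and later; both conditions must hold.
  if [ "$major" -ge 11 ] && [ "$(patch_level_num "$patch")" -ge 20230901 ]; then
    echo patched
  elif [ "$pinning" = "1" ]; then
    echo disable-screen-pinning
  else
    echo unpatched-pinning-off
  fi
}

# Constructed sample inventory: release|security_patch|lock_to_app_enabled
SAMPLE_DEVICES='13|2023-10-01|1
10|2023-09-05|1
12|2023-08-05|1
8.1.0|2019-02-05|null'

# Print a verdict per sample record when the script is run directly.
printf '%s\n' "$SAMPLE_DEVICES" | while IFS='|' read -r rel pl pin; do
  printf '%-6s %-11s pinning=%-4s -> %s\n' "$rel" "$pl" "$pin" \
    "$(assess_device "$rel" "$pl" "$pin")"
done
```

In practice you would replace the constructed inventory with a loop over `adb devices` output, feeding each device's three values into `assess_device` and escalating every `disable-screen-pinning` result, since those are the devices where the only available fix is a configuration change by the user or via your MDM.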