There's a Fake Google Wallet App, and It Is Used to Hijack Google Accounts
You could argue that Google is the classic Silicon Valley success story. What started off as a useful search engine is now a commanding part of almost everything we do online. Over the years, Google released apps and services for creating content, collaborating on projects, sharing information, communicating with other people, etc.
In 2011, the Mountain View-based colossus announced its entrance into the financial sector with the launch of Google Wallet – a payment service that allowed, among other things, the processing of in-store and online transactions. It probably doesn't come as too much of a surprise to you that cybercriminals are now using the Google Wallet name to cause harm to innocent computer users.
A rogue Google Wallet app gains access to users' Google Accounts
Last week, quite a few users received emails saying that Google Wallet had been given access to their accounts. The notifications were sent by Google's automated systems, and many people immediately got suspicious because they knew that they hadn't used an application by that name in a long time. They took to social media to share their concerns and were advised to review the list of apps that have access to their data, remove the ones they don't recognize, and change their passwords. Some complained that the app popped up again after the password change.
You may be thinking that Google is trying to get more people to use the Wallet app. Sadly, this is not the case.
A rather bizarre campaign
Overall, the details are few and far between, and the only source of information is the message boards and social media. Although there is quite a lot of speculation, it has yet to be confirmed what the fake Google Wallet app can do exactly. We can be pretty certain, however, that the application is indeed fake.
First of all, the screenshots shared with Android Police show that the rogue app was published by an unverified developer. For many, this could be a dead giveaway, but others will have figured out that something's not quite right long before they look at who's listed as the developer of the application.
In 2015, Google spun off some of Google Wallet's functionality into a new application called Android Pay. It was a somewhat strange move, and plenty of people expected to see it being reversed sooner or later. Sure enough, in January 2018, Google announced that Android Pay and Google Wallet are being consolidated under one common brand – Google Pay. The Google Wallet name was dropped, and there's no indication that it will ever be resurrected.
The criminals have banked on users not knowing this, and although there is no official information on how big or successful the attack is, we're pretty sure that some people have fallen for it. In a support thread, a Google employee said that the company is investigating the issue, and hopefully, we will soon have more information. Whatever Google's people find, however, this whole story should go to show that, when it comes to services and apps that have access to your data, even the most legitimate-looking ones should be treated with a healthy dose of suspicion.