Researchers at security firm zvelo have discovered that they can crack a Google Wallet PIN using a brute force attack on a device that is "rooted"--i.e., freed of security restrictions imposed by wireless carriers.
But don't panic. Chances are your Android device isn't rooted; typically only developers and true geeks are willing to root the device, which gives the user full control of the device with "root" privileges, but also removes certain protections.
And someone would have to get physical access to the device and install password cracking software on it to get to the PIN. If someone tries to root a device without the owner's permission, the phone wipes itself of all data, including the PIN, according to Google.
As Google says in this statement:
The zvelo study was conducted on their own phone on which they disabled the security mechanisms that protect Google Wallet by rooting the device. To date, there is no known vulnerability that enables someone to take a consumer phone and gain root access while preserving any Wallet information such as the PIN.
Google is working on a fix and in the meantime advises Google Wallet users to not root their phones and to set up a screen lock on the device. Zvelo also recommends disabling USB Debugging and enabling full disk encryption, for the truly paranoid.