Android wallet apps vulnerability could allow currency theft

Pierluigi Paganini, August 13, 2013

The Bitcoin Foundation has released a security advisory about a serious flaw in Android wallet apps that could allow money theft.

Yesterday I wrote about a RAT for Android; today we will look at a weakness in some Android wallet apps for the popular mobile operating system that exposes Bitcoin users to the risk of theft. The Bitcoin Foundation has announced that Android “wallet” apps, including Bitcoin Wallet and BitcoinSpinner, are affected by a serious flaw that could be exploited by cybercriminals.

The Foundation published a security advisory and recommended protecting the Android wallet apps by updating them as soon as a new version becomes available.

“We recently learned that a component of Android responsible for generating secure random numbers contains critical weaknesses, that render all Android wallets generated to date vulnerable to theft. Because the problem lies with Android itself, this problem will affect you if you have a wallet generated by any Android app. An incomplete list would be Bitcoin Wallet, wallet, BitcoinSpinner and Mycelium Wallet. Apps where you don’t control the private keys at all are not affected. For example, exchange frontends like the Coinbase or Mt Gox apps are not impacted by this issue because the private keys are not generated on your Android phone.”

The Android “wallet” apps vulnerability lies in the OS’s ability to generate the sequences of secure random numbers used to protect the wallet: Android’s SecureRandom Java class sometimes repeats number sequences instead of producing unique ones.

The security issue is specific to the Android OS and affects all Android wallet apps that delegate the generation of private keys to the user’s mobile device; the Coinbase and Mt Gox apps are not impacted because their keys are not generated on the Android phone.

Every vulnerable Android wallet app needs to change its keys; this is done by “generating a new address with a repaired random number generator and then sending all the money in your wallet back to yourself”.
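The failure mode described above, a generator that replays the same sequence so that two runs of an app produce identical 256-bit values, is easy to model and to check for. The following is an added example written for this post, not code from the Bitcoin Foundation, Android or any of the wallet projects named here; it uses a deliberately seeded Python PRNG as a constructed stand-in for the faulty generator (it is not Android’s SecureRandom implementation), contrasts it with the kernel CSPRNG via `os.urandom`, and shows the two defensive checks a wallet maintainer would want: an offline duplicate audit over every key or nonce ever produced, and a FIPS-style continuous test that refuses a stuck generator at runtime.

```python
import os
import random
from typing import Iterable, List, Set

KEY_BYTES = 32  # a Bitcoin private key is a 256-bit scalar


def weak_rng_outputs(low_entropy_seed: int, count: int) -> List[bytes]:
    """Constructed stand-in for a generator seeded from too little state.

    Two app launches that derive the same seed replay the same stream, which is
    the symptom the advisory describes. This is NOT Android's SecureRandom code;
    random.Random is a deterministic PRNG and must never be used for keys.
    """
    rng = random.Random(low_entropy_seed)
    return [rng.getrandbits(KEY_BYTES * 8).to_bytes(KEY_BYTES, "big")
            for _ in range(count)]


def os_rng_outputs(count: int) -> List[bytes]:
    """Repaired path: draw every key directly from the kernel CSPRNG."""
    return [os.urandom(KEY_BYTES) for _ in range(count)]


def repeated_values(outputs: Iterable[bytes]) -> Set[bytes]:
    """Offline audit: return every value that appears more than once.

    An honest 256-bit generator repeats with probability about 2**-256, so any
    duplicate among keys or signing nonces is a red flag that the generator
    replayed its stream.
    """
    seen: Set[bytes] = set()
    dups: Set[bytes] = set()
    for value in outputs:
        if value in seen:
            dups.add(value)
        seen.add(value)
    return dups


def continuous_test(outputs: List[bytes]) -> bool:
    """FIPS 140-style continuous RNG test: each block must differ from the
    previous one. This catches a stuck generator before a value is used."""
    return all(prev != cur for prev, cur in zip(outputs, outputs[1:]))


def simulate_two_launches(weak: bool) -> Set[bytes]:
    """Keys produced across two launches of the same app, with and without
    the flaw. Returns the set of keys that were handed out twice."""
    if weak:
        # Both launches end up with the same (constructed) low-entropy seed.
        first = weak_rng_outputs(low_entropy_seed=0xCAFE, count=4)
        second = weak_rng_outputs(low_entropy_seed=0xCAFE, count=4)
    else:
        first, second = os_rng_outputs(4), os_rng_outputs(4)
    return repeated_values(first + second)


if __name__ == "__main__":
    print("weak generator, keys repeated across launches:",
          len(simulate_two_launches(weak=True)))
    print("kernel CSPRNG, keys repeated across launches:",
          len(simulate_two_launches(weak=False)))
```

Note that the continuous test alone does not catch this bug: within a single launch the weak stream never stalls, so consecutive blocks differ and the check passes. Only the cross-launch audit sees the replay, which is why, once a repaired generator is in place, the advisory’s remedy is to generate a fresh address and move the funds rather than to keep trusting keys produced under the old generator.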

The principal Android wallet apps are in the process of releasing updates to fix the bug:

  • Bitcoin Wallet: Update has been prepared and is in beta testing now.
  • BitcoinSpinner: Update is being prepared.
  • Mycelium Wallet: Update v0.6.5 can be installed from Google Play or
  • Update is being prepared.

Security experts do not seem surprised by the discovery; similar flaws are expected to be found in the principal virtual currency schemes over the coming months.

Flaws of this kind are intrinsic to the difficulty computers have in generating genuinely random sequences to protect data: if the mechanism fails, someone may be able to predict the numbers, bringing down the entire security infrastructure that rests on the randomness of the keys.

But the problems for virtual currency schemes are not only of a technical nature. The New York Department of Financial Services has asked about two dozen firms operating with Bitcoin to provide all necessary information on transactions in order to prevent money laundering activities.

Although Bitcoin is the most popular virtual currency, the cybercrime underground has definitely adopted Perfect Money as its currency since law enforcement shut down Liberty Reserve during the investigation into a $6 billion digital money laundering operation. Cybercriminals consider Perfect Money a privileged payment method thanks to the anonymity of its transactions and the possibility of exchanging the virtual money for euros, dollars and gold.

Pierluigi Paganini

(Security Affairs – Android, Cybercrime, Android wallet apps)

