Attackers exploit Android bugs to steal Bitcoins from "wallet" apps
The bugs lie in the random-number generation that Android wallet apps rely on to create the private keys that prove ownership of Bitcoins.
Criminals have found a way to steal Bitcoins from users' "wallet" apps by exploiting major vulnerabilities in the Android mobile operating system.
According to an online community of Bitcoin users, who spoke out on a Bitcointalk.org forum over the weekend, cyber thieves have made off with at least 55 Bitcoins, which amounts to about $5,800, given Bitcoin's current exchange value.
Mike Hearn, a Bitcoin developer who reported the bugs to Google, blogged about the security issue on Sunday and explained that the flaws lie in how Android generates the secure random numbers used to make private keys. Because of the vulnerabilities, all private keys generated on Android devices can be cracked, giving attackers the ability to steal Bitcoins from "wallet" apps made for Android users.
In a Monday email to SCMagazine.com, Hearn explained how private keys are essential to authenticating the owners of Bitcoin currency.
“A Bitcoin address is a bit like an email address, except that it's linked to a ‘private key’ which is a bit like the password for the money sent to the address," he said. "Except you don't get to pick the password, the phone/tablet/computer does, on the assumption that it's better at picking unpredictable codes than you are..."
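Why a weak random-number generator turns the "password the device picks" into something an attacker can simply enumerate, as an added illustration that is not code from the article, from Hearn, or from any of the wallet apps named. The Android flaw itself is not reproduced; the "weak" generator below is a stand-in seeded from an assumed 16-bit pool (think of a coarse timestamp), and the "address" is a plain hash of the key rather than a real elliptic-curve public key. Only the property that matters is kept: if the generator's output is a function of a small seed, guessing the seed recovers the key.

```python
"""Weak-seed private keys versus properly random ones (added example)."""

import hashlib
import random
import secrets

KEY_BITS = 256
# Assumption for the demo: the victim's generator was seeded from only
# 16 bits of entropy. The attacker knows this and searches the whole pool.
ASSUMED_SEED_BITS = 16


def weak_private_key(seed: int) -> int:
    """Key from a deterministic PRNG: the output is a pure function of the seed."""
    rng = random.Random(seed)  # Mersenne Twister, NOT cryptographically secure
    return rng.getrandbits(KEY_BITS)


def strong_private_key() -> int:
    """Key from the OS CSPRNG; no small seed to brute-force."""
    return secrets.randbits(KEY_BITS)


def address_of(priv: int) -> str:
    """Toy stand-in for a Bitcoin address: a one-way hash of the private key.

    Real Bitcoin derives an EC public key and hashes that; for this
    demonstration only the one-way property of the mapping matters.
    """
    return hashlib.sha256(priv.to_bytes(KEY_BITS // 8, "big")).hexdigest()


def recover_key_from_address(address: str, seed_bits: int = ASSUMED_SEED_BITS):
    """Attacker side: enumerate every possible seed, regenerate the key the
    victim's app would have produced, and compare against the public address.

    Returns (seed, private_key) on success, or None if the key was not
    produced from a seed inside the searched pool.
    """
    for seed in range(1 << seed_bits):
        candidate = weak_private_key(seed)
        if address_of(candidate) == address:
            return seed, candidate
    return None


if __name__ == "__main__":
    # Victim: a constructed low-entropy seed stands in for the weak generator.
    victim_seed = 40_000
    victim_key = weak_private_key(victim_seed)
    victim_addr = address_of(victim_key)

    # Attacker only sees the address (it is on the public block chain).
    found = recover_key_from_address(victim_addr)
    print("weak key recovered:", found is not None and found[1] == victim_key)

    # The same attack against a properly generated key has a 2^256 search space.
    good_addr = address_of(strong_private_key())
    print("strong key recovered:", recover_key_from_address(good_addr) is not None)
```

The search finishes in well under a second on a laptop because the whole pool is 65,536 seeds; no property of the key itself is attacked, only the predictability of its source. That is the same reason a patched generator alone is not enough for a wallet that already holds weakly generated keys: the key is still recoverable, so the funds must be moved to a new one.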
According to a Sunday blog post at Bitcoin.org, a website managed by Bitcoin's core developers and supporters of the currency, a number of wallet apps in Google Play are impacted by the vulnerabilities.
The wallets hold Bitcoins, which currently trade at a volatile roughly $104 each. Bitcoin is a form of virtual currency created in 2009 that can be transferred pseudonymously from person to person online, without going through a bank. Bitcoins are accepted today by some online merchants and can be traded for actual dollars at online currency exchanges, such as MtGox.com.
New Bitcoins are created by "mining": a user's machine solves mathematical problems that become progressively harder and pay out progressively less as more of the currency is issued.
Bitcoin Wallet, BitcoinSpinner, Mycelium Bitcoin Wallet and Blockchain were named as some of the popular wallet apps vulnerable to the threat, though any Android app that generates private keys on the device could be exploited, the blog post explained.
For Bitcoin Wallet app users, version 3.15 of the program fixes the problem. Users of the other apps will have to wait for similar patches.
Because keys already created with the flawed generator remain weak, a patch cannot simply keep using them: to fix the bugs, updated apps will generate a new Bitcoin address and send all the money in users' wallets back to them at that new address, Hearn explained.
When asked about the exact number of Android vulnerabilities involved, Hearn directed SCMagazine.com to Google, which did not immediately respond.
In a Monday blog post, security researcher Graham Cluley explained at his website how serious the flaws are to Bitcoin users.
“If someone else can work out the private key to your Bitcoin wallet, that's rather like knowing the PIN code for your bank account,” Cluley wrote.

Update: Users of BitcoinSpinner and Mycelium can upgrade to version 0.7.0 of Mycelium, as the apps have the same developers. Blockchain users can download version 3.54 of the app for a fix.