A security flaw has left all Bitcoin wallets on Android vulnerable to theft, Bitcoin.org has warned.
The vulnerability affects all Bitcoin wallets on the Android platform, and Bitcoin.org recommends that all users visit Google’s Play store to install an update as soon as one becomes available. Some apps have already been updated, but some have not. Bitcoin.org has not made any statement on whether any users have lost funds due to the vulnerability.
“We recently learned that a component of Android responsible for generating secure random numbers contains critical weaknesses, that render all Android wallets generated to date vulnerable to theft,” Bitcoin.org said in a statement.
“Because the problem lies with Android itself, this problem will affect you if you have a wallet generated by any Android app. Apps where you don’t control the private keys at all are not affected. For example, exchange frontends like the Coinbase or Mt Gox apps are not impacted by this issue because the private keys are not generated on your Android phone.”
A security engineer at Google, Mike Hearn, explained the vulnerability in an email to Bitcoin developers, according to ITProPortal: “A few days ago we learned that the Android implementation of the Java SecureRandom class contains multiple severe vulnerabilities. As a result all private keys generated on Android phones/tablets are weak and some signatures have been observed to have colliding R values, allowing the private key to be solved and money to be stolen.”
“There are numerous malware families today that either perform Bitcoin mining or directly steal the contents of victims’ Bitcoin wallets, or both,” Lipovsky writes.
Bitcoin advised users, “In order to re-secure existing wallets, key rotation is necessary. This involves generating a new address with a repaired random number generator and then sending all the money in your wallet back to yourself. If you use an Android wallet then we strongly recommend you to upgrade to the latest version available in the Play Store as soon as one becomes available. Once your wallet is rotated, you will need to contact anyone who has stored addresses generated by your phone and give them a new one.”
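A defensive check for the "colliding R values" symptom Hearn describes, added here as an illustration and not taken from Bitcoin.org or any wallet project: it parses DER-encoded ECDSA signatures from a wallet's own history and reports keys that signed more than once with the same R value. The record layout, key labels, transaction labels and signature values are constructed assumptions.

```python
from collections import defaultdict

def parse_der_sig(sig: bytes):
    """Return (r, s) from a DER ECDSA signature (short-form lengths only,
    which covers 256-bit curves). Bytes after the SEQUENCE, such as a
    Bitcoin sighash-type byte, are ignored."""
    if len(sig) < 8 or sig[0] != 0x30:
        raise ValueError("not a DER SEQUENCE")
    if sig[1] >= 0x80 or sig[1] + 2 > len(sig):
        raise ValueError("bad sequence length")
    end, pos, ints = 2 + sig[1], 2, []
    for _ in range(2):
        if pos + 2 > end or sig[pos] != 0x02:
            raise ValueError("expected INTEGER")
        n = sig[pos + 1]
        pos += 2
        if n == 0 or n >= 0x80 or pos + n > end:
            raise ValueError("bad integer length")
        ints.append(int.from_bytes(sig[pos:pos + n], "big"))
        pos += n
    if pos != end:
        raise ValueError("trailing data inside sequence")
    return ints[0], ints[1]

def find_reused_r(records):
    """records: iterable of (pubkey_label, txid, der_signature).
    Returns {(pubkey_label, r): [txid, ...]} for every key that produced
    the same r with different s values, i.e. a repeated signing nonce."""
    seen = defaultdict(dict)                      # (pubkey, r) -> {s: txid}
    for pubkey, txid, sig in records:
        r, s = parse_der_sig(sig)
        seen[(pubkey, r)].setdefault(s, txid)     # identical (r, s) is just a duplicate
    return {k: sorted(v.values()) for k, v in seen.items() if len(v) > 1}

# --- constructed sample data (not real signatures) ---
def _der_int(v):
    b = v.to_bytes((v.bit_length() + 8) // 8, "big")  # 0x00 pad if high bit set
    return b"\x02" + bytes([len(b)]) + b

def make_der(r, s):
    body = _der_int(r) + _der_int(s)
    return b"\x30" + bytes([len(body)]) + body

R1, R2 = int("11" * 32, 16), int("a5" * 32, 16)
SAMPLE = [
    ("pubkey-A", "tx1", make_der(R1, 0x1234) + b"\x01"),
    ("pubkey-A", "tx2", make_der(R1, 0x5678) + b"\x01"),  # same r, new s
    ("pubkey-A", "tx3", make_der(R2, 0x9ABC) + b"\x01"),
    ("pubkey-B", "tx4", make_der(R2, 0x1111) + b"\x01"),
]
```

Any key that appears in the result should be treated as exposed and its funds moved to an address generated with a repaired random number generator, as the advisory describes.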
Author Rob Waugh, We Live Security