Google confirms Bitcoin-theft vulnerability in Android

Summary: An initialisation flaw within the Java Cryptography Architecture has been patched, but not before leaving Android vulnerable to attacks resulting in Bitcoin theft.

Google has confirmed that a vulnerability in Android's random number generation allowed the reported theft of up to 55 bitcoins over the weekend.

"We have now determined that applications which use the Java Cryptography Architecture (JCA) for key generation, signing, or random number generation may not receive cryptographically strong values on Android devices due to improper initialisation of the underlying PRNG (Pseudorandom number generator)," said Alex Klyubin, Android security engineer, in a blog post.

Klyubin said Android applications that used the "system-provided OpenSSL PRNG without explicit initialisation" were also affected by the issue.

Google's recommended fix is for applications to explicitly seed the PRNG with entropy from /dev/urandom before drawing any values from it, and it advises developers to regenerate any keys or random values that were previously generated through the JCA APIs on affected devices.
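As an added illustration (not code from the article, from Google or from the Android project), the following Java snippet shows the pattern the advice above amounts to: read seed material from /dev/urandom and feed it to the generator before any key is created. The class and method names, the 32-byte seed length and the choice of curve (secp256r1) are this example's own assumptions.

```java
import java.io.DataInputStream;
import java.io.FileInputStream;
import java.io.IOException;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.SecureRandom;
import java.security.spec.ECGenParameterSpec;
import java.util.Arrays;

/**
 * Illustrative fix for the unseeded-PRNG condition described in the article:
 * pull seed material from the kernel before any key material is drawn.
 * Assumptions (not from the article): 32 seed bytes, curve secp256r1,
 * and the class and method names, which are this example's own.
 */
public final class PrngSeeding {
    private static final String URANDOM = "/dev/urandom";
    private static final int SEED_BYTES = 32;

    private PrngSeeding() {}

    /** Reads exactly SEED_BYTES from /dev/urandom; a short read is an error, not a shorter seed. */
    static byte[] readKernelEntropy() throws IOException {
        byte[] seed = new byte[SEED_BYTES];
        try (DataInputStream in = new DataInputStream(new FileInputStream(URANDOM))) {
            in.readFully(seed); // throws EOFException instead of returning a partial buffer
        }
        return seed;
    }

    /**
     * Hardened pattern. The affected apps did only `new SecureRandom()` and started
     * drawing bytes, trusting the platform to have seeded it. Here kernel entropy is
     * mixed in first. Per the SecureRandom contract, setSeed() supplements rather than
     * replaces existing state, so this never weakens a generator that was already
     * seeded correctly.
     */
    static SecureRandom explicitlySeeded() throws IOException {
        SecureRandom rng = new SecureRandom();
        byte[] seed = readKernelEntropy();
        try {
            rng.setSeed(seed);
        } finally {
            Arrays.fill(seed, (byte) 0); // do not leave seed material lying around in the heap
        }
        return rng;
    }

    /** Generates a fresh EC key pair from the supplied generator; old keys are replaced, not reused. */
    static KeyPair generateKeyPair(SecureRandom rng) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("EC");
        kpg.initialize(new ECGenParameterSpec("secp256r1"), rng);
        return kpg.generateKeyPair();
    }

    public static void main(String[] args) throws Exception {
        // Seed once at process start, before anything generates keys or signs.
        SecureRandom rng = explicitlySeeded();
        // Keys created earlier on an affected device are suspect: generate replacements.
        KeyPair replacement = generateKeyPair(rng);
        System.out.println("Algorithm: " + replacement.getPublic().getAlgorithm()
                + ", encoded public key length: " + replacement.getPublic().getEncoded().length);
    }
}
```

Call explicitlySeeded() once at process start (on Android, Application.onCreate() is the natural place) and route every key generation and signing operation through the returned instance. The readFully() call matters: a partial read silently shortened to a few bytes would reintroduce the weakly seeded condition the article describes.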

The Android security team has patched Android's OpenSSL PRNG, and those patches have been provided to Open Handset Alliance members.

The issue with Android's cryptography came to light over the weekend, when reports surfaced that Bitcoin wallets generated on Android were being drained. A number of Bitcoin applications moved quickly to resolve the issue.

However, the fix for affected users involved creating a new wallet and transferring all bitcoins from the old wallet to the new one.

Topics: Mobility, Google, Security


Chris started his journalistic adventure in 2006 as the Editor of Builder AU after originally joining CBS as a programmer. After a Canadian sojourn, he returned in 2011 as the Editor of TechRepublic Australia, and is now the Australian Editor of ZDNet.
