Google confirms Bitcoin-theft vulnerability in Android

Summary: An initialisation flaw within the Java Cryptography Architecture has been patched, but not before leaving Android vulnerable to attacks resulting in Bitcoin theft.

Google has confirmed that a vulnerability in Android enabled the reported theft of up to 55 bitcoins over the weekend.

"We have now determined that applications which use the Java Cryptography Architecture (JCA) for key generation, signing, or random number generation may not receive cryptographically strong values on Android devices due to improper initialisation of the underlying PRNG (Pseudorandom number generator)," said Alex Klyubin, Android security engineer, in a blog post.

Klyubin said Android applications that used the "system-provided OpenSSL PRNG without explicit initialisation" were also affected by the issue.

Google's recommended fix is to seed the PRNG explicitly with values from /dev/urandom before using it, and it suggests that developers regenerate any keys or random values previously generated with JCA APIs on affected devices.

The Android security team has patched Android's OpenSSL PRNG, and the patches have been provided to Open Handset Alliance members.

The issue with Android's cryptography came to light over the weekend, when reports that Bitcoin wallets generated on Android were being drained surfaced. A number of Bitcoin applications moved quickly to resolve the issue.

However, the solution involved creating a new wallet, and transferring all Bitcoins from the old wallet to the new one.

  • Ha ha...Android can't catch a break

    The platform is poorly designed and seems to have too many security holes. Time to switch to Windows phone...
    • Quickly then

      Before MS Zunes them out of existence.
        • Zune HD is still the best music player

        Soon WP will nuke crappy androids
        • Around the same time

          We're all driving flying cars.

          Yep, gotcha, no time soon.
          Little Old Man
    • Bitcoin...

      Something else no one gives a shit about and is borderline illegal in most countries it is used in.
      I can't wait for the uproar when people bitch about how they spent hundreds of thousands on bitcoin 'mining' setups only to find that bitcoins are outlawed.
  • The question now becomes who gets the patch?

    While I'm sure Android BitCoin users aren't using handsets with OSes dependent on their carriers. The point is that at some point Android is going to have a truly dangerous bug and then we'll watch while millions of Android users remain vulnerable because the OEMs don't want to put the effort into patching their firmware and/or the carriers don't want to bother testing all 07 versions of it for all the handsets they've sold. But hey, Open wins!
    • Reason to only use Nexus devices.

      Especially given the fact that Samsung rarely update their devices.

      The Android device manufacturer that recognizes that a base Android OS is the best solution, and whose updates are only apps to the system, will eventually dominate the Android landscape. This is Samsung's Achilles heel.
      • Samsung?

        No, actually Samsung is working on their own platform while Google plays with legos. If Google doesn't wake up and get their act together, Apple and Nokia will eat their lunch.
        Dreyer Smit
    • Wrong choice of manufacturer

      Out of all of them, in my experience Samsung have the best track record of updates. Well, for their top-end phones at least.

      I do agree though that the best model would be for all of them to use vanilla Android so updates could be rolled out universally and much faster. Then again, that would mean losing some of the really useful features that people like Samsung add through their own interface. Tough choice. No threat, so far, has ever seemed to represent enough of a problem for me to go vanilla to get the speedier Google updates; of course that may change depending on the landscape.
      Little Old Man
  • Android.

    Android seems to be the Windows XP (or Windows 98) of the mobile world. How long before Eric issues a memo like the famous one Bill Gates did like a billion years ago.

    Google doesn't care. Carriers don't care. Manufacturers don't care. End result, consumers lap it up like idiots.

    Guess they deserve what they get.
    Dreyer Smit
    • Get what?

      You're talking like Android users have all been hacked and have useless phones? At the moment it's the best option out there and although people with stunted mental capacity get in a twist about malware, no serious threat has made it into the real world. Those are the same people suggesting that they are wiser than millions of people around the world. Ironically it's not them getting the most right now but I'm sure you're happy in your deluded world.
      Little Old Man
  • Let's steal imaginary coins

    for real money
    Timothy Cook
  • Stupid idea anyway

    Bitcoins are the stupidest idea since the Chinese invented paper currency. May the idea die before it ever gets widespread.
    Tony R.