Security flaw leaves Android Bitcoin wallets vulnerable to theft

Security flaw leaves Android Bitcoin wallets vulnerable to theft

Summary: Bitcoin wallets generated on Android are thought to be suffering from a random number generation weakness.

TOPICS: Security, Android

Bitcoin wallets generated by Android devices are vulnerable to theft caused by a problem in the way Android generates random numbers.

Developers at issued an alert on Sunday strongly recommending Bitcoin owners using Android wallets update to new versions of their preferred wallet once they became available.

A number of Android Bitcoin wallets — such as Bitcoin Wallet, BitcoinSpinner, Mycelium Wallet and — were preparing updates that address the flaw, according to the notice.

According to a description of the flaw by Bitcoin Wallet, which has released a beta fix, "Android SecureRandom class has multiple severe bugs that render it useless for cryptographic purposes".

Bitcoin apps by exchanges such as Mt Gox and Coinbase are not affected since the private keys for those apps are not generated on the Android device.  

Technical details of the Android flaw have not been released. However, Bitcoin Magazine suggests the affected random number generator produces numbers that are not so random and points to a number of thefts that have occurred as a result of the flaw.

The fix involves generating a new address with a repaired random number generator. Users would then send the money in their existing wallet to the new one.

"Once your wallet is rotated, you will need to contact anyone who has stored addresses generated by your phone and give them a new one," developers noted. 

A member on the forum also noted that keys generated by wallets on desktops or iPhone can also be vulnerable if payments were also made from an Android device. 

Topics: Security, Android

Liam Tung

About Liam Tung

Liam Tung is an Australian business technology journalist living a few too many Swedish miles north of Stockholm for his liking. He gained a bachelors degree in economics and arts (cultural studies) at Sydney's Macquarie University, but hacked (without Norse or malicious code for that matter) his way into a career as an enterprise tech, security and telecommunications journalist with ZDNet Australia. These days Liam is a full time freelance technology journalist who writes for several publications.

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.


Log in or register to join the discussion
  • Of course there's issue

    With "bit" unwilling to join the unholy alliance of Pay Pal and Visa /MC against Wiki Leaks and it's desire to open the internet to everyone, is it really a stretch to realize that they would mount an attack against "bit"? I think not...
  • Another reason

    Why i'm not gonna use any form of online/cloud "wallet".