Google Offers Fixes For Android Flaws Used To Steal Bitcoins

Google has come clean about flaws in Android’s pseudo-random number generator that led to the theft of funds from Bitcoin wallets, and offered a number of fixes and patches.

It emerged earlier this week that Bitcoin wallets using Android’s SecureRandom service were vulnerable, with  several reports of stolen BTC balances.

It is believed Bitcoin apps had signed numerous transactions with the same supposedly random number created by Google’s SecureRandom. Every transaction requires a signature of the private key and a freshly generated random number.

If there is more than one occurrence of the same private key and the same “random” number in this process, this can be exploited to acquire the private key of a user and pretend to be them.

Attackers looked at the blockchain, which records all Bitcoin-based transactions, for such repetitions,  according to security experts. They could then glean private keys of Bitcoin applications.

Where the Android weakness lies…

The weakness lies in the pseudorandom number generator (PRNG) in Android’s Java Cryptography Architecture (JCA), Google has admitted.

Android security engineer Alex Klyubin said apps using this “may not receive cryptographically strong values on Android devices due to improper initialisation of the underlying PRNG”. “Applications that directly invoke the system-provided OpenSSL PRNG without explicit initialisation on Android are also affected,” he added.

According to Symantec, over 320,000 Android apps use SecureRandom in the same way Bitcoin wallets do, meaning that many could be vulnerable.

Google has sent patch information to device manufacturers, meaning if its hardware partners push out updates, users should be protected. There is no information on when they might do that, however.

It has also given developers advice. “Developers who use JCA for key generation, signing or random number generation should update their applications to explicitly initialize the PRNG with entropy from /dev/urandom or /dev/random,” Klyubin added.

“Developers should evaluate whether to regenerate cryptographic keys or other random values previously generated using JCA APIs such as SecureRandom, KeyGenerator, KeyPairGenerator, KeyAgreement, and Signature.”

A host of Bitcoin wallets have now been updated, including Bitcoin Wallet, Bitcoin Spinner, Mycelium Bitcoin Wallet and blockchain.info.

Are you a security expert? Try our quiz!

Thomas Brewster

Tom Brewster is TechWeek Europe's Security Correspondent. He has also been named BT Information Security Journalist of the Year in 2012 and 2013.

Recent Posts

Craig Wright Sentenced For Contempt Of Court

Suspended prison sentence for Craig Wright for “flagrant breach” of court order, after his false…

2 days ago

El Salvador To Sell Or Discontinue Bitcoin Wallet, After IMF Deal

Cash-strapped south American country agrees to sell or discontinue its national Bitcoin wallet after signing…

2 days ago

UK’s ICO Labels Google ‘Irresponsible’ For Tracking Change

Google's change will allow advertisers to track customers' digital “fingerprints”, but UK data protection watchdog…

2 days ago

EU Publishes iOS Interoperability Plans

European Commission publishes preliminary instructions to Apple on how to open up iOS to rivals,…

3 days ago

Momeni Convicted In Bob Lee Murder

San Francisco jury finds Nima Momeni guilty of second-degree murder of Cash App founder Bob…

3 days ago