Google confirms Bitcoin's Android flaw

Google has issued a fix for an Android bug that left virtual Bitcoin wallets vulnerable to theft. The flaw has so far allowed thieves to steal nearly 56 Bitcoins - currently worth nearly $7,000 - by targeting certain Android wallet apps.

According to Google, the bug stems from an underlying weakness in the Java Cryptography Architecture (JCA) on Android: applications that rely on it for key generation, signing or random number generation may not have received cryptographically strong values.

The firm's security researchers said the company had now fixed a weakness in the framework's pseudorandom number generator (PRNG) that made it easier for hackers to compromise the private keys of Bitcoin wallets stored on Android phones or tablets. The weakness matters because ECDSA, which Bitcoin uses to sign transactions, leaks the signing key outright if the same random nonce is ever used for two signatures, so a PRNG that can repeat its output is fatal for a wallet. Several Android users reported that they had had Bitcoins fraudulently sent from their accounts to the same mysterious recipient.

Security engineer Alex Klyubin said the problem affected apps that use JCA without the proper initialisation of the underlying PRNG. "Applications that establish TLS/SSL connections using the HttpClient and java.net classes are not affected, as those classes do seed the OpenSSL PRNG with values from /dev/urandom," he added.

Klyubin advised that developers who use JCA to generate keys or signatures should update their apps to initialise the PRNG explicitly, and published a suggested implementation.

He added that Google had now provided patches to its global carrier partners, including T-Mobile, Telefonica and Vodafone. It'll be up to those carriers to roll out the patches to affected consumers.

The Bitcoin Foundation meanwhile has advised Bitcoin owners using Android apps to store their virtual stash on their PCs.

This article originally appeared at pcpro.co.uk

Copyright © Alphr, Dennis Publishing