Android flaw used in Bitcoin heist

Posted on Thursday, Aug 15 2013 @ 11:42 CEST by Thomas De Maesschalck
Android logo
ARS Technica writes Google developers have confirmed that a cryptographic vulnerability in Android has been abused to steal $5,720 worth of Bitcoins out of a digital wallet last week. The flaw originates from a weakness in Android's Java Cryptography Architecture and it's estimated that as many as 360,000 programs rely on this class. All versions of Android are affected by this.
This weakness in Android's Java Cryptography Architecture is the root cause of a Bitcoin transaction that reportedly was exploited to pilfer about $5,720 worth of bitcoins out of a digital wallet last week. The disclosure, included in a blog post published Wednesday by Google security engineer Alex Klyubin, was the first official confirmation of the Android vulnerability since Ars and others reported the incident last weekend. Klyubin warned that other apps might also be compromised unless developers change the way they access so-called PRNGs, short for pseudo random number generators.

"We have now determined that applications which use the Java Cryptography Architecture (JCA) for key generation, signing, or random number generation may not receive cryptographically strong values on Android devices due to improper initialization of the underlying PRNG," he wrote. "Applications that directly invoke the system-provided OpenSSL PRNG without explicit initialization on Android are also affected." Apps that establish encrypted connections using the HttpClient and classes aren't vulnerable.

About the Author

Thomas De Maesschalck

Thomas has been messing with computer since early childhood and firmly believes the Internet is the best thing since sliced bread. Enjoys playing with new tech, is fascinated by science, and passionate about financial markets. When not behind a computer, he can be found with running shoes on or lifting heavy weights in the weight room.

Loading Comments