Google has pushed out patches to partners to address a cryptographic vulnerability tied to the theft of bitcoins from Android users.
According to Android security engineer Alex Klyubin, applications that use the Java Cryptography Architecture (JCA) for key generation, signing or random number generation may not receive cryptographically strong values on Android devices because of improper initialization of the underlying PRNG.
“Applications that directly invoke the system-provided OpenSSL PRNG without explicit initialization on Android are also affected,” wrote Klyubin. “Applications that establish TLS/SSL connections using the HttpClient and java.net classes are not affected as those classes do seed the OpenSSL PRNG with values from /dev/urandom.”
In addition, Google has developed patches to ensure Android’s OpenSSL PRNG is initialized correctly and provided them to Open Handset Alliance (OHA) partners.
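The mitigation the article describes amounts to seeding the PRNG explicitly from the kernel's /dev/urandom, as the TLS classes already do. The following is an added example of that app-level safeguard, not code from the article or from Google's patches; it assumes a Linux kernel that exposes /dev/urandom and uses hypothetical class and method names.

```java
import java.io.DataInputStream;
import java.io.FileInputStream;
import java.io.IOException;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.SecureRandom;

// Hypothetical helper: explicitly mixes kernel entropy into a SecureRandom
// before it is used for key generation, instead of trusting the provider's
// default self-seeding (the step that was broken on affected Android builds).
public final class PrngSeeding {
    private static final String KERNEL_ENTROPY = "/dev/urandom";
    private static final int SEED_BYTES = 32; // 256 bits of seed material

    // Read raw entropy from the kernel pool, the same source the
    // HttpClient/java.net TLS classes use to seed the OpenSSL PRNG.
    static byte[] readKernelEntropy(int n) throws IOException {
        byte[] buf = new byte[n];
        try (DataInputStream in =
                     new DataInputStream(new FileInputStream(KERNEL_ENTROPY))) {
            in.readFully(buf); // readFully fails loudly on a short read
        }
        return buf;
    }

    // Per the SecureRandom contract, a supplied seed supplements existing
    // state rather than replacing it, so mixing in kernel entropy can only
    // strengthen a weakly initialized generator, never weaken a good one.
    static SecureRandom kernelSeededSecureRandom() throws IOException {
        SecureRandom rng = new SecureRandom();
        rng.setSeed(readKernelEntropy(SEED_BYTES));
        return rng;
    }

    // Key generation that passes the explicitly seeded generator to the JCA
    // instead of letting KeyPairGenerator pick a default SecureRandom.
    static KeyPair generateEcKeyPair() throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("EC");
        kpg.initialize(256, kernelSeededSecureRandom());
        return kpg.generateKeyPair();
    }

    public static void main(String[] args) throws Exception {
        KeyPair kp = generateEcKeyPair();
        System.out.println("Generated key algorithm: " + kp.getPublic().getAlgorithm());
    }
}
```

This is a defensive supplement for applications that cannot yet receive the platform patch; it does not replace fixing the underlying PRNG initialization.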
The issue came to light after users of a Bitcoin forum reported Saturday their bitcoins had been stolen. According to Bitcoin.org, the problem can affect anyone with a bitcoin wallet generated by any Android app, including Bitcoin Wallet, BitcoinSpinner and Mycelium Wallet. Apps where users don’t control the private keys are not affected, such as exchange frontends like the Coinbase or Mt. Gox apps.
“If you can’t update your Android app, alternatively, you can send your bitcoins to a Bitcoin wallet on your computer until your Android app can be updated,” according to Bitcoin.org. “You should make sure not to send back your bitcoins to your old insecure addresses.”
Marketing professional with a background in journalism and a focus on IT security.
More from Brian Prince