Bitcoin wallets created on Android devices at risk of theft

Graham Cluley
@gcluley

A critical security vulnerability has been discovered in Android Bitcoin wallet apps that could leave users “vulnerable to theft”.

According to an official blog post at bitcoin.org, popular affected apps include – but are not limited to – Bitcoin Wallet, blockchain.info, Bitcoin Spinner, and Mycelium Wallet.

Bitcoin, for those who aren’t familiar with it, is a virtual digital currency (meaning it doesn’t exist physically in the real world, but can be used to purchase items online) that relies upon cryptography.

The problem appears to lie in the way that Android phones and tablets generate the random numbers required for private keys, meaning that a key could be recovered by someone else.


And if someone else can work out the private key to your Bitcoin wallet, that’s rather like knowing the PIN code for your bank account.
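
An added illustration (not code from the article, bitcoin.org or any of the wallet apps): the Python sketch below audits a key source by simulating many fresh installs and counting duplicate private keys. `weak_key` is a constructed stand-in that assumes only 16 bits of seed entropy; the article does not give the technical details of the actual Android flaw, and all function names here are hypothetical.

```python
import random
import secrets

KEY_BYTES = 32  # a Bitcoin private key is a 256-bit number


def weak_key(boot_state: int) -> bytes:
    """Constructed weak source: only 16 bits of device state reach the seed."""
    rng = random.Random(boot_state & 0xFFFF)  # assumed low-entropy seed
    return rng.getrandbits(KEY_BYTES * 8).to_bytes(KEY_BYTES, "big")


def strong_key(_boot_state: int) -> bytes:
    """Key bytes drawn from the operating system's CSPRNG."""
    return secrets.token_bytes(KEY_BYTES)


def audit_key_source(make_key, trials: int = 5000) -> dict:
    """Simulate `trials` fresh installs and count duplicate private keys.

    Each trial models a new wallet whose only distinguishing input is
    `boot_state`. A single duplicate means two users would share a key.
    """
    device_state = random.SystemRandom()
    seen = set()
    duplicates = 0
    for _ in range(trials):
        key = make_key(device_state.getrandbits(64))
        if key in seen:
            duplicates += 1
        seen.add(key)
    return {"trials": trials, "distinct": len(seen), "duplicates": duplicates}


if __name__ == "__main__":
    for name, source in (("weak", weak_key), ("strong", strong_key)):
        print(name, audit_key_source(source))
```

With a 16-bit seed there are only 65,536 possible keys, so 5,000 simulated wallets collide many times over, while the CSPRNG-backed source produces none.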

Affected users are being advised to keep a keen eye open for updates to their Android Bitcoin apps:

“If you use an Android wallet then we strongly recommend you to upgrade to the latest version available in the Play Store as soon as one becomes available. Once your wallet is rotated, you will need to contact anyone who has stored addresses generated by your phone and give them a new one.”

There are already reports that Bitcoins may have been stolen from compromised addresses.

Imagine if a weakness like this were found impacting those of us who use traditional real-life banks…

For further information, read the official blog post at bitcoin.org and follow the discussions online.



Graham Cluley is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s when he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows. Now an independent security analyst, he regularly makes media appearances and is an international public speaker on the topic of computer security, hackers, and online privacy. Follow him on Twitter at @gcluley, or drop him an email.
