All apps that generate private keys on Android smartphones are impacted

Aug 12, 2013 09:38 GMT  ·  By

A vulnerability in the Android component responsible for generating secure random numbers exposes Android Bitcoin wallets to theft. Attackers can exploit the flaw to recover private keys, which in turn gives them full control of the targeted user’s Bitcoin wallet.

According to an advisory on Bitcoin.org, all apps in which the wallet is generated on the Android device are impacted by the flaw. The list includes Bitcoin Wallet, Mycelium Wallet, BitcoinSpinner and the blockchain.info wallet.

The developers of these apps are said to be preparing updates to address the issue. The Mycelium Wallet update is already available on Google Play and the company’s website.

Apps that don’t allow the user to control private keys, such as the Coinbase and Mt. Gox applications, are not impacted because the private keys are not generated on the Android smartphone.

Users of impacted wallet apps are advised to perform “key rotation” in order to re-secure their wallets.

“This involves generating a new address with a repaired random number generator and then sending all the money in your wallet back to yourself. If you use an Android wallet then we strongly recommend you to upgrade to the latest version available in the Play store as soon as one becomes available,” reads the advisory on Bitcoin.org.

“Once your wallet is rotated, you will need to contact anyone who has stored addresses generated by your phone and give them a new one,” it continues.

“If you use Bitcoin Wallet by Andreas Schildbach, key rotation will occur automatically soon after you upgrade. The old addresses will be marked as insecure in your address book. You will need to make a fresh backup.”