Google acknowledges critical Bitcoin flaw in Android (and bug fixes are released)

Do any of you own any bitcoins? Fractions of a bitcoin? We’d love to know if you do, and issue you a lovely little warning: if you’re holding any bitcoins on an Android phone or tablet, you may want to store your stash elsewhere. Because of a bug in the way Android generates random numbers, those who use Android devices are at risk of digital theft, according to Bitcoin.org.

Updated on 8-15-2013 by Jeffrey Van Camp: Alex Klyubin, a Google Security Engineer on the Android team, has acknowledged that this is a legitimate flaw in Android. The problem, as often seems to be the case, is Java. “Java Cryptography Architecture (JCA) for key generation, signing, or random number generation may not receive cryptographically strong values on Android devices due to improper initialization of the underlying PRNG,” said Klyubin. Translated out of geek speak, that means that Android is, as we thought, not generating random numbers correctly.

You can find some patch code from Google on its official Android blog. We’ve also updated the links below because patches for all wallets have now been issued.
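One way an app can avoid relying on the default PRNG initialization Klyubin describes, shown here as an added example (it is not Google's patch code and not taken from any wallet): seed `SecureRandom` explicitly from the kernel before generating a key, and refuse to continue if two fresh generators ever produce the same output. The class and method names are hypothetical, and the sketch assumes a Linux or Android system where `/dev/urandom` is readable.

```java
import java.io.DataInputStream;
import java.io.FileInputStream;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.SecureRandom;
import java.util.Arrays;

// Hypothetical helper class; illustration only.
public class SeededKeyGen {

    // Read n bytes directly from the kernel's entropy source.
    static byte[] kernelEntropy(int n) throws IOException {
        byte[] buf = new byte[n];
        try (DataInputStream in =
                 new DataInputStream(new FileInputStream("/dev/urandom"))) {
            in.readFully(buf); // fails loudly instead of returning a short read
        }
        return buf;
    }

    // A SecureRandom that is explicitly seeded before any output is drawn,
    // so key generation does not depend on the platform's default seeding.
    static SecureRandom seededRandom() throws IOException {
        SecureRandom sr = new SecureRandom();
        sr.setSeed(kernelEntropy(32));
        return sr;
    }

    // Startup self-test: two independently created generators must never
    // emit identical bytes. A match means the PRNG is not being seeded.
    static void selfTest() throws IOException {
        byte[] a = new byte[32];
        byte[] b = new byte[32];
        seededRandom().nextBytes(a);
        seededRandom().nextBytes(b);
        if (Arrays.equals(a, b)) {
            throw new IllegalStateException("PRNG output repeated; refusing to generate keys");
        }
    }

    public static void main(String[] args) throws IOException, GeneralSecurityException {
        selfTest();
        // Generic EC key pair via the JCA; a wallet would use its own key code.
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("EC");
        kpg.initialize(256, seededRandom());
        KeyPair kp = kpg.generateKeyPair();
        System.out.println("generated " + kp.getPublic().getAlgorithm() + " key pair");
    }
}
```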

Article originally published on 8-12-2013.

How to know if you’re affected: There appears to be a flaw in Google’s Android operating system, making it impossible for the OS to generate “secure random numbers,” which are needed to encrypt Bitcoin transactions. This affects those who use Bitcoin wallet apps like Bitcoin Wallet, Blockchain.info, BitcoinSpinner, and Mycelium Wallet. Some apps, like Coinbase and Mt Gox, are still secure because they don’t rely on the Android OS to generate their numbers. Every one of these apps now has a patch available to fix this vulnerability, which you can find here: Mycelium Wallet patch, Bitcoin Wallet patch, BitcoinSpinner patch, Blockchain.info patch.

How to re-secure your wallet: To protect yourself, Bitcoin.org recommends you do a “key rotation” to your bitcoins. Download the fix for your Wallet app in the Google Play Store as soon as it’s available, generate a new address with the repaired random number generator, and then send your bitcoins from yourself to yourself. If anyone has “stored addresses” from your device previous to the fix, you need to contact them and give them a new one. You can also send your bitcoins to your computer until you fix up your Android wallet.

We’re hoping those of you with actual bitcoins will understand that process better than we do. Currently, we’re bitcoin broke, so we cannot test this fix. 

If you own any bitcoins, let us know below. Have you purchased anything with them? Why do you like or dislike the platform? We’re a “bit” curious.

Jeffrey Van Camp
Former Digital Trends Contributor