Android vulnerability to blame for $5,720 Bitcoin theft

Ars Technica reports that a weakness in Java Cryptography Architecture leaves Android users exposed, which Google has confirmed.

The flaw has wide-reaching potential effects, one of which was proved last week when a Bitcoin wallet raid saw $5,720 in BTC stolen.

This affects any Android app that uses Java Cryptography Architecture for its key generation, its signing or any other random number generation.

Apps that encrypt connections with HttpClient and Java.net are OK, though.

A security engineer from Google confirmed the vulnerability in a blog post and said others might be open to attack unless developers access their pseudo random number generators differently.

Security company Symantec blew the whistle on the flaw a few hours earlier, warning that “hundreds of thousands of Android apps” could be affected. Symantec estimated some 360,000 programs use SecureRandom, a number generator JCA provides.

All versions of Android are susceptible.

Pseudo random number generators work by making sure the numbers a computer produces are long enough that they are impossible to predict, which is key to many crypto applications.

Ars compares it to tossing a shaker full of dice.

The exploitation appeared to take advantage of a repeated identical number that was unique to individual computers but evident across the Bitcoin blockchain.

Google’s blog post suggested developers update any apps that use JCA for random number generation and perhaps regenerate their crypto keys and generated random values created by such programs.