If you access your Bitcoin wallet through certain Android mobile devices, you might want to read these views shared by cryptocurrency industry insiders.
A startup developed by the Defense Advanced Research Projects Agency (DARPA) and the Department of Homeland Security (DHS) says that it has identified several models of Android mobile devices containing firmware that collected sensitive personal data about their users and transmitted it to third-party servers without disclosure or the user's consent.
Kryptowire says these devices, which were available through major US-based online retailers such as Amazon and BestBuy, were tested and found to actively transmit user and device information, including the full body of text messages, contact lists, call history with full telephone numbers, and unique device identifiers including the International Mobile Subscriber Identity (IMSI) and the International Mobile Equipment Identity (IMEI).
It says the firmware on these devices, which include popular smartphones such as the BLU R1 HD, also collected and transmitted information about the use of applications installed on the monitored device, bypassed the Android permission model, executed remote commands with escalated system privileges and was able to remotely reprogram the devices.
Kryptowire noted in a release that:
“The core of the monitoring activities took place using a commercial Firmware Over The Air (FOTA) update software system that was shipped with the Android devices we tested and were managed by a company named Shanghai Adups Technology Co. Ltd.
Our findings are based on both code and network analysis of the firmware. The user and device information was collected automatically and transmitted periodically without the user's consent or knowledge. The collected information was encrypted with multiple layers of encryption and then transmitted over secure web protocols to a server located in Shanghai. This software and behavior bypasses the detection of mobile anti-virus tools because they assume that software that ships with the device is not malware and thus, it is white-listed.
In September 2016, Adups claimed on its website to have a worldwide presence with over 700 million active users, and a market share exceeding 70% across over 150 countries and regions with offices in Shanghai, Shenzhen, Beijing, Tokyo, New Delhi, and Miami. The Adups web site also stated that it produces firmware that is integrated in more than 400 leading mobile operators, semiconductor vendors, and device manufacturers spanning from wearable and mobile devices to cars and televisions.”
While this may sound out of the ordinary, these claims highlight the risks posed by the identified firmware, which could facilitate unauthorised access to Bitcoin private keys if you use your wallet on these phones, and that translates to the theft of your Bitcoin.
BitPay CEO Stephen Pair said this could possibly happen without the phone user's knowledge, though he didn't state whether it could be linked to particular hackers, state-sponsored or otherwise, or to any other entity.
He told Cointelegraph via email:
"Yes, it could certainly happen. Bitcoin wallet software is inherently dependent on the security of the underlying platform. As such, it is possible that malicious code built into that platform could steal Bitcoin private keys (as well as any other data on the device). We would have no way of knowing who might be responsible."
Alvin Hagg, founder of Freewallet, continues:
"The level of bitcoin adoption is so low in the sense of the mass market. The probability that someone would collect the data of thousands of people and then try to find access to bitcoin wallets is quite low.
However, the security question is a key focus for wallet providers. We always analyze all possible patterns of hacks. As for the case of losing bitcoins due to data leakage, Freewallet users would not suffer since we don’t store sensitive information on user devices. Most of the user funds are stored offline in the vault, which has multi-signature protection. However, if you store a private key on a mobile device, for sure you should be prepared for the risk of losing your funds."
Mitigation
Pair emphasized some of the ways such a risk could be averted:
"One way to mitigate that risk is to use multiple devices and multi-signature wallets (a feature available in the BitPay and Copay wallets). You can also use cold storage (where key generation and signing are performed on devices that aren't connected to any network). It's a good practice not to store more than a small spending amount of Bitcoin in an online, single signature wallet regardless of what hardware or operating system you are using."
BitClub’s Joby Weeks, who said he recently lost over 100 Bitcoins to a hacker who gained unauthorised access to his accounts through his phone, has this piece of advice:
“Only keep Bitcoin on a phone wallet that you are prepared to lose. Back it up with 2 factor non SMS Authy. (2 factor SMS is not secure if your phone service provider forwards your number to the hackers without your permission) like ATT and Tmobile did to me last week!! The rest, keep in a vault or on multiple hardware wallets like Trezor or Ledger.
Once ATT started forwarding my 2 factor codes (because they forwarded my phone number to the hacker without my permission), then the hacker got access to my accounts. He figured out how to break into one of my trading accounts while I was on a cruise ship and drained it. Lost over 100 Bitcoins, all my ETH, DAO, Ripple, ETC. Bummer.”