Google created patches to take care of the vulnerability in Android that could end up compromising Bitcoin wallets.
The issue lies in the SecureRandom class implementation.
“We have now determined that applications which use the Java Cryptography Architecture (JCA) for key generation, signing, or random number generation may not receive cryptographically strong values on Android devices due to improper initialization of the underlying PRNG,” said Android Security Engineer Alex Klyubin.
“Applications that directly invoke the system-provided OpenSSL PRNG without explicit initialization on Android are also affected. Applications that establish TLS/SSL connections using the HttpClient and java.net classes are not affected as those classes do seed the OpenSSL PRNG with values from /dev/urandom,” he said.
Android developed patches to make sure the OpenSSL PRNG ends up correctly initialized. In addition, developers who use JCA for key generation, signing, or random number generation have information on how to address the issue.
According to Symantec, over 360,000 Android apps make use of SecureRandom. More than 320,000 of these use SecureRandom in the same way as the Bitcoin wallets do.
“Certain Bitcoin wallets applications using Android’s SecureRandom signed multiple transactions using an identical ‘random’ number. Since transactions are public on the Bitcoin network, attackers scanned the transaction block chain looking for these particular transactions to retrieve the private key and transfer funds from the Bitcoin wallet without the owner’s consent,” the company said.
In addition, the issue impacts all versions of Android, not just the 4.2 and earlier variants.
In the meantime, the initial post on Bitcoin.org updated to clarify that updates are out for Bitcoin Wallet, BitcoinSpinner, blockchain.info and Mycelium Bitcoin Wallet.