Google confirms Android security flaw reported by Symantec, used to rob $5,700 worth of bitcoins

Following Symantec’s warning of a security vulnerability that may affect hundreds of thousands of Android applications, Google itself confirmed the vulnerability on Wednesday, advising developers to update their applications with more secure techniques.


The vulnerability was exploited last week by a cracker who used it to rob $5,700 worth of Bitcoins from a Bitcoin wallet. The vulnerability is centered around a weakness in Android’s cryptographic system, which has been causing many, many applications to use weak, pseudo-randomly generated numbers for security.

“We have now determined that applications which use the Java Cryptography Architecture (JCA) for key generation, signing, or random number generation may not receive cryptographically strong values on Android devices due to improper initialization of the underlying PRNG,” wrote Google security engineer Alex Klyubin in a blog post. “Applications that directly invoke the system-provided OpenSSL PRNG without explicit initialization on Android are also affected.”

PRNG stands for “Pseudo-Random Number Generator”, a basic component of all computerized cryptography. In the case of last week’s bitcoin theft, it is possible that, because of the Android weakness, apps signed multiple transactions using the same random value, which is what allows the signing key to be recovered.

In a blog post, Symantec researchers further explained, “Since transactions are public on the bitcoin network, attackers scanned the transaction block chain looking for these particular transactions to retrieve the private key and transfer funds from the bitcoin wallet without the owner’s consent.”
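The scan Symantec describes is, at bottom, a check for signatures that share a nonce: in ECDSA the r value depends only on the random nonce, so two signatures from one key with equal r (and different messages) show that the random value was repeated. As an added example, not code from the article, Google or Symantec, the Python below runs that audit over constructed sample signature records and reports the affected keys; the record layout and field names are assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Signature:
    """One ECDSA signature as read from a transaction (constructed record layout)."""
    pubkey: str    # hex-encoded public key the signature verifies under (assumed format)
    r: int         # ECDSA r value: determined by the nonce k alone, not by the message
    s: int         # ECDSA s value
    msg_hash: int  # hash of the signed transaction data


def find_nonce_reuse(signatures):
    """Group signatures by (pubkey, r); return keys where one r covers several messages.

    Equal r under the same key means the signer repeated its nonce. With two
    different message hashes that is enough to leak the private key, so such a
    key must be treated as compromised and its funds moved to a fresh key.
    Re-broadcasts of the identical transaction (same r, same hash) are ignored.
    """
    groups = defaultdict(list)
    for sig in signatures:
        groups[(sig.pubkey, sig.r)].append(sig)
    reused = {}
    for (pubkey, r), sigs in groups.items():
        if len({sig.msg_hash for sig in sigs}) > 1:
            reused.setdefault(pubkey, []).append(r)
    return reused


# Constructed sample data: key 02aa signed two different transactions with the
# same r (the failure mode of an unseeded PRNG), key 02bb used distinct nonces,
# key 02cc re-broadcast one transaction twice (same r, same hash: not a reuse).
SAMPLE = [
    Signature("02aa", r=0x1111, s=0x01, msg_hash=0xA1),
    Signature("02aa", r=0x1111, s=0x02, msg_hash=0xA2),
    Signature("02bb", r=0x2222, s=0x03, msg_hash=0xB1),
    Signature("02bb", r=0x3333, s=0x04, msg_hash=0xB2),
    Signature("02cc", r=0x4444, s=0x05, msg_hash=0xC1),
    Signature("02cc", r=0x4444, s=0x05, msg_hash=0xC1),
]

if __name__ == "__main__":
    for pubkey, rs in find_nonce_reuse(SAMPLE).items():
        print(f"key {pubkey}: nonce reused for r value(s) {[hex(r) for r in rs]}")
```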

Google recommended that developers explicitly initialize the PRNG in their code in order to prevent this weakness from affecting their own applications.

While this incident will definitely cause some concern over Android security, it should also call into question the wisdom of Bitcoin’s public, decentralized cryptographic practices. As one reader on Ars Technica points out, “A security system relying on the honor system doesn’t go far”.

Source: Ars Technica

Brandon Shutt
Brandon is an A+ certified technician and freelance writer living in East Tennessee. He loves God, writing, science (especially technology) and philosophy. He is currently preparing to enter the field of information security.