
Android-based Bitcoin wallets users must take action to avoid security vulnerability


After the discovery of a severe vulnerability in the Android implementation of Java's SecureRandom (a random number generator), is warning every user that they must immediately rotate to a new address.

As a result of this vulnerability, the private keys used to sign cryptocurrency transactions on Android devices can be recovered by an attacker. Since the security of the system depends on each address having its own private key, known only to the owner of the address, this makes it easier for a malicious party to spend the coins without authorization.

Everything started when users on the forums noticed that more than 55 BTC had been stolen a few hours after the client allegedly “signed” a transaction using the compromised Java SecureRandom. After the first alert, the users confirmed the problem: they observed that SecureRandom was re-using the same random numbers across multiple transactions. Because an ECDSA signature leaks the private key whenever the per-signature random nonce repeats, this was compromising the private keys and putting the users’ Bitcoins at risk.
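The nonce re-use described above, as an added example that is not from the article: a small scanner that extracts the r value from DER-encoded ECDSA signatures and reports any r that appears more than once, which is the signal that the signing nonce repeated and that the keys involved must be rotated. The public-key labels and signature values are constructed for the example.

```python
# Added example (not the article's or any wallet project's code).
# In ECDSA, r is derived from the per-signature random nonce k, so two
# signatures sharing r means k was reused: exactly what the broken Android
# SecureRandom produced. Flagging repeated r values tells a wallet operator
# which keys must be rotated. Sample data below is constructed.
from collections import defaultdict


def parse_der_sig_r(sig: bytes) -> int:
    """Return r from a DER signature: SEQUENCE { INTEGER r, INTEGER s }.
    Bitcoin signatures are at most 72 bytes, so short-form lengths suffice.
    Strip the trailing SIGHASH byte from a scriptSig signature before calling."""
    if len(sig) < 8 or sig[0] != 0x30:
        raise ValueError("not a DER SEQUENCE")
    if sig[1] != len(sig) - 2:
        raise ValueError("bad SEQUENCE length")
    if sig[2] != 0x02:
        raise ValueError("expected INTEGER for r")
    r_len = sig[3]
    r_bytes = sig[4:4 + r_len]
    if len(r_bytes) != r_len:
        raise ValueError("truncated r")
    return int.from_bytes(r_bytes, "big")


def find_reused_nonces(signatures):
    """signatures: iterable of (pubkey_label, der_sig). Returns {r: [labels]}
    for every r seen more than once, whichever keys produced it."""
    by_r = defaultdict(list)
    for pubkey, sig in signatures:
        by_r[parse_der_sig_r(sig)].append(pubkey)
    return {r: labels for r, labels in by_r.items() if len(labels) > 1}


# Helpers to build constructed sample signatures (not real transaction data).
def der_int(v: int) -> bytes:
    b = v.to_bytes((v.bit_length() + 7) // 8 or 1, "big")
    if b[0] & 0x80:          # DER requires a leading 0x00 if the high bit is set
        b = b"\x00" + b
    return bytes([0x02, len(b)]) + b


def der_sig(r: int, s: int) -> bytes:
    body = der_int(r) + der_int(s)
    return bytes([0x30, len(body)]) + body


SAMPLE = [                               # constructed: small r/s for readability
    ("pubA", der_sig(0x1F3A5C, 0x77)),
    ("pubA", der_sig(0x1F3A5C, 0x99)),   # same r as above: nonce reused
    ("pubA", der_sig(0x2B4D6E, 0x11)),
    ("pubB", der_sig(0x1F3A5C, 0x55)),   # same r under another key: RNG is broken
    ("pubB", der_sig(0x3C5E7F, 0x66)),
]

if __name__ == "__main__":
    for r, labels in find_reused_nonces(SAMPLE).items():
        print(f"r={r:#x} reused by {labels}: rotate these keys")
```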

So, this Sunday (11), made an official announcement:

We recently learned that a component of Android responsible for generating secure random numbers contains critical weaknesses that render all Android wallets generated to date vulnerable to theft. Because the problem lies with Android itself, this problem will affect you if you have a wallet generated by any Android app.

An incomplete list would be wallet, BitcoinSpinner, Bitcoin Wallet and Mycelium Wallet. Apps where you don’t control the private keys at all are not affected. For example, exchange frontends like the Coinbase or Mt Gox apps are not impacted by this issue because the private keys are not generated on your Android phone.

To ensure you are not caught by this vulnerability, is recommending key rotation to secure existing wallets. “This involves generating a new address with a repaired random number generator and then sending all the money in your wallet back to yourself. If you use an Android wallet then we strongly recommend that you upgrade to the latest version available in the Play Store as soon as one becomes available. Once your wallet is rotated, you will need to contact anyone who has stored addresses generated by your phone and give them a new one”, explains the organization.

In the meantime, updates are being prepared for some wallet apps: Bitcoin Wallet's update is in beta testing now, BitcoinSpinner's update is also being prepared, Mycelium Wallet v0.6.5 can already be installed from Google Play or and the update of is also being prepared.

According to, “if you use Bitcoin Wallet by Andreas Schildbach, the key rotation will occur automatically soon after you upgrade. The old addresses will be marked as insecure in your address book. You will need to make a fresh backup”. This update has stopped using the SecureRandom class: instead, it reads from /dev/urandom directly.

Via and

Maria is an experienced journalist currently living in the UK. She has been writing about Bitcoin and the altcoin universe since 2013. She is also a member of the Lifeboat Foundation's New Money Systems Board and a big cryptocurrency supporter.
