Developers find Android flaw that makes bitcoin wallets vulnerable to theft

An Android flaw is compromising all wallets running on Google's mobile platform. Here's what to do.

AccessTimeIconAug 11, 2013 at 10:46 p.m. UTC
Updated Sep 10, 2021 at 11:28 a.m. UTC

Android wallet users were sent into a panic over the weekend, after Google discovered a flaw in its mobile operating system that rendered generated bitcoin addresses unsafe.

, the forum contributor who reported the bug, the way in which random numbers are generated in Android is flawed. Random numbers are used along with a private key to sign a transaction when sending from a bitcoin address. The flaw means that any random number used more than once with the same public bitcoin address enables that address to be compromised.

This problem will affect any Android-based bitcoin wallet user who has used a bitcoin address more than once. It means that a person could recover that user’s private signature by analyzing the transaction in the block chain, enabling them to spend bitcoins from that address.

If you have used the same random number more than once with the same bitcoin address when sending from an Android wallet, your bitcoins are in danger.

The solution is to generate a new bitcoin address using a repaired version of the random number generator, and then to send all your money in your wallet back to yourself, according to However, this relies on getting an updated version of your Android wallet if you're still going to use an Android-based app.

A report from Hearn suggests that an update of Andreas Schildbach’s Bitcoin Wallet has been prepared and is undergoing testing (a manual install is available via this forum posting for bitcoin users).

is preparing an update, as is Mycelium Wallet. has released an update, according to Hearn, which allows users to manually rotate keys. Another update in the next few days will automatically send all coins controlled by previous keys to the new one.

In the meantime, however, bitcoins are reportedly being stolen from compromised addresses. Over 55 bitcoins are said to have been sent to this address from compromised addresses.

The upshot of all this is that bitcoin users will learn something: never use the same bitcoin address twice. We have always known that not reusing addresses makes you less trackable online. It is also a way to protect against exploits such as these, which aren’t a fault of the bitcoin network at all, but are rather down to a flaw in a platform supporting third-party bitcoin wallet services.

It’s also worthwhile transferring coins from an online bitcoin address to a ‘cold’ offline wallet, leaving just enough coins in your hot wallet to cover basic transactions.

Finally, once your bitcoins have been transferred to the new, safe address, back up your wallet.

Image credit: Flickr / pittaya


Please note that our privacy policy, terms of use, cookies, and do not sell my personal information has been updated.

CoinDesk is an award-winning media outlet that covers the cryptocurrency industry. Its journalists abide by a strict set of editorial policies. In November 2023, CoinDesk was acquired by the Bullish group, owner of Bullish, a regulated, digital assets exchange. The Bullish group is majority-owned by; both companies have interests in a variety of blockchain and digital asset businesses and significant holdings of digital assets, including bitcoin. CoinDesk operates as an independent subsidiary with an editorial committee to protect journalistic independence. CoinDesk employees, including journalists, may receive options in the Bullish group as part of their compensation.