Bitcoin.org released a security advisory over the weekend warning the Bitcoin community that any Bitcoin wallet generated on any Android device is insecure and open to theft. The insecurity appears to stem from a flaw in the Android Java SecureRandom class, which under certain circumstances can produce numbers that aren't truly unpredictable. This can allow an attacker to work out a victim's cryptographic private key. Private keys are used to sign Bitcoin transactions; if an attacker has a victim's private key, the attacker can execute Bitcoin transactions as if he were that person.

So far, it appears that the vulnerability has been used to steal at least 55 BTC (approximately $5,720 as of this morning).

To conduct a Bitcoin transaction, a user transfers BTC from his address to the intended recipient's address; when this happens, the sender attaches the recipient's cryptographic public key to the end of that bitcoin's record (its "blockchain") and signs that addition with his own cryptographic private key. This addition is broadcast out across the Bitcoin network, and other users verify the transaction and are rewarded for their verification work with new bitcoins (this verification work, also called "mining," is currently the predominant method of Bitcoin creation). Bitcoin users can generate as many Bitcoin addresses as they like, and in fact users are encouraged to generate lots and lots of addresses to increase their anonymity—up to and including generating a brand-new address for every single transaction they'd like to make.

Private keys, as their name makes clear, must be kept private. Knowing the private key of a Bitcoin address means you can execute transactions on behalf of that address, and if that address happens to have 100 BTC in it, an attacker with the private key can legitimately transfer those BTC to another address—like one of his own. The anonymous and distributed nature of bitcoins protects against individual bitcoins being spent more than once—I can't claim I own your bitcoins and spend them, for example, because I can't validly sign your bitcoins' blockchains on your behalf. This vulnerability, though, sidesteps the protections built in against "double-spending." There's no way to "roll back" validly signed transactions—even if executed with a fraudulent key.

Currently, the flaw appears to affect any and all Bitcoin addresses generated on any and all Android Bitcoin apps, including popular apps like Bitcoin Wallet, BitcoinSpinner, Blockchain.info, and Mycelium Bitcoin Wallet. These apps generate insecure private keys with the broken SecureRandom function. Developers of the apps are aware of the issue, and new versions are being rolled out (Blockchain's new version is already available; others are in development right now).
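The article does not spell out where a repeating random source becomes visible; in ECDSA, which Bitcoin uses for signing, it is the per-signature nonce, and a repeated nonce yields an identical r value in the signature that anyone reading the chain can see. The following added example (written for this page, not code from the article or from any of the apps named) signs two constructed messages with a stuck random source and then with a proper one, and runs the duplicate-r check a wallet operator could use to spot affected addresses; the minimal secp256k1 arithmetic, the `sign` and `repeated_r` helpers and the `STUCK_K` value are all illustrative constructions.

```python
import hashlib
import secrets
from collections import defaultdict

# secp256k1 domain parameters (public constants)
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def _add(a, b):
    """Affine point addition/doubling on y^2 = x^3 + 7 (illustrative only: no infinity handling)."""
    if a == b:
        lam = 3 * a[0] * a[0] * pow(2 * a[1], -1, P) % P
    else:
        lam = (b[1] - a[1]) * pow(b[0] - a[0], -1, P) % P
    x = (lam * lam - a[0] - b[0]) % P
    return x, (lam * (a[0] - x) - a[1]) % P

def _mul(k, pt):
    """Double-and-add scalar multiplication k*pt."""
    acc = None
    while k:
        if k & 1:
            acc = pt if acc is None else _add(acc, pt)
        pt = _add(pt, pt)
        k >>= 1
    return acc

def sign(priv, msg, nonce_fn):
    """ECDSA (r, s); r depends only on the nonce k, so a repeated k shows up as a repeated r."""
    z = int.from_bytes(hashlib.sha256(msg).digest(), "big") % N
    k = nonce_fn()
    r = _mul(k, G)[0] % N
    s = pow(k, -1, N) * (z + r * priv) % N
    return r, s

def repeated_r(signatures):
    """Defender's check: r values that appear in more than one signature from the same key."""
    counts = defaultdict(int)
    for r, _ in signatures:
        counts[r] += 1
    return {r for r, c in counts.items() if c > 1}

PRIV = secrets.randbelow(N - 1) + 1
STUCK_K = 0x1234  # constructed: stands in for a random source that hands back the same value twice
BROKEN = [sign(PRIV, m, lambda: STUCK_K) for m in (b"tx1", b"tx2")]
HEALTHY = [sign(PRIV, m, lambda: secrets.randbelow(N - 1) + 1) for m in (b"tx1", b"tx2")]
```

With the stuck source both signatures share r (only s differs, because the messages differ), so `repeated_r(BROKEN)` flags the key while `repeated_r(HEALTHY)` returns an empty set.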

The Genesis Block's write-up suggests a three-step mitigation process if you have any bitcoins parked at an address generated by an Android-based Bitcoin app:

1. Generate a new address on a secure random number generator.
2. Transfer all existing bitcoins to the new address. Do not send any bitcoins from this address using an Android device until the updates are implemented.
3. Notify any users of your old address of the change so that the compromised address does not receive any more bitcoins.

The exploit is already active and has been used in the wild to steal bitcoins, so if you're affected, these steps should be taken ASAP. Some of the updated apps will automatically take care of new key generation when installed, but specifics will vary by application.

This flaw affects Android apps only. Bitcoin addresses generated on other platforms' apps, or via Bitcoin wallet providers' websites, are unaffected by this specific vulnerability.