Mobile Phone / Hand-held Device
Loss of Confidentiality
Discovered in the Wild
Android contains a flaw related to improper initialization of the underlying OpenSSL PRNG. The flaw is triggered when an application uses, for example, the Java Cryptography Architecture (JCA) for key generation, signing, or random number generation. The values generated may therefore not be cryptographically strong, and the impact of an attack depends on the affected application (e.g. compromise of a user's Bitcoin wallet).
The vendor has released a patch to OHA partners, addressing this vulnerability by ensuring the Android OpenSSL PRNG is initialized correctly.
To address this vulnerability, upgrade to the following versions or higher: version 3.15 for Bitcoin Wallet, version 0.7.0 for Mycelium Bitcoin Wallet, version 0.8.3b for BitcoinSpinner, and version 3.54 for Blockchain.