Researcher Discovers Serious Vulnerability In Paper Crypto Wallet Site (#GotBitcoin?)
A security researcher from MyCrypto.com, Harry Denley, has posted a detailed – and damning – analysis of paper wallet site WalletGenerator.net.
The core of the analysis hinges on WalletGenerator’s original open-source code, available here. Until August 17, 2018 the online code matched the open-source code and the entire project generated wallets using a client-side technique that took in real random entropy and produced a unique wallet. But sometime after that date the two sets of code stopped matching.
The result? The very real possibility that WalletGenerator is giving the same keys to multiple users. To test this, MyCrypto’s researcher ran the generator in bulk and got some odd results.
“Approaching from a different angle, we then used the “Bulk Wallet” generator to generate 1,000 keys. In the non-malicious, GitHub version, we are given 1,000 unique keys, as expected.
However, using WalletGenerator.net at various times between May 18, 2019 — May 23, 2019, we would only get 120 unique keys per session. Refreshing our browser, switching VPN locations, or having a different party perform the same test would result in a different set of 120 keys being generated.”
While the odd behavior was not observed as of last Friday (May 24), it could return at any time.
“We’re still considering this highly suspect and still recommending users who generated public / private keypairs after August 17, 2018, to move their funds,” the researcher says. “We do not recommend using WalletGenerator.net moving forward, even if the code at this very moment is not vulnerable.”
You can read the entire report here, but Denley recommends moving funds off of your WalletGenerator-based paper wallets. As there is no clear way to contact the “two random guy [sic] having fun with a side project” who apparently run the site, we can safely recommend you avoid the site altogether.
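The check Denley describes (generate keys in bulk, count how many are actually unique, repeat from a fresh session and compare) is easy to automate against any generator's output. The script below is an added example, not code from the MyCrypto report or from WalletGenerator; it assumes the bulk output is one "index,address,private_key" line per wallet (the format bitaddress-derived bulk generators emit) and uses a constructed sample plus a simulated generator, so it runs offline with no real keys involved.

```python
import secrets
from collections import Counter

# Constructed sample of bulk-wallet CSV output (placeholder values, not real keys).
# Wallet 3 repeats wallet 1, which is the symptom the audit should catch.
SAMPLE_BULK_CSV = """
1,"1ExampleAddrAAAA","5KexamplePrivKeyAAAA"
2,"1ExampleAddrBBBB","5KexamplePrivKeyBBBB"
3,"1ExampleAddrAAAA","5KexamplePrivKeyAAAA"
"""


def parse_bulk_csv(text):
    """Extract the private-key column from index,address,private_key lines.
    Assumption: third column holds the private key; header or blank lines are skipped."""
    keys = []
    for line in text.strip().splitlines():
        parts = [p.strip().strip('"') for p in line.split(",")]
        if len(parts) < 3 or not parts[0].isdigit():
            continue
        keys.append(parts[2])
    return keys


def bulk_generate(n, pool_size=None):
    """Simulate one generator session (hypothetical, for this example only).
    pool_size=None: every key comes from the OS CSPRNG, the healthy behaviour.
    pool_size=k:    the session cycles through a fixed pool of k keys, reproducing
                    the '1,000 requested, only 120 unique' symptom from the report."""
    if pool_size is None:
        return [secrets.token_hex(32) for _ in range(n)]
    pool = [secrets.token_hex(32) for _ in range(pool_size)]
    return [pool[i % pool_size] for i in range(n)]


def audit_keys(keys):
    """Count distinct keys and how often any key repeats within one session."""
    counts = Counter(keys)
    return {
        "total": len(keys),
        "unique": len(counts),
        "duplicated": sum(1 for c in counts.values() if c > 1),
        "max_repeats": max(counts.values(), default=0),
    }


def is_suspicious(report):
    """A sound generator never hands the same key out twice in one batch."""
    return report["unique"] < report["total"]


def shared_keys(session_a, session_b):
    """Keys that appear in both sessions. Two honest sessions share none; a
    generator with a small or shared pool may leak keys across users."""
    return len(set(session_a) & set(session_b))


if __name__ == "__main__":
    print("sample csv :", audit_keys(parse_bulk_csv(SAMPLE_BULK_CSV)))
    print("healthy    :", audit_keys(bulk_generate(1000)))
    bad = audit_keys(bulk_generate(1000, pool_size=120))
    print("degraded   :", bad, "suspicious" if is_suspicious(bad) else "ok")
```

Run it against a real bulk export by feeding the saved text to `parse_bulk_csv` and then `audit_keys`; any result where `unique` is below `total`, or where two separate sessions report a non-zero `shared_keys`, is grounds to stop using that generator.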
Global Android Vulnerability Could Grab Wallet And Banking Data
A newly-discovered vulnerability, called StrandHogg, could allow hackers access to private data on almost any Android phone and has already been used to access banking information. Documented by security firm Promon, the exploit affects all versions of Android.
The StrandHogg exploit isn’t particularly new – security researchers have known about a proof-of-concept version since 2015. A working, and potentially dangerous, version of the exploit only recently appeared in the wild hidden inside malware that has been propagating across the internet for the past year. Promon created an informational page for the exploit after discovering how widespread and dangerous it could be.
The exploit interrupts the flow of an app from launch to welcome screen and forces a user to give a piece of malware powerful permissions before letting the legitimate app run.
“Our researchers focused on describing the vulnerability, as such, but we also collaborated with Lookout Security who contributed some parts by scanning their datasets of malware. They found 36 malicious apps that exploit the flaw,” said Lars Lunde Birkeland, Promon’s Marketing & Communication Director.
“We tested the top 500 most popular apps and all of them are vulnerable,” he said.
According to Promon, all versions of Android, including Android 10, are affected, and even fully patched, seemingly secure phones are allegedly vulnerable.
Hiding In Plain Sight
The exploit works by hijacking a legitimate app as it’s launched on almost any Android phone. Instead of going to the welcome screen or login page, the exploit allows a piece of malware to display so-called permissions pop-ups, the kind that asks if the app can access your contacts, location, and stored data. When you approve the request, the malware is given all of the permissions instead of the legitimate app, which continues to run as if nothing happened.
“The victim clicks on the legit app but instead of being directed to the legit app the malware tricks the device to show a permission pop-up. The victim gives the malware and the attacker the permissions and then you’re redirected to the legit app,” said Birkeland.
The researchers found that a Trojan program called BankBot used the exploit to give itself powerful permissions that could intercept SMS messages, log keypresses, forward calls, and even lock a phone until you pay a ransom, a concern for anyone running banking, financial, or wallet apps on their phone.
“It’s a well-known banking Trojan and is seen in every country in the world,” said Birkeland.
The exploit can also show a fake login page for some apps on some Android phones but the permissions exploit is far more common.
“The vulnerability is quite serious. You, as an attacker, are able to carry out quite powerful attacks,” said Birkeland.
Promon discovered the malware when “several banks in the Czech Republic had reported money disappearing from customer accounts,” wrote the researchers.
“From here, through its research, Promon was able to identify the malware was being used to exploit a dangerous Android vulnerability. Lookout, a partner of Promon, also confirmed that they have identified 36 malicious apps exploiting the vulnerability. Among them were variants of the BankBot banking trojan observed as early as 2017,” they wrote.
“While Google has removed the affected apps, to the best of our knowledge, the vulnerability has not yet been fixed for any version of Android (incl. Android 10),” wrote the researchers.
Why is it called Strandhogg? That has to do with the company’s Swedish roots.
“The vulnerability has been named by Promon as ‘StrandHogg’, old Norse for the Viking tactic of raiding coastal areas to plunder and hold people for ransom,” wrote the researchers.
“We appreciate the researchers’ work, and have suspended the potentially harmful apps they identified. Google Play Protect detects and blocks malicious apps, including ones using this technique. Additionally, we’re continuing to investigate in order to improve Google Play Protect’s ability to protect users against similar issues,” said a Google spokesperson regarding the exploit.