Security Threats from Bitcoin Wallet Smartphone Applications: Vulnerabilities, Attacks, and Countermeasures

Nowadays, Bitcoin is the most popular cryptocurrency. With the proliferation of smartphones and high-speed mobile Internet, more and more users have started accessing their Bitcoin wallets on their smartphones. Users can download and install a variety of Bitcoin wallet applications (e.g., Coinbase, Luno, Bitcoin Wallet) on their smartphones and access their Bitcoin wallets anytime and anywhere. However, it is still unknown whether these Bitcoin wallet smartphone applications are secure or whether they open new attack surfaces that adversaries can use against their users. In this work, we explored the security of the 10 most popular Bitcoin wallet smartphone applications and discovered three security vulnerabilities. By exploiting them, adversaries can launch various attacks, including Bitcoin deanonymization, reflection and amplification spamming, and wallet fraud attacks. To address the identified security vulnerabilities, we developed a phone-side Bitcoin Security Rectifier to secure Bitcoin wallet smartphone application users. The developed rectifier does not require any modifications to current wallet applications and is compliant with Bitcoin standards.