Bitcoin Forum
Author Topic: How was my mobile wallet hacked?  (Read 1573 times)
nepovim (OP)
Newbie
Activity: 3
Merit: 0
May 19, 2015, 09:58:44 PM
Last edit: May 20, 2015, 07:15:06 AM by nepovim
#1

This happened to me tonight, although not with as big an amount.

The wallet I installed was the Blockchain.info Wallet from Google Play. The reason I chose to install this software was that it allows spending unconfirmed balances, and I didn't want to wait between buying coins at the ATM and spending them on a beer. I chose to create a new wallet, scanned the code and charged it with some bits: https://blockchain.info/tx/358229fc237ce2653dbad4dd18b10f244c705f0a649c473a4bcb708daf373eac (1Bn9ReEocMG1WEW1qYjuDrdFzEFFDCq43F)


I wanted to spend some of it right after that, but it didn't submit... One or two minutes later, these funds were transferred somewhere else:
https://blockchain.info/tx/d700a81eaa5fb61800bba77639a84a6c29c42b7158521f7a886ed0207848dc5c
https://blockchain.info/tx/2b49fd78440ad80ddacd3587f968411fb110213137b33e42f46141e9616ab92f (1M9D9jbZz9yRDXPpGxQtjrF7KGUcTVPNy5)

My phone is obviously compromised and 0.167 of my money is lost. The backup created this file, but it is password protected and I don't think it is of any use anyway: https://www.dropbox.com/s/eb9h6olulm40c9w/wallet-2015-05-19.aes.json?dl=0

Be careful, when you create a new wallet. Make sure it doesn't have a history.
tspacepilot
Legendary
Activity: 1456
Merit: 1081
I may write code in exchange for bitcoins.
May 20, 2015, 02:12:43 AM
#2

If I understand you, you're saying that when you downloaded and installed a wallet program you tried to create a new address but you got this one instead:

https://blockchain.info/address/1Bn9ReEocMG1WEW1qYjuDrdFzEFFDCq43F

Are you saying that the particular app on Google Play is actually malware which gives people compromised addresses?  If so, you should probably try to report it on the Play Store.  If this is the case, you can't be the only one who has experienced this.  Are you sure you got the app signed by blockchain.info and not some look-alike one?
goosoodude
Hero Member
Activity: 584
Merit: 500
May 20, 2015, 04:09:07 AM
#3

That address is spend-linked to a number of other addresses including:
Code:
17hFzTAaYiDaqGBwCgtwH6sdr4RK3vjAbp
17avRbXtw6f7GBT5Ki9Zfg8L8gdD9Gui8r
1AroiyB3HqsFXmF3GMXHfjgR8S6vPW2ziK
1Bn9ReEocMG1WEW1qYjuDrdFzEFFDCq43F
1KT1bvm6ve6TukaULJ7JBH5EEQNyREUfsa
1HmMxpXbTcBxaCsDuWHRssySe8yz5iWV8K
165UoWuFHJfR27dpAcPsFiCQiLpuyMXkAc
1D6QHawAYYYTGrV11cpsjcggm2sg8zweCE
1QJfZrkLCdPdBCHtfHU5hki3aQFDMt1DRm
1JsyLdKXKAezLEsn2J6fTNwj6NKonTaYnk
1M9D9jbZz9yRDXPpGxQtjrF7KGUcTVPNy5
179yjfLjyhMDDwvgyjEqkZqBWgUCNLZSFi
1DiNFtxzRyx9jGD7v4Xfsc2jZTXeE4f8Yf
1DPv3GdjjxJJYqSvfgu7oMGURCSUniS8dr
17CgV9HvkJeC6ge5oyngpJ1j7DLmRY83sr
1CHELMEgEmx7amCqdDzn7s5MhWg4eRuVKf
1KESqxPF5WjChKpW4BwYbZ94Dc2RweWyeL
13UVfSDciWMRYmTm8Cc1eoHpY5kNTosezx
18BNnFBsiuWNJiqrJhQkHZL6ywuwR9d9R1
14e8hMvdz5geDegAgYF7VELQE4cFRHNQPT
12QABDg9eNTH9x3sWtEZ94UQh8B7djhc4a
16mkHo8USZpHSyZQoim8DzNtVZjQv9oc27
18tYPwUvYXmEZvVaUSiDXMDvHL2HjK2uAo
1MRzwcZodKWUNKE3LHfctZ1ax4fobaHJZ4
1CBJASqXfELmkU9u7kbYs7hkAYyRG6P6Kr
1Lh1wncZnGjeksHMXgPzMREJZkuVrEn1XN
1J8rEn2DGDLLYQxWwJuVh7B1fj1Ebb3wiJ
15ZLvKsafJDUPE1LWPCRrCBa1vGVmGPePu
17NZ49ndzAoihpuJyazWm8YtszGVn3SSLg
1MxS8AiJrfk4ra7kHdTsWZdSZ1myAiZr11
1NZBgQiQHyMc3Ec9eQYoRwSnauLTBkXpjh
141zM4gjhBzwpb5hqDj7xryDkYZCigUEKa
179w5ZgRePzLWjb3ReG42eNJyiV8UePAiY
17gJKwYFtCdznB8TDgJWZwZqD8ZTpGiQ5K
1HDqj5fvDap3EcWhkWfVRSpWxiQfHMarrg
1BDF295Y434DXZR6RqEDSteYyxQxUfLF1d
1HVH8zWQfuTyDfp39S2mERUavE5MUdq4sr
19iiNC9vgLhYikAR6WdW8vvey7qcQu4tza
141QgsHaJRviDuF8ZCFcEmaJSTPvijmheG
13wD39dLvgrvjfdhtNfeu5iHsXA3X4uBRj
14arXV2QzddSh84DSnnG5cdxp1WVXema75
15PSKDjn9nEenCtrppLU6gQuiTUqpSX7KU
15ZRjee46qkwmzbRb2KeWSj4vbvRbqD3Eu
1BgMVxKE7Ewd29wCzeyKDZCvCmENN2KPZF
1GfqycM9F2b3KkTTA7q4rkLuTd8jdajnLJ
1H9gxxuiuN872o88W6mjUGrs9VSu1McVWX
1LKFU1f4HKK4JCCBRBuKQLyMCZnBpt1Vzt
1DCZkjQCEGmbava6D8C6vrkMvnKgESid3J
1PXoXC5X3XMZAMcjqCHMMQXXyhmKAmhrs6
14Ax84z2QCRF5wqVoo4AyofVHgxAFMviGF
1PbH8YUn5Cv1MGfc2ERdVUJDamvreazKxY
Interestingly, it appears that every time funds are spent from that address the wallet is not emptied, sometimes leaving as much as 0.2 BTC unspent within the addresses spend-linked together. Additionally, it appears that when funds are spent from addresses linked together, they are spent to various other wallets that are linked together.

Both of the above would imply that the addresses were in fact not created with a weak RNG with the intention of stealing funds of users who send funds to addresses created by the wallet.

Your description of the situation would imply that the wallet software that you downloaded creates addresses with a weak RNG, allowing the dev of the wallet to know which addresses users of the wallet will create in order to allow him to steal funds.

I do not have access to a VM that would allow me to safely download and open the file you linked, so I am not able/willing to take a look at your file, and I would recommend that anyone trying to help not open the file without the safety of a VM.
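The "spend-linked" list and the leftover-balance observation in the post above come from the common-input-ownership heuristic: addresses whose outputs are spent together in one transaction are assumed to belong to one wallet. The following is an added example, not code from this thread or from any block explorer, that applies that heuristic to a small constructed transaction set (the txids, addresses and amounts are made up; "tx-0" with no inputs stands in for funding that arrived from outside the sample) and then reports each cluster and how much it still holds unspent, which is the kind of check a responder runs to see whether a thief's wallet drains fully or leaves change behind.

```python
from collections import defaultdict

# Constructed sample transactions (not real chain data). Amounts are in satoshis.
# An input references an earlier output as (txid, output_index), as on chain.
# "tx-0" has no inputs: it represents funding that came from outside this sample.
SAMPLE_TXS = [
    {"txid": "tx-0", "inputs": [],
     "outputs": [("addr-1", 50_000_000), ("addr-4", 10_000_000), ("addr-6", 100_000_000)]},
    {"txid": "tx-a", "inputs": [("tx-0", 0)],
     "outputs": [("addr-2", 30_000_000), ("addr-3", 20_000_000)]},
    {"txid": "tx-b", "inputs": [("tx-a", 0), ("tx-0", 1)],
     "outputs": [("addr-5", 40_000_000)]},
    {"txid": "tx-c", "inputs": [("tx-0", 2)],
     "outputs": [("addr-7", 90_000_000), ("addr-8", 10_000_000)]},
    {"txid": "tx-d", "inputs": [("tx-b", 0), ("tx-c", 0)],
     "outputs": [("addr-9", 125_000_000), ("addr-2", 5_000_000)]},
]


class UnionFind:
    """Disjoint-set forest used to merge addresses into ownership clusters."""

    def __init__(self):
        self.parent = {}

    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]  # path halving
            x = self.parent[x]
        return x

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def index_outputs(txs):
    """Map (txid, index) -> (address, amount) so inputs can be resolved to addresses."""
    return {(tx["txid"], i): out for tx in txs for i, out in enumerate(tx["outputs"])}


def cluster_addresses(txs):
    """Common-input-ownership heuristic: addresses spent together in one transaction
    are assumed to be controlled by the same wallet.
    Returns a mapping address -> frozenset of the cluster it belongs to."""
    outputs = index_outputs(txs)
    uf = UnionFind()
    for addr, _ in outputs.values():
        uf.find(addr)  # register every address, even ones never spent from
    for tx in txs:
        spenders = [outputs[ref][0] for ref in tx["inputs"]]
        for other in spenders[1:]:
            uf.union(spenders[0], other)
    members = defaultdict(set)
    for addr in list(uf.parent):
        members[uf.find(addr)].add(addr)
    return {addr: frozenset(members[uf.find(addr)]) for addr in list(uf.parent)}


def unspent_balance(txs, cluster):
    """Sum of outputs paid to `cluster` that no transaction in `txs` has spent."""
    outputs = index_outputs(txs)
    spent = {ref for tx in txs for ref in tx["inputs"]}
    return sum(amt for ref, (addr, amt) in outputs.items()
               if addr in cluster and ref not in spent)


def spend_linked(txs, address):
    """Addresses spend-linked to `address` (its cluster, excluding itself)."""
    return cluster_addresses(txs)[address] - {address}


if __name__ == "__main__":
    clusters = cluster_addresses(SAMPLE_TXS)
    for c in sorted(set(clusters.values()), key=sorted):
        print(sorted(c), "unspent:", unspent_balance(SAMPLE_TXS, c), "sat")
```

The heuristic only merges on co-spending, so an address that has received coins but never spent them (addr-3, addr-8, addr-9 in the sample) stays a singleton; change sent back to an already-clustered address (addr-2 in tx-d) is what produces the "not emptied" leftover the post describes.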
nepovim (OP)
Newbie
Activity: 3
Merit: 0
May 20, 2015, 07:23:53 AM
#4

Originally I wanted to reply to another topic, somehow I created a new topic instead.

I'm not sure how this thing was done technically. Possibilities that I can think of:

  • I installed some malware with some other application.
  • Malware somehow installed without my action.
  • Man-in-the-middle replaced downloaded package with compromised one.
  • Original package is hacked

I'm not sure how to investigate this situation.
goosoodude
Hero Member
Activity: 584
Merit: 500
May 20, 2015, 07:28:22 AM
#5

Originally I wanted to reply to another topic, somehow I created a new topic instead.

I'm not sure how this thing was done technically. Possibilities that I can think of:

  • I installed some malware with some other application.
  • Malware somehow installed without my action.
  • Man-in-the-middle replaced downloaded package with compromised one.
  • Original package is hacked

I'm not sure how to investigate this situation.
Why don't you post a link to the site that you downloaded the bc.i wallet from on the Google Play store? Once you do that, someone can potentially try to recreate your experience. I would personally doubt that the theft is due to any of the above, but rather that the theft (if it is in fact legit) is due to using a version of a wallet that creates addresses that are easily predetermined by the dev who created the wallet software.
Xialla
Legendary
Activity: 1036
Merit: 1001
/dev/null
May 20, 2015, 08:00:35 AM
#6

ohh fuck, sorry for your loss, but it seems that we had some scamming retard here.

just try to contact weebly and gather as much as possible about owner/admin of http://kidcratedigger.weebly.com/contact--donations.html

Sad(
spin
Sr. Member
Activity: 362
Merit: 262
May 21, 2015, 10:52:48 AM
Last edit: May 21, 2015, 11:16:28 AM by spin
#7

On blockchain.info it has some weird label: "00000123456":  
https://blockchain.info/address/1Bn9ReEocMG1WEW1qYjuDrdFzEFFDCq43F

This seems to be a bug?  Is this some brainwallet?


If you liked this post buy me a beer.  Beers are quite cheap where I live!
bc1q707guwp9pc73r08jw23lvecpywtazjjk399daa
Muhammed Zakir
Hero Member
Activity: 560
Merit: 509
I prefer Zakir over Muhammed when mentioning me!
May 21, 2015, 01:31:33 PM
Last edit: May 21, 2015, 02:02:56 PM by Muhammed Zakir
#8

On blockchain.info it has some weird label: "00000123456": 
https://blockchain.info/address/1Bn9ReEocMG1WEW1qYjuDrdFzEFFDCq43F

This seems to be a bug?  Is this some brainwallet?

That label was added by the owner of that address. Anybody can label addresses they own on Blockchain.info - https://blockchain.info/tags

P.S. 1Bn9ReEocMG1WEW1qYjuDrdFzEFFDCq43F & 1M9D9jbZz9yRDXPpGxQtjrF7KGUcTVPNy5 are linked with many other addresses. We might get something from any of those addresses. https://www.walletexplorer.com/wallet/08fc8ad4e41d607d/addresses

Edit:

-snip-
Both of the above would be imply that the addresses was in fact not created with a weak RNG with the intention of stealing funds of users who send funds to addresses created by the wallet.

Your description of the situation would imply that the wallet software that you downloaded creates addresses with a weak RNG, allowing the dev of the wallet to know which addresses users of the wallet will create in order to allow him to steal funds.
 -snip-

Does it have anything to do with the Android RNG vulnerability? But that is a two-year-old thing: https://bitcoin.org/en/alert/2013-08-11-android

Andre#
Hero Member
Activity: 737
Merit: 500
May 27, 2015, 06:54:11 AM
#9

Another victim:

http://www.reddit.com/r/Bitcoin/comments/37ei2b/ive_just_been_hacked_6_btc_to/
spin
Sr. Member
Activity: 362
Merit: 262
May 27, 2015, 11:19:44 AM
#10

On blockchain.info it has some weird label: "00000123456": 
https://blockchain.info/address/1Bn9ReEocMG1WEW1qYjuDrdFzEFFDCq43F

This seems to be a bug?  Is this some brainwallet?

That label was added by the owner of that address. Anybody can label address they own in Blockchain.info - https://blockchain.info/tags

In that case the tag should tell us about the hacker, as it's most likely the hacker who gave it the label?

spin
Sr. Member
Activity: 362
Merit: 262
May 27, 2015, 11:23:46 AM
#11

https://blockchain.info/address/1BU265DRxUGJsA9gX8RqyuWkMGD8AMjyR9
Also has the same tag: 00000123456

Muhammed Zakir
Hero Member
Activity: 560
Merit: 509
I prefer Zakir over Muhammed when mentioning me!
May 28, 2015, 12:08:48 PM
#12

On blockchain.info it has some weird label: "00000123456": 
https://blockchain.info/address/1Bn9ReEocMG1WEW1qYjuDrdFzEFFDCq43F

This seems to be a bug?  Is this some brainwallet?

That label was added by the owner of that address. Anybody can label address they own in Blockchain.info - https://blockchain.info/tags

In that case the tag should tell us about the hacker, as it's most likely the hacker who gave it the label?

Yes but I don't think you should completely trust that labeling because I can label an address I created with your name. This can also be a trap for someone else. IDK.
