Bitcoin Forum
Topic: android malware? (I get different invalid certificates when browsing bitcoin ...
giszmo
December 01, 2011, 11:35:29 AM
 #1

Hi,

when I try to visit instawallet.org via my android phone I get a certificate warning and the certificate I get presented dates to 2006-09-17 while the one I see when I go there with my desktop browser dates to something this year.

Strangely searching for instawallet here on the forum returned zero results!?!?

Any ideas anybody?

EhVedadoOAnonimato
December 01, 2011, 11:48:50 AM
 #2

Were you using Orbot?

Also, is the CA the same? I see a StartCom certificate that expires on 25/04/2012.
Deafboy
December 01, 2011, 12:05:12 PM
 #3

Correct certificate for me. StartCom, same date...
Check your phone and network. Try another device on same network or same device on different network. Have you installed some bitcoin related SW from market?
giszmo
December 01, 2011, 12:07:47 PM
 #4

On my desktop I get this fingerprint:
87 88 81 6A D8 5B 78 99 DD D5 BC 73 24 00 93 68 C3 20 DE B7 B2 8B 34 1C AA 56 7E 9D 96 48 D5 B2

On my phone I don't know how to get hands on the fingerprint but here are more details:
Assigned to (*):
Common name: StartCom Certification Authority

Assigned by:
Common name: StartCom Certification Authority

Valid: 2006-09-17 to 1936-09-17 (yes, 1936)


On desktop I assume I see the same as you:
Assigned to (*):
www.instawallet.org
Persona Not Validated
StartCom Free Certificate Member

Assigned by:
StartCom Class 1 Primary Intermediate Server CA
StartCom Ltd.
Secure Digital Certificate Signing

Valid: 2011-04-26 to 2012-04-26
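
The comparison described in this post, as an added example that is not part of the original thread: it normalizes a SHA-256 fingerprint in the spaced-hex form posted above, can fetch the fingerprint a server presents on the current network, and flags the differences between a reference view and a suspect view. `Seen`, `triage`, `normalize_fp` and `fetch_fingerprint` are names made up for this sketch.

```python
import hashlib
import socket
import ssl
from dataclasses import dataclass
from typing import List, Optional

def normalize_fp(text: str) -> str:
    """Turn '87 88 81 ...' or '87:88:81:...' into 64 lowercase hex chars."""
    fp = "".join(ch for ch in text if ch not in " :\t\n").lower()
    if len(fp) != 64 or any(ch not in "0123456789abcdef" for ch in fp):
        raise ValueError("not a SHA-256 fingerprint: %r" % text)
    return fp

def fetch_fingerprint(host: str, port: int = 443) -> str:
    """SHA-256 of the first certificate served to this machine on this network.
    Verification is off on purpose: we want to see what is served even when
    it would not validate. No application data is sent over the connection."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return hashlib.sha256(tls.getpeercert(binary_form=True)).hexdigest()

@dataclass
class Seen:
    """What one client displayed for the site (names are this example's own)."""
    subject_cn: str
    issuer_cn: str
    fingerprint: Optional[str] = None  # None when the client cannot show it

def triage(host: str, reference: Seen, suspect: Seen) -> List[str]:
    """Compare a suspect view with a reference view that has a fingerprint."""
    findings = []
    if suspect.subject_cn == suspect.issuer_cn:
        findings.append("self-issued (subject == issuer), not a site certificate")
    if suspect.subject_cn not in (host, "*." + host.split(".", 1)[-1]):
        findings.append("subject does not name the host")
    if suspect.fingerprint is None:
        findings.append("no fingerprint: fetch one from the same network")
    elif normalize_fp(suspect.fingerprint) != normalize_fp(reference.fingerprint):
        findings.append("fingerprint differs from reference")
    return findings

if __name__ == "__main__":
    # Values as posted in the thread: desktop is the reference, phone the suspect.
    desktop = Seen("www.instawallet.org", "StartCom Class 1 Primary Intermediate Server CA",
                   "87 88 81 6A D8 5B 78 99 DD D5 BC 73 24 00 93 68 C3 20 DE B7 B2 8B 34 1C AA 56 7E 9D 96 48 D5 B2")
    phone = Seen("StartCom Certification Authority", "StartCom Certification Authority")
    print(triage("www.instawallet.org", desktop, phone))
```

Running `fetch_fingerprint` from a laptop joined to the same Wi-Fi as the phone gives a fingerprint for that network path even when the phone's browser will not display one.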

giszmo
December 01, 2011, 12:16:46 PM
 #5

This is getting interesting. The forum has the same problem: non-trusted issuer StartCom something. So malware in the wild?
How do I debug this?
I have the Schildbach client on my phone and I'm somehow concerned now.

Somehow I don't think that the google market was the vector here. If the Schildbach wallet was compromised there would be no need to mess around with certificates. I am very paranoid about trusting bitcoin apps (see this forum).
I recently installed 40 apps around flash cards, so yes, I do have many apps but as soon as it is about bitcoin I don't touch it.

EhVedadoOAnonimato
December 01, 2011, 12:39:00 PM
 #6

Interesting...

From my phone I see the same certificate as from my desktop. If you're not using any proxy to connect your phone to instawallet, then it's probably malware.
giszmo
December 01, 2011, 12:46:40 PM
 #7

I was able to send my coins out of the schildbach client to my desktop and will further investigate. well ... my brother will. said something about root certificate voodoo on some router something.

EhVedadoOAnonimato
December 01, 2011, 01:12:26 PM
 #8

You're on 3G or wifi? Does the problem remain if you switch the way you connect to the Internet?

It's true that any router may be trying to trick you, but it is unlikely that a professional ISP is doing it.
giszmo
December 01, 2011, 01:23:53 PM
 #9

Actually, the problem first occurred when I tried to show bitcoin to a friend on Tuesday (3G)
and persists today here at home (plane mode with wifi).

I "$ adb shell"ed into my phone and checked the ip via ping but this looked fine. Next I try an alternative browser.

giszmo
December 01, 2011, 01:28:01 PM
 #10

With the Dolphin browser I get the same certificate warning.

EhVedadoOAnonimato
December 01, 2011, 03:01:47 PM
 #11

Hum... from two different Internet connections it is hard to believe a router is malicious... it would need to be some sort of backbone router shared both by your home wifi and your 3g.

On the other hand, why would malware bother about faking a certificate? It is running locally; it could modify your browser itself and make it believe it's sending data to the correct server while it is not. Unless the fact that by default Android apps do not have root privilege prevents malware from doing things like that.

Summarizing, I don't have a clue about what's going on.
giszmo
December 01, 2011, 09:13:31 PM
 #12

I would say it is some kind of DNS poisoning. My A/B test with Dolphin was more of an A/A test, as my brother told me, so I tried Firefox as well, and there I get no certificate warning. On the other hand, in FF for Android there is no way to see the certificate details either, so I'm a bit nervous. Installing Opera atm.

giszmo
December 01, 2011, 09:17:41 PM
 #13

ff said the certificate was issued by "StartCom" (like the stock browser and dolphin) but without a warning.

Opera does not allow getting any details about the HTTPS certificate.

westkybitcoins
December 04, 2011, 02:17:12 PM
 #14

For the record...

I'd noticed I've been having some issues like this with my Android smartphone as well. I emailed the owner of StrongCoin about it, and he acknowledged that he is hosting (on a cloud server) with the company named on the mismatched certificate I saw. Apparently they use a newer SSL protocol which tries to handle non-fixed IP addresses but can be quirky with some browsers. I can see how smartphone browsers would be the ones that don't quite mesh well with it.

I tried Firefox for Android and had no issues.
