DOI: 10.1145/3422337.3447832
Research article (Public Access), ACM conference proceedings (CODASPY)

Security Threats from Bitcoin Wallet Smartphone Applications: Vulnerabilities, Attacks, and Countermeasures

Published: 26 April 2021

Abstract

Nowadays, Bitcoin is the most popular cryptocurrency. With the proliferation of smartphones and the high-speed mobile Internet, more and more users have started accessing their Bitcoin wallets on their smartphones. Users can download and install a variety of Bitcoin wallet applications (e.g., Coinbase, Luno, Bitcoin Wallet) on their smartphones and access their Bitcoin wallets anytime and anywhere. However, it is still unknown whether these Bitcoin wallet smartphone applications are secure or if they are new attack surfaces for adversaries to attack these application users. In this work, we explored the insecurity of the 10 most popular Bitcoin wallet smartphone applications and discovered three security vulnerabilities. By exploiting them, adversaries can launch various attacks including Bitcoin deanonymization, reflection and amplification spamming, and wallet fraud attacks. To address the identified security vulnerabilities, we developed a phone-side Bitcoin Security Rectifier to secure Bitcoin wallet smartphone application users. The developed rectifier does not require any modifications to current wallet applications and is compliant with Bitcoin standards.

Supplementary Material

MP4 File (CODASPY21-fp331.mp4): Paper Presentation - Security Threats from Bitcoin Wallet Smartphone Applications: Vulnerabilities, Attacks, and Countermeasures




      Published In

      CODASPY '21: Proceedings of the Eleventh ACM Conference on Data and Application Security and Privacy
      April 2021, 348 pages
      ISBN: 9781450381437
      DOI: 10.1145/3422337
      Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from permissions@acm.org

      Publisher

      Association for Computing Machinery, New York, NY, United States

      Author Tags

      1. bitcoin wallets
      2. blockchain
      3. mobile networks
      4. security

      Qualifiers

      • Research-article

      Conference

      CODASPY '21

      Acceptance Rates

      Overall Acceptance Rate 149 of 789 submissions, 19%

      Bibliometrics & Citations

      Article Metrics

      • Downloads (Last 12 months)332
      • Downloads (Last 6 weeks)32
      Reflects downloads up to 13 Feb 2025

      Cited By
      • (2024) An ensemble learning method for Bitcoin price prediction based on volatility indicators and trend. Engineering Applications of Artificial Intelligence 133:PA. DOI: 10.1016/j.engappai.2024.107991. Online publication date: 1-Jul-2024
      • (2024) WalletRadar: towards automating the detection of vulnerabilities in browser-based cryptocurrency wallets. Automated Software Engineering 31:1. DOI: 10.1007/s10515-024-00430-3. Online publication date: 31-Mar-2024
      • (2023) Blockchain Technology and Related Security Risks: Towards a Seven-Layer Perspective and Taxonomy. Sustainability 15:18 (13401). DOI: 10.3390/su151813401. Online publication date: 7-Sep-2023
      • (2023) Analyzing the Threats to Blockchain-Based Self-Sovereign Identities by Conducting a Literature Survey. Applied Sciences 14:1 (139). DOI: 10.3390/app14010139. Online publication date: 22-Dec-2023
      • (2023) Security Aspects of Cryptocurrency Wallets: A Systematic Literature Review. ACM Computing Surveys 56:1 (1-31). DOI: 10.1145/3596906. Online publication date: 28-Aug-2023
      • (2023) NimbleChain: Speeding up Cryptocurrencies in General-purpose Permissionless Blockchains. Distributed Ledger Technologies: Research and Practice 2:1 (1-28). DOI: 10.1145/3573895. Online publication date: 14-Mar-2023
      • (2023) Perceptions of Distributed Ledger Technology Key Management - An Interview Study with Finance Professionals. 2023 IEEE Symposium on Security and Privacy (SP) (588-605). DOI: 10.1109/SP46215.2023.10335652. Online publication date: May-2023
      • (2023) A Systematic Review of User Authentication Security in Electronic Payment System. Proceedings of International Conference on Data Science and Applications (121-138). DOI: 10.1007/978-981-19-6631-6_10. Online publication date: 17-Feb-2023
      • (2023) Forensic Analysis of Android Cryptocurrency Wallet Applications. Advances in Digital Forensics XIX (21-36). DOI: 10.1007/978-3-031-42991-0_2. Online publication date: 19-Oct-2023
      • (2022) Modeling Vulnerability Discovery Process in Major Cryptocurrencies. Journal of Multimedia Information System 9:3 (191-200). DOI: 10.33851/JMIS.2022.9.3.191. Online publication date: 30-Sep-2022
