The problem lies with the Android implementation of the Java SecureRandom class which, according to Google software developer Mike Hearn who also works on the Bitcoin virtual currency system, makes all private keys generated on Android devices weak and easily worked out by attackers.
As each Bitcoin transaction must be signed with the private key associated with the Bitcoin address of the person that intends to transfer money, it's easy to see how knowing someone's cryptographic private key might allow a malicious individuals to empty that person's wallet.
And when it comes to Bitcoin, no validly signed transaction can be reversed - meaning that the money transferred this way is lost to the original owner forever.
According to The Bitcoin Foundation, all Android Bitcoin apps were affected, but Bitcoin Wallet, Mycelium Wallet and blockchain.info have already been updated to remove the flaw.
"In order to re-secure existing wallets, key rotation is necessary. This involves generating a new address with a repaired random number generator and then sending all the money in your wallet back to yourself," the Foundation noted.
"If you use an Android wallet then we strongly recommend you to upgrade to the latest version available in the Play Store as soon as one becomes available. Once your wallet is rotated, you will need to contact anyone who has stored addresses generated by your phone and give them a new one. If you use Bitcoin Wallet by Andreas Schildbach, key rotation will occur automatically soon after you upgrade. The old addresses will be marked as insecure in your address book. You will need to make a fresh backup."
This should be done as soon as possible, as there are reports that attacks taking advantage of this flaw might already be happening.
By subscribing to our early morning news update, you will receive a daily digest of the latest security news published on Help Net Security.
With over 500 issues so far, reading our newsletter every Monday morning will keep you up-to-date with security risks out there.