Topic: android malware? (I get different invalid certificates when browsing bitcoin ... (Read 1946 times)

legendary
Activity: 980
Merit: 1004
Firstbits: Compromised. Thanks, Android!
For the record...

I'd noticed I've been having some issues like this with my Android smartphone as well. I emailed the owner of StrongCoin about it, and he acknowledged that he is hosting (on a cloud server) with the company named on the mismatched certificate I saw. Apparently they use a newer SSL protocol which tries to handle non-fixed IP addresses but can be quirky with some browsers. I can see how smartphone browsers would be the ones that don't quite mesh well with it.

I tried Firefox for Android and had no issues.
legendary
Activity: 1862
Merit: 1114
WalletScrutiny.com
ff said the certificate was issued by "StartCom" (like the stock browser and dolphin) but without a warning.

Opera does not allow getting any details about the HTTPS certificate.
legendary
Activity: 1862
Merit: 1114
WalletScrutiny.com
I would say it is some kind of DNS poisoning. My A/B test with Dolphin was more of an A/A test, as my brother told me, so I tried Firefox as well and there I get no certificate warning. On the other hand, in FF for Android there is no way to see the certificate details either, so I'm a bit nervous. Installing Opera atm.
hero member
Activity: 630
Merit: 500
Hum... from two different Internet connections it is hard to believe a router is malicious... it would need to be some sort of backbone router shared both by your home wifi and your 3g.

On the other hand, why would malware bother about faking a certificate? It is running locally; it could modify your browser itself and make it believe it's sending data to the correct server while it is not. Unless the fact that by default Android apps do not have root privilege prevents malware from doing things like that.

Summarizing, I don't have a clue about what's going on.
legendary
Activity: 1862
Merit: 1114
WalletScrutiny.com
With the Dolphin browser I get the same certificate warning.
legendary
Activity: 1862
Merit: 1114
WalletScrutiny.com
Actually the problem first occurred when I tried to show Bitcoin to a friend on Tuesday (3G)
and persists today here at home (airplane mode with WiFi).

I "$ adb shell"ed into my phone and checked the IP via ping, but this looked fine. Next I'll try an alternative browser.
hero member
Activity: 630
Merit: 500
You're on 3G or wifi? Does the problem remain if you switch the way you connect to the Internet?

It's true that any router may be trying to trick you, but it is unlikely that a professional ISP is doing it.
legendary
Activity: 1862
Merit: 1114
WalletScrutiny.com
I was able to send my coins out of the Schildbach client to my desktop and will further investigate. Well... my brother will. He said something about root certificate voodoo on some router.
hero member
Activity: 630
Merit: 500
Interesting...

From my phone I see the same certificate as from my desktop. If you're not using any proxy to connect your phone to Instawallet, then it's probably malware.
legendary
Activity: 1862
Merit: 1114
WalletScrutiny.com
This is getting interesting. The forum has the same problem: non-trusted issuer StartCom something. So malware in the wild?
How do I debug this?
I have the Schildbach client on my phone and I'm somewhat concerned now.

Somehow I don't think that the Google Market was the vector here. If the Schildbach wallet was compromised there would be no need to mess around with certificates. I am very paranoid about trusting Bitcoin apps (see this forum).
I recently installed 40 apps around flash cards, so yes, I do have many apps, but as soon as it is about Bitcoin I don't touch it.
legendary
Activity: 1862
Merit: 1114
WalletScrutiny.com
On my desktop I get this fingerprint:
87 88 81 6A D8 5B 78 99 DD D5 BC 73 24 00 93 68 C3 20 DE B7 B2 8B 34 1C AA 56 7E 9D 96 48 D5 B2

On my phone I don't know how to get hands on the fingerprint but here are more details:
Assigned to (*):
Common name: StartCom Certification Authority

Assigned by:
Common name: StartCom Certification Authority

Valid: 2006-09-17 to 1936-09-17 (yes, 1936)


On the desktop I assume I see the same as you:
Assigned to (*):
www.instawallet.org
Persona Not Validated
StartCom Free Certificate Member

Assigned by:
StartCom Class 1 Primary Intermediate Server CA
StartCom Ltd.
Secure Digital Certificate Signing

Valid: 2011-04-26 to 2012-04-26
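The comparison the post above does by hand (fingerprint on the desktop, subject/issuer/validity on the phone) is easier to get right with a script that fetches the certificate actually presented on a given network and compares its SHA-256 fingerprint against a value recorded elsewhere. The following is an added example, not code from the thread; it uses only the Python standard library, takes the desktop fingerprint and the host name from the post above, and adds one knob the thread does not mention explicitly: whether the client sends SNI, since a server hosting several names on one address can hand a non-SNI client a different certificate than a desktop browser sees. The `resolve` helper covers the DNS-poisoning theory raised earlier in the thread by listing what the local resolver returns, so the same script run on 3G and on WiFi can be diffed.

```python
import hashlib
import re
import socket
import ssl

# Desktop fingerprint quoted in the thread (SHA-256, spaced hex exactly as the browser showed it).
DESKTOP_FINGERPRINT = (
    "87 88 81 6A D8 5B 78 99 DD D5 BC 73 24 00 93 68 "
    "C3 20 DE B7 B2 8B 34 1C AA 56 7E 9D 96 48 D5 B2"
)


def normalize_fingerprint(fp: str) -> str:
    """Reduce a fingerprint copied from any viewer (spaces, colons, mixed case) to bare upper-case hex."""
    return re.sub(r"[^0-9a-fA-F]", "", fp).upper()


def fingerprint_sha256(der: bytes) -> str:
    """SHA-256 over the DER encoding, formatted the way the thread quotes it ("87 88 81 ...")."""
    hexdigest = hashlib.sha256(der).hexdigest().upper()
    return " ".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))


def fingerprints_match(a: str, b: str) -> bool:
    """True only if both are full 32-byte digests and identical after normalisation."""
    na, nb = normalize_fingerprint(a), normalize_fingerprint(b)
    return len(na) == 64 and na == nb


def resolve(host: str) -> list:
    """Addresses the local resolver returns for host (network call); diff this across connections."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, 443)})


def fetch_leaf_der(host: str, port: int = 443, send_sni: bool = True) -> bytes:
    """Return the leaf certificate the server presents, in DER form (network call).

    Verification is deliberately switched off: a chain or hostname failure is the
    symptom under investigation, and we still want the exact bytes that were sent.
    send_sni=False mimics a client without the Server Name Indication extension,
    which on name-based virtual hosting can yield a different certificate.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # must be cleared before verify_mode is relaxed
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host if send_sni else None) as tls:
            return tls.getpeercert(binary_form=True)


def compare_to_expected(der: bytes, expected: str) -> dict:
    """Small report: observed fingerprint, normalised expected value, and whether they agree."""
    observed = fingerprint_sha256(der)
    return {
        "observed": observed,
        "expected": normalize_fingerprint(expected),
        "match": fingerprints_match(observed, expected),
    }


if __name__ == "__main__":
    # Live use: run once per network (3G, WiFi) and compare the output.
    host = "www.instawallet.org"  # host name taken from the thread
    print("resolver:", resolve(host))
    for sni in (True, False):
        der = fetch_leaf_der(host, send_sni=sni)
        print("with SNI" if sni else "without SNI", compare_to_expected(der, DESKTOP_FINGERPRINT))
```

A mismatch between the two `send_sni` runs points at the hosting setup rather than at the phone; a mismatch between networks with identical resolver output points at something on the path; a mismatch that follows the phone across networks, with the desktop agreeing everywhere, is the case where the device itself deserves scrutiny.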
hero member
Activity: 482
Merit: 502
Correct certificate for me. StartCom, same date...
Check your phone and network. Try another device on same network or same device on different network. Have you installed some bitcoin related SW from market?
hero member
Activity: 630
Merit: 500
Were you using Orbot?

Also, is the CA the same? I see a StartCom certificate that expires on 25/04/2012.
legendary
Activity: 1862
Merit: 1114
WalletScrutiny.com
Hi,

When I try to visit instawallet.org via my Android phone I get a certificate warning, and the certificate I get presented dates to 2006-09-17, while the one I see when I go there with my desktop browser dates to something this year.

Strangely searching for instawallet here on the forum returned zero results!?!?

Any ideas anybody?