Binance, the world’s largest Bitcoin exchange, discovered a vulnerability in the exchange’s mobile app. Android users were losing Bitcoin without their own access due to this vulnerability. The intervention from the Binance front was quick.
Lukas Stefanko, who has been working as a malware researcher and analyst at ESET, which has been producing digital security solutions since 1992, shared a preview of the Binance vulnerability in his Twitter account today. Stefanko, who also detailed the solution method in the rest of his tweet, also gave advice about security to his followers.
Demo of Binance wallet theft using Accessibility services
Android PoC malware misuses accessibility to take control over device to withdraw Bitcoins without any user interaction.
Binance swiftly fixed the issue.
Research & video by @yonas_leguesse
Paper: https://t.co/AcbtZjKaV2 pic.twitter.com/88PvCyMyXZ
— Lukas Stefanko (@LukasStefanko) October 14, 2020
Dr. Stefanko advised her readers not to download apps from anywhere other than the Google Play store, and the permissions granted to downloaded apps should also be checked. Another advice given by the researcher is that an up-to-date antivirus program should be available on Android devices.
Users and developers must act together
While it is possible to sense the anxiety of the users in the comments to the tweet showing the Binance vulnerability, users and application developers should focus on solving such problems together. A Twitter user commenting on the subject says:
Once you allow access, you can already do anything, why does this only have to do with Binance? Even if verification is requested in the future, can’t you even get over it with malware?
While another user named @yonas_leguesse answered the question, it is understood that the user was actually the person who created the preview video in Stefanko’s tweet. According to @ yonas_leguesse, the situation is purely for attention:
Against these kinds of security problems, users should avoid using unreliable software and application developers should establish a more resistant protection system against such vulnerabilities.
Binance, on the other hand, has taken a quick action to resolve the situation, and has not made a relevant statement yet.