This kind of attack is what keeps me up at night, but this specific attack doesn't affect anything but Copay users with more than 100 BTC.
As Android lead developer of Mycelium, I am very well aware of the dependency problem, but quite frankly, unless we get 10,000 devs to monitor all our dependencies all the time, there is no way to make it 100% secure.
Modularization was what I joined for 3 years ago. I'm still a big believer in the approach, but we are now taking a different one. With modularization, the idea is to have one app that handles private keys and transaction signing for Bitcoin, for example. This app would have very limited dependencies and very little code itself. Another app would provide the fancy UI and all the nice stuff that needs tons of dependencies and its own code.
I keep an old phone and have not updated my Mycelium for about 2 years (on purpose). I also only bring my coins out of cold storage when I am ready to make a payment and then go back to my unfunded wallet after that. Am I safe from this exploit?
The safest way to store your bitcoins is on a dedicated PC that only has the absolute bare necessities needed to run the Bitcoin core wallet and encryption software. These 3rd party apps and hardware wallets are fads that will die out.
It's massive, but I think by making it public, the only defense there is, is destroyed. Devs should have quietly analyzed whether the master seed is shared with the hacker or only account seeds, for example. If only account seeds, they could have updated without touching the hack but adding another hack that wakes up all wallets at a certain time (block height, for example) and sends all funds to a new account that the hacker doesn't have.
The hacker is watching the balance under his control and has a transaction emptying all these wallets ready to be broadcast. Should "his" balance fall, then either a script or he himself will send all funds to wallets out of the users' control. The only defense is to make that balance fall to zero in one block. You could probably even get these transactions to a miner without the hacker seeing the accounts getting emptied before the block is actually mined.
I wouldn't say any project... but yes, a lot of projects and apps use third-party packages without auditing them.
Here's a great post from a while ago about how prevalent the issue is, and how easy the attack can be: [https://hackernoon.com/im-harvesting-credit-card-numbers-and-passwords-from-your-site-here-s-how-9a8cb347c5b5](https://hackernoon.com/im-harvesting-credit-card-numbers-and-passwords-from-your-site-here-s-how-9a8cb347c5b5)
It's very important that users of cryptocurrency take security very seriously. This has been talked about since the early days, and I'm sure it is mentioned in some of the earliest posts about Bitcoin, both from Satoshi and others.
Yes, BitPay missed a turn along the way when they got bribed by Jihan, but before that, they were really one of the most prestigious players in Bitcoin, and this now can't be blamed on them either.