Today we're releasing version 2.4.2 of Copay for Android. This security release disables the automatic app backup feature which is enabled by default in Android 6 phones.
If you are using Copay in an Android 6 phone and have automatic App Backup enabled, your wallet's keys have been backed up automatically and uploaded to Google servers. While Google encrypts all app backups, your keys are still off your device and in the cloud. This change goes against our security policy and puts user private keys at risk, so we strongly encourage you to move your funds to a new Copay wallet.
To do this, just download the updated Copay app (version 2.4.2 or above), create a new wallet in the app, and transfer funds away from any old wallets to the new wallet you have created after updating. Do NOT delete your Copay app at any point, since this may delete any wallets that have not been backed up. Remember that Copay is a true bitcoin wallet, so you have full control of the funds and the responsibility to make your own backup (rather than backing up to the cloud).
We want to thank our GitHub user community for helping us to enhance Copay's usability and security. Special thanks go to GitHub user @Kirvx for being the first to report this issue. If you want to report an issue or share feedback yourself, create an issue report on our GitHub page and our team will respond directly.