Hi guys,
Thank you for all replies here is some information and what I concluded
I asked him to check email history and he forwarded all emails sent to mycelium support .
First he was using cold storage to send his bitcoin and he bought a new phone and it is unrooted installed just mycelium and a few apps from the play store and he stored the private key in the lastpass application.
For the other two transactions sent to that address, yes my friend sent them. He just sent low amount to see ( I don't know what he was thinking he was doing ) .
These transaction are done by my friend :
https://www.blockchain.com/btc/tx/b69ac4b06ce76e3144271e7017ad37aec8916bdc7cf77ac17541e075290a1120https://www.blockchain.com/btc/tx/eac69ba4bc143a58908e68e3a2b8dc25704c9332923cb8a56b1eeeb33968a887As I said I don't know what he was thinking about
To correct some information:
He didn't touch the phone the day before when he found his wallet had vanished. So it is clear that someone uses his private key. the moment when the coins moved his phone was OFF.
He did something good by copying the transaction information :
Summary
Size 2736 (bytes)
Received Time 2016-12-13 04:36:43
Included In Blocks 443230 ( 2016-12-13 04:36:53 + 0 minutes )
Confirmations 234 Confirmations
Relayed by IP 138.68.64.155 (whois)
Visualize View Tree Chart
Inputs and Outputs
Total Input $ 38,620.06
Total Output $ 38,618.27
Fees $ 1.79
Estimated BTC Transacted $ 38,618.27
Scripts Hide scripts & coinbase
I noticed that this IP 138.68.64.155 belonged to the digital ocean company and the location was Germany. The coincidence is that mycelium use also used Digital ocean back to that time and also the location was Germany ! Is it a coincidence?
I have read a lot of stories about stolen coins through mycelium and I feel that there was a backdoor on their app and when this affects some members and not all members then I suspect that mycelium team is behind this theft and they are also anonyme!