Even though Google itself does not have a Heartbleed problem, particularly since the company knew about the OpenSSL bug a month before everyone else, a large number of Android users may still be at risk, The Guardian reports. That is not because Google has failed to patch the security flaw, but because several other factors work in Heartbleed's favor.
For starters, Heartbleed only affects one version of Android, the “old” Android 4.1.1. However, that also happens to be a very popular Android version, with as many as 50 million users running it on their current devices. The number comes from analytics firm Chitika, although Google is only saying that “less than 10%” of Android devices activated worldwide are actually at risk. According to Google’s recent Android distribution numbers, Jelly Bean runs on 34.4% of Android devices that communicate with the Google Play Store, but that figure includes every Jelly Bean version from Android 4.1 to Android 4.3.
Affected devices are apparently “vulnerable to a hack described as ‘reverse Heartbleed’ — where a malicious server would be able to exploit the flaw in OpenSSL to grab data from the phone’s browser, which could include information about past sessions and logins,” according to The Guardian.
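The flaw behind both the server-side and the “reverse” variant is the same missing bounds check: the heartbeat message carries a length field, and vulnerable OpenSSL trusted that field instead of checking it against the size of the record that actually arrived. The following is an added example, not code from the article or from OpenSSL: a small parser for the body of a TLS heartbeat record (RFC 6520 layout: 1-byte type, 2-byte payload length, payload, at least 16 bytes of padding) that applies the check the OpenSSL fix added, run over constructed sample messages.

```python
import struct

HEARTBEAT_REQUEST = 1
HEARTBEAT_RESPONSE = 2
MIN_PADDING = 16  # RFC 6520: a heartbeat message carries at least 16 bytes of padding


def parse_heartbeat(record_body: bytes):
    """Parse the body of a TLS heartbeat record (content type 24).

    Returns (msg_type, payload) for a well-formed message and raises
    ValueError otherwise. Heartbleed was the absence of the length check
    below: the peer's declared payload length was trusted, so a message
    with a small real payload but a large declared length caused memory
    beyond the record to be copied into the response. A client talking to
    a malicious server is exposed in exactly the same way as a server
    talking to a malicious client.
    """
    if len(record_body) < 1 + 2 + MIN_PADDING:
        raise ValueError("record too short to hold a heartbeat header and padding")
    msg_type = record_body[0]
    (payload_len,) = struct.unpack("!H", record_body[1:3])
    if msg_type not in (HEARTBEAT_REQUEST, HEARTBEAT_RESPONSE):
        raise ValueError(f"unknown heartbeat type {msg_type}")
    # The fix: type (1) + length (2) + payload + padding (16) must fit inside the record.
    if 1 + 2 + payload_len + MIN_PADDING > len(record_body):
        raise ValueError(
            f"declared payload length {payload_len} exceeds record of {len(record_body)} bytes"
        )
    return msg_type, record_body[3:3 + payload_len]


def is_well_formed(record_body: bytes) -> bool:
    """True when the heartbeat body passes the bounds check, False otherwise."""
    try:
        parse_heartbeat(record_body)
        return True
    except ValueError:
        return False


def build_heartbeat(msg_type: int, payload: bytes) -> bytes:
    """Encode a well-formed heartbeat body (used here only to construct sample input)."""
    return bytes([msg_type]) + struct.pack("!H", len(payload)) + payload + b"\x00" * MIN_PADDING


# Constructed samples: a valid request and a request whose declared length (0xffff)
# is far larger than the two bytes of payload that were actually sent.
GOOD_REQUEST = build_heartbeat(HEARTBEAT_REQUEST, b"ping")
BAD_REQUEST = b"\x01\xff\xff" + b"hi" + b"\x00" * MIN_PADDING
```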
Even though Google has patched the OpenSSL issue and pushed a fix to OEMs and carriers, those two parties aren’t known for delivering Android updates of any kind quickly, so users will get the fix much later.
Security firm Lookout has developed an Android app that lets people check whether their Android device is vulnerable. The company tells The Guardian that more than 80% of people running Android 4.1.1 who have shared data with Lookout so far have been exposed to attacks.
The good news for Android 4.1.1 device owners is that it doesn’t look like hackers are trying to take advantage of the security issue at the moment. Furthermore, Lookout’s principal security researcher Marc Rogers told Bloomberg that a Heartbleed-based attack against Android would be a complex task.
“Given that the server attack affects such a large number of devices and is so much easier to carry out, we don’t expect to see any attacks against devices until after the server attacks have been completely exhausted,” he said.