Patching up Android to make sure it’s not vulnerable to Heartbleed is one thing. Patching all vulnerable Android apps, on the other hand, is quite another. Re/code draws our attention to a new study from research firm FireEye that claims there have been around 150 million downloads of Android apps that are vulnerable to the Heartbleed bug. And to make matters worse, the researchers say that the assorted “Heartbleed detectors” you can now find in the Google Play store will do little to help you root out vulnerable apps you’ve downloaded.
“Android apps frequently use native libraries, which either directly or indirectly leverage vulnerable OpenSSL libraries,” the researchers write. “Therefore, even though the Android platform itself is not vulnerable, attackers can still attack those vulnerable apps. They can hijack the network traffic, redirect the app to a malicious server and then send crafted heartbeats messages to the app to steal sensitive memory contents.”
Thankfully, there’s a silver lining to this: It looks like app developers are moving surprisingly quickly to patch their apps and to keep them safe from the Heartbleed vulnerability. When FireEye ran estimates on Android apps and Heartbleed vulnerabilities on April 10th, they found that apps vulnerable to the bug had been downloaded 220 million times. Just one week later when they ran their estimates on April 17th, that number had dropped to 150 million.
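The researchers' point about bundled native libraries can be checked from the defender's side by looking inside an app package for OpenSSL builds in the affected range (1.0.1 through 1.0.1f, plus 1.0.2-beta1). The sketch below is an added example, not FireEye's tooling or code from the original article; the function names and the sample package contents are constructed for illustration, and it assumes the library still carries OpenSSL's usual version banner.

```python
import io
import re
import zipfile

# Version banner OpenSSL embeds in its binaries, e.g. "OpenSSL 1.0.1e 11 Feb 2013".
BANNER = re.compile(rb"OpenSSL (\d+\.\d+\.\d+[a-z]?(?:-beta\d+)?) ")

def is_heartbleed_version(version):
    """True for releases affected by Heartbleed: 1.0.1 to 1.0.1f, and 1.0.2-beta1."""
    if version == "1.0.2-beta1":
        return True
    m = re.fullmatch(r"1\.0\.1([a-z]?)", version)
    return bool(m) and m.group(1) <= "f"

def scan_apk(apk):
    """Return {native library path: sorted affected OpenSSL versions found in it}."""
    findings = {}
    with zipfile.ZipFile(apk) as zf:
        for name in zf.namelist():
            # APKs ship native code as lib/<abi>/<name>.so
            if not (name.startswith("lib/") and name.endswith(".so")):
                continue
            versions = {v.decode() for v in BANNER.findall(zf.read(name))}
            bad = sorted(v for v in versions if is_heartbleed_version(v))
            if bad:
                findings[name] = bad
    return findings

def build_sample_apk():
    """Constructed sample: a zip laid out like an APK, with fake .so payloads."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("lib/armeabi-v7a/libgame.so", b"\x7fELF..OpenSSL 1.0.1e 11 Feb 2013\x00")
        zf.writestr("lib/armeabi-v7a/libnet.so", b"\x7fELF..OpenSSL 1.0.1g 7 Apr 2014\x00")
        zf.writestr("lib/x86/libold.so", b"\x7fELF..OpenSSL 0.9.8y 5 Feb 2013\x00")
        zf.writestr("classes.dex", b"dex\n035\x00")
    buf.seek(0)
    return buf

if __name__ == "__main__":
    for path, versions in scan_apk(build_sample_apk()).items():
        print(path, versions)
```

A banner match is a triage signal only: a library in the affected range may have been built without heartbeat support, and a stripped or renamed build may carry no banner at all.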