An Android smartphone, unrelated to heartbleed
An Android smartphone, unrelated to heartbleed

Heartbleed: 50m Android phones may be affected, report shows

Data assessing smartphones in the US revealed that tens of millions of phones are at risk of being harvested

Kashmira Gander
Wednesday 16 April 2014 00:14

Around fifty million Android smartphone users could be exploited by a version of the so-called Heartbleed security glitch, it has been reported.

Devices running Android 4.1.1, a version of its Jelly Bean software released in 2012, are at risk, according to an announcement made by Google.

The number of users that could be affected, calculated by the analytics company Chitika and revealed to the Guardian, is a reasonably significant decrease in previous estimates which suggested hundreds of millions of mobiles could have been affected by Heartbleed.

Phones affected by the security flaw could see their browsers harvested for data including login information.

The firm came to the figure by analysing US network traffic between 7 April and 13 April, and compared it to Comscore data suggesting there are 85 million Android smartphones in the US.

“Android 4.1.1 users generated 19 per cent of total North American Android 4.1 Web traffic, with users of version 4.1.2 generating an 81 per cent share. Web traffic from devices running Android 4.1.0 made up less than 0.1 per cent of the Android 4.1 total observed, so we did not include for the purposes of clarity,” Andrew Waber, a Chitika representative, told the Guardian.

Google has disclosed that “less than 10 per cent” of its activated devices are vulnerable, but did not reveal a specific figure, the newspaper reported.

According to security firm Lookout, which provides software allowing Android users to check if they are vulnerable, 80 per cent of their customers running Android 4.1.1 have been affected, principal security researcher at the San Francisco-based company, told Bloomberg.

However, Rogers told Bloomberg that it appears that hackers have not yet tried to attack Android devices using Heartbleed.

“Given that the server attack affects such a larger number of devices and is so much easier to carry out, we don't expect to see any attacks against devices until after the server attacks have been completely exhausted,” he said.

Since Heartbleed was disclosed as a threat in April, only Android devices have been recognised as vulnerable. Apple does not use the vulnerable version of OpenSSL, which is the gateway for Heartbleed, on the iPhone or iPad, while Microsoft said that neither Windows Phone nor Windows is affected.

Register for free to continue reading

Registration is a free and easy way to support our truly independent journalism

By registering, you will also enjoy limited access to Premium articles, exclusive newsletters, commenting, and virtual events with our leading journalists

Already have an account? sign in

By clicking ‘Register’ you confirm that your data has been entered correctly and you have read and agree to our Terms of use, Cookie policy and Privacy notice.

This site is protected by reCAPTCHA and the Google Privacy policy and Terms of service apply.

Join our new commenting forum

Join thought-provoking conversations, follow other Independent readers and see their replies


Thank you for registering

Please refresh the page or navigate to another page on the site to be automatically logged inPlease refresh your browser to be logged in