While Google was quick to patch its services to close the security hole caused by the Heartbleed bug in OpenSSL, the same bug may still be hounding millions of Android devices worldwide.
Google patched most of its services last week (including Search, Gmail, YouTube, Wallet, Play, Apps, and App Engine). Recently, the search company also updated the list of patched services to include Google AdWords, DoubleClick, Maps, Maps Engine, Earth, Analytics, and Tag Manager — all of which the company claims were patched last week but were “inadvertently left out” of the original list.
In the same announcement Google also declared all Android versions to be immune to the Heartbleed bug — except, in limited ways, Android 4.1.1 Jelly Bean.
No one knows exactly how many devices are running Android 4.1.1 Jelly Bean, although, as of April 1, Google’s own statistics say that the Android 4.1.x series (including 4.1.1 and 4.1.2) runs on 34.4% of Android devices. This slice of the platform versions pie is currently the biggest one, with Android 4.2.x Jelly Bean coming in second at only 18.1%, followed by — surprise! — Android 2.3.3 to 2.3.7 Gingerbread at 17.8%.
There have been more than 1 billion Android activations since September last year, which potentially means that fewer than 344 million phones (34.4%) could be running the vulnerable Android version. Even if only 1% of that group is using Android 4.1.1 (while the rest is on Android 4.1.2, which is safe), the number would still be in the millions — about 3.44 million, in fact. That’s no small number.
Google, however, has distributed patching information for Android 4.1.1 to its Android partners. It’s now up to these partners to update their respective devices. Yet, phone manufacturers and mobile carriers have often caused software update bottlenecks because of the approval procedures that they use.
To determine what Android version is running on your Android device, go to Settings > About Phone/Tablet/Device and check the Android version. If it’s Android 4.1.1, you might want to check for updates and install them.
Another way to check for Heartbleed on your device is by running Lookout’s Heartbleed Detector app.