ANDROID – Heartbleed makes 50m Android phones vulnerable, data shows
Devices running Android 4.1.1 could be exploited by ‘reverse Heartbleed’ to yield user data – including 4m in US alone
At least 4m Android smartphones in the US, and tens of millions worldwide, could be exploited by a version of the “Heartbleed” security flaw, data provided to the Guardian shows.
Worldwide, the figure could be 50m devices, based on Google’s own announcement that any device running a specific variant of its “Jelly Bean” software – Android 4.1.1, released in July 2012 – is vulnerable.
The figure, calculated using data provided exclusively by the analytics firm Chitika, is the first time an accurate estimate has been put on the number of vulnerable devices. Other estimates have suggested it is hundreds of millions, based on the number of devices running versions of Android 4.1. But most of those run 4.1.2, which is not at risk.
Google has not disclosed how many devices are vulnerable, although it has indicated that the figure is “less than 10%” of devices activated worldwide.
But that could be a huge number, given that Google has activated 900m Android devices worldwide. There are also hundreds of millions of handsets in China running Android without Google services, which would not show up on its systems, and which are also likely to be running vulnerable versions.
The figure on the number of vulnerable devices comes from an analysis for the Guardian by the ad network Chitika of US network traffic. Looking at web traffic for the seven-day period between 7 April and 13 April, “Android 4.1.1 users generated 19% of total North American Android 4.1 Web traffic, with users of version 4.1.2 generating an 81% share. Web traffic from devices running Android 4.1.0 made up less than 0.1% of the Android 4.1 total observed, so we did not include for the purposes of clarity,” said Andrew Waber, a Chitika representative.
Based on Comscore data which suggests there are 85m Android smartphones in use in the US, that means that there are at least 4m handsets which are vulnerable.