At least 220 million apps containing flawed Heartbleed code were sitting on Android phones this month, according to security researchers.
A scan of 54,000 Google Play apps on 10 April revealed the number of downloaded apps using flawed OpenSSL code stood at 220 million, FireEye said in a blog post. By 17 April, that had reduced to 150 million, as developers issued fixes.
A number of app developers and library vendors have been warned about the problems in their apps, but FireEye would not say which applications were affected.
“Fortunately, it seems most app developers and library vendors take Heartbleed seriously, as we have started to see apps updated with proper fixes,” said researchers Yulong Zhang, Hui Xue and Tao Wei.
Whilst only one version of the Android platform, 4.1.1, was vulnerable to a certain kind of Heartbleed attack, a vast number of apps sitting on devices also used flawed code that could have leaked sensitive data.
The vulnerability can be exploited by sending a server specially crafted “heartbeat” messages, which are normally used to check that a supposedly protected connection is still alive.
Because heartbeats also flow in the other direction, a malicious server could send them to smartphones and other clients and so attack vulnerable devices. Such attacks on phones remain theoretical, unlike the attacks on vulnerable web servers.
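The defect behind these crafted heartbeats is that the unpatched code trusted the message's declared payload length instead of checking it against the bytes actually received. The following is an added example (not code from the article or from OpenSSL) of the bounds check a patched peer applies, using the RFC 6520 heartbeat layout; the function names and the sample messages are constructed for illustration.

```python
import struct

# RFC 6520 heartbeat message: type(1) | payload_length(2, big-endian) | payload | padding(>=16)
HEARTBEAT_REQUEST = 1
HEARTBEAT_RESPONSE = 2
MIN_PADDING = 16
HEADER_LEN = 3  # one type byte plus two length bytes


def build_heartbeat(msg_type, payload, declared_len=None, padding=b"\x00" * MIN_PADDING):
    """Assemble a heartbeat record (constructed test input, not captured traffic).

    declared_len defaults to the true payload length; a different value
    yields the mismatched message a validator has to reject."""
    if declared_len is None:
        declared_len = len(payload)
    return struct.pack("!BH", msg_type, declared_len) + payload + padding


def validate_heartbeat(record):
    """Return (ok, reason). The declared payload must fit inside the bytes
    actually received, with room left for the minimum padding; this is the
    check the Heartbleed fix added."""
    if len(record) < HEADER_LEN + MIN_PADDING:
        return False, "record too short for header and padding"
    msg_type, declared_len = struct.unpack("!BH", record[:HEADER_LEN])
    if msg_type not in (HEARTBEAT_REQUEST, HEARTBEAT_RESPONSE):
        return False, "unknown heartbeat type %d" % msg_type
    if HEADER_LEN + declared_len + MIN_PADDING > len(record):
        return False, "declared payload %d bytes, record only %d bytes" % (declared_len, len(record))
    return True, "ok"


def respond_to_heartbeat(record):
    """Echo the payload back in a heartbeat response, or return None to
    silently discard a malformed request, as a patched peer does."""
    ok, _ = validate_heartbeat(record)
    if not ok:
        return None
    _, declared_len = struct.unpack("!BH", record[:HEADER_LEN])
    payload = record[HEADER_LEN:HEADER_LEN + declared_len]  # bounded by the check above
    return build_heartbeat(HEARTBEAT_RESPONSE, payload)


if __name__ == "__main__":
    good = build_heartbeat(HEARTBEAT_REQUEST, b"ping")                      # constructed
    bad = build_heartbeat(HEARTBEAT_REQUEST, b"ping", declared_len=0x4000)  # constructed mismatch
    print(validate_heartbeat(good), validate_heartbeat(bad), respond_to_heartbeat(bad))
```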
The FireEye researchers also found that only six of the 17 Heartbleed detectors available on Google Play actually checked the apps installed on the device.
“Within the six, two report all apps installed as ‘Safe’, including those we confirmed as vulnerable. One detector doesn’t show any app scan results and another one doesn’t scan the OpenSSL version correctly. Only two of them did a decent check on Heartbleed vulnerability of apps,” they added.
“We’ve also seen several fake Heartbleed detectors in the 17 apps, which neither perform real detections nor display detection results to users and only serve as adware.”
In a bid to offer an alternative to OpenSSL, the creators of the OpenBSD operating system have produced LibreSSL. The fork of OpenSSL has stripped away much of the code that had been built into the widely used encryption library, in a bid to make it slicker and more secure.
The first operating system to ship the new library will be OpenBSD 5.6, according to a message on the LibreSSL website.