Millions of Android App Downloads May Be Vulnerable To Heartbleed Security Flaw
In a post published last night titled “If an Android Has a Heart, Does It Bleed?”, three researchers from the computer security firm FireEye, Yulong Zhang, Hui Xue and Tao Wei, said:
“For the Android platform, we find that roughly 150M downloads of Android apps contain OpenSSL libraries vulnerable to Heartbleed.”
Earlier this month, FireEye scanned more than 54,000 apps found on the Google Play Store, each of which has more than 100,000 downloads, and found that over 150 million downloads were affected by the Heartbleed bug.
Most of the apps discovered to be vulnerable were games; however, many were office-based productivity applications that could put businesses at risk.
The Android operating system itself is not directly vulnerable to the Heartbleed bug, with the exception of Android 4.1.1. However, Android apps which either directly or indirectly use a vulnerable version of OpenSSL may cause your device’s information to be compromised. In the post, the security researchers wrote:
“Attackers can still attack those vulnerable apps. They can hijack the network traffic, redirect the app to a malicious server and then send crafted heartbeat messages to the app to steal sensitive memory contents. Although there is not much valuable information in the game apps, attackers can steal OAuth tokens (access tokens and refresh tokens) to hijack the game accounts; as such, the information might be useful for hijacking those linked social network accounts with incorrect configurations.”
FireEye also notes that there are approximately 17 Heartbleed detection apps on the Google Play Store, but most of them either do nothing useful or display false results.
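To illustrate the kind of static triage FireEye's scan implies (finding the OpenSSL version an app bundles and deciding whether it falls in the Heartbleed range), here is an added example; it is not FireEye's code nor any of the detection apps mentioned. It assumes the standard OpenSSL version banner ("OpenSSL 1.0.1e 11 Feb 2013") is still present in a stripped native library, and the library names and contents below are constructed for the demonstration. The caveat in the code is the reason such checks produce false results: a banner says which upstream release the library started from, not whether the fix was backported or heartbeats were compiled out.

```python
from __future__ import annotations
import re

# Heartbleed affects OpenSSL 1.0.1 through 1.0.1f (fixed in 1.0.1g) and the
# 1.0.2-beta releases; 0.9.8 and 1.0.0 predate the heartbeat extension.
# Every OpenSSL build embeds its OPENSSL_VERSION_TEXT banner, e.g.
# "OpenSSL 1.0.1e 11 Feb 2013", so the banner survives in a stripped .so.
BANNER_RE = re.compile(rb"OpenSSL (\d+)\.(\d+)\.(\d+)([a-z]?)(-beta\d+)?")


def classify_version(banner: str) -> str:
    """Classify one OpenSSL banner as 'vulnerable', 'fixed' or 'unaffected'."""
    m = BANNER_RE.match(banner.encode())
    if m is None:
        raise ValueError(f"not an OpenSSL version banner: {banner!r}")
    base = tuple(int(m.group(i)) for i in (1, 2, 3))
    letter = m.group(4).decode()          # "" for a bare 1.0.1, "e" for 1.0.1e
    beta = m.group(5) is not None
    if base < (1, 0, 1):
        return "unaffected"               # no heartbeat extension in 0.9.8 / 1.0.0
    if base == (1, 0, 1):
        return "vulnerable" if letter < "g" else "fixed"
    if base == (1, 0, 2) and beta:
        return "vulnerable"               # 1.0.2-beta1 shipped the bug too
    return "fixed"


def scan_library(blob: bytes) -> list[tuple[str, str]]:
    """Find every OpenSSL banner in a library image and classify each one."""
    return [(m.group(0).decode(), classify_version(m.group(0).decode()))
            for m in BANNER_RE.finditer(blob)]


def scan_app(libraries: dict[str, bytes]) -> dict[str, str]:
    """Summarise an app's native libraries as name -> worst banner finding.

    Caveat: this is a triage signal, not proof. Distribution builds that
    backport the fix keep the old banner (a patched 1.0.1e still reads
    "1.0.1e"), and a library compiled with OPENSSL_NO_HEARTBEATS has no
    heartbeat code at all. A 'vulnerable' hit therefore means "confirm with
    the vendor or a real handshake test", not "confirmed exploitable".
    """
    report = {}
    for name, blob in libraries.items():
        statuses = [status for _, status in scan_library(blob)]
        if not statuses:
            report[name] = "no OpenSSL banner"
        elif "vulnerable" in statuses:
            report[name] = "vulnerable"
        elif "fixed" in statuses:
            report[name] = "fixed"
        else:
            report[name] = "unaffected"
    return report


# Constructed sample "native libraries" (hypothetical names): an ELF magic
# prefix, filler bytes and an embedded banner. These are not real app files.
SAMPLE_LIBRARIES = {
    "libgame-net.so": b"\x7fELF" + b"\x00" * 32 + b"OpenSSL 1.0.1e 11 Feb 2013\x00",
    "libdocsync.so":  b"\x7fELF" + b"\x00" * 32 + b"OpenSSL 1.0.1g 7 Apr 2014\x00",
    "libchat.so":     b"\x7fELF" + b"\x00" * 32 + b"OpenSSL 1.0.0k 5 Feb 2013\x00",
    "libphysics.so":  b"\x7fELF" + b"\x00" * 32 + b"no crypto in here\x00",
}

if __name__ == "__main__":
    for lib, finding in scan_app(SAMPLE_LIBRARIES).items():
        print(f"{lib:16} {finding}")
```

In practice the same scan would be run over the `lib/<abi>/*.so` files unpacked from an APK, and a "vulnerable" result should be treated as a lead to confirm with the app vendor, since statically linked or renamed copies of OpenSSL inside other libraries are found by the banner just as well as a standalone libssl.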