2. What is Heartbleed?
Heartbleed is a software flaw in the OpenSSL “Heartbeat”
function, which helps keep secure connections alive.
Exploiting the flaw, attackers could pull out 64K of random data
living in the active memory of those targeted systems.
Read the blog
3. What is Reverse Heartbleed?
This is where things get concerning for Android users.
Most people are talking about Heartbleed, where a malicious client steals data
from a vulnerable server. But it works in reverse as well. A malicious server could
steal data from a vulnerable client, such as your Android phone.
It goes to show how widespread the issue is and why companies should
immediately work to patch their systems and devices.
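The flaw described in slides 2 and 3 comes down to a missing length check when a heartbeat is echoed back, and because clients and servers process heartbeats the same way, the same check protects both. The C code below is an added example, not code from Lookout or OpenSSL: the names hb_reply and hb_demo and the sample record are constructed for illustration, and the message layout is assumed from RFC 6520.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HB_REQUEST  1    /* heartbeat_request message type */
#define HB_RESPONSE 2    /* heartbeat_response message type */
#define HB_HEADER   3u   /* 1 type byte + 2-byte payload length */
#define HB_MIN_PAD  16u  /* minimum padding after the payload */

/* Build the reply to one received heartbeat record (RFC 6520 layout:
 * type, 16-bit payload length, payload, at least 16 bytes of padding).
 * Returns the reply length, or 0 when the record must be dropped silently. */
size_t hb_reply(const uint8_t *rec, size_t rec_len, uint8_t *out, size_t out_cap)
{
    if (rec_len < HB_HEADER + HB_MIN_PAD || rec[0] != HB_REQUEST)
        return 0;
    /* The length field is chosen by the peer: 16 bits, so up to 65535 ("64K"). */
    size_t claimed = ((size_t)rec[1] << 8) | rec[2];
    /* The bounds check: the claimed payload must fit inside the bytes that
     * actually arrived. Without it, the copy below would read past the
     * record into whatever else sits in memory. */
    if (claimed > rec_len - HB_HEADER - HB_MIN_PAD)
        return 0;
    size_t n = HB_HEADER + claimed + HB_MIN_PAD;
    if (n > out_cap)
        return 0;
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + HB_HEADER, rec + HB_HEADER, claimed);
    /* Zero padding here for simplicity; RFC 6520 calls for random padding. */
    memset(out + HB_HEADER + claimed, 0, HB_MIN_PAD);
    return n;
}

/* Constructed sample: a request that really carries the 4-byte payload
 * "ping" but whose length field is set to `claimed`. */
size_t hb_demo(uint16_t claimed)
{
    uint8_t rec[HB_HEADER + 4 + HB_MIN_PAD] = { HB_REQUEST };
    uint8_t out[128];
    rec[1] = (uint8_t)(claimed >> 8);
    rec[2] = (uint8_t)(claimed & 0xff);
    memcpy(rec + HB_HEADER, "ping", 4);
    return hb_reply(rec, sizeof rec, out, sizeof out);
}

int main(void)
{
    printf("honest length 4      -> reply of %zu bytes\n", hb_demo(4));
    printf("claimed length 65535 -> reply of %zu bytes\n", hb_demo(0xffff));
    return 0;
}
```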
4. What does this mean for your Android?
If your device is running on a version of Android that uses an
affected version of OpenSSL, your data may be vulnerable.
Fortunately, Lookout found that the affected Android versions only
make up a small percentage of the overall Android ecosystem.
(If you’re wondering about iOS, Apple doesn’t ship its mobile
operating system with OpenSSL, so everything is OK.)
5. Android Versions
Most Android versions are not vulnerable to Heartbleed.
[Chart: Android versions 2.*, 3.*, 4.0, 4.1.1, 4.1.2, 4.2.1, 4.2.2, 4.3, 4.4]
We predominantly saw vulnerable devices running Android 4.1.1; however, we did
spot some using 4.2.2. Google says that only 4.1.1 is vulnerable to Heartbleed, which
might indicate that there are custom versions of 4.2.2 floating around.
6. Most-Frequently Reported Vulnerable Devices
We’ve seen that devices running vulnerable Android versions 4.1.1 and
4.2.2 are mostly the same 10 popular phones and tablets.
MOTOROLA ATRIX HD
EVO
HTC ONE X
HTC ONE S
HTC ONE X+
7. As new phones come out, older ones are cut off from new Android updates.
It’s possible that these phones fall into that category, leaving users unable
to update to a newer, safer version of Android. It’s a curse of these phones’ own
success: the hardware has lasted so well that the software can’t measure up.
HTC ONE X: 84% of users vulnerable, not yet patched
HTC ONE X+: 100% of users vulnerable, not yet patched
EVO: 84% of users vulnerable, not yet patched
HTC ONE S: 82% of users vulnerable, not yet patched
HTC DESIRE X: 100% of users vulnerable, not yet patched
MOTOROLA ATRIX HD: 99% of users vulnerable, not yet patched
PRISM II: 100% of users vulnerable, not yet patched
HUAWEI ASCEND Y300: 100% of users vulnerable, not yet patched
NEXTBOOK 8: 100% of users vulnerable, not yet patched
ZTE VALET: 99% of users vulnerable, not yet patched
8. Where is Heartbleed?
Just like the Internet reaches people across the globe, so has Heartbleed.
We’ve collected data from Android users in nearly 100 countries and found
that device vulnerability can happen just about anywhere.
10. Most of our data comes from users in the U.S.
Of more than 75,000 Android users in the United States, 3.4% were
running OpenSSL versions vulnerable to Heartbleed.
11. Let’s talk about you.
At this point you’re probably starting to worry about whether your
device is vulnerable. We’ve analyzed more than 100,000 users’
operating systems and found that 96% are not vulnerable.
Lookout built a free detector app that you can download to see if your Android is affected.
Download free from Google Play
12. What can I do if my device is vulnerable?
If your phone is vulnerable, we suggest you update your OS to the latest
version of Android. If you don't have an update available, you
unfortunately have to wait for your manufacturer and carrier to issue an
update to your device. In some cases, they may never release an update.
More questions? Read our FAQ
13. Cool, my device is safe.
What else do I need to know?
Just because your device isn’t vulnerable doesn’t mean all of your apps and
services are secure. Wait until you've heard from a company that its systems
have been patched. Then you're safe to change your password.
More questions? Read our FAQ
14. About this report
This data has been reported to Lookout by more
than 100,000 Heartbleed Detector users.