As many as fifty-million devices running the Jelly Bean version 4.1.1 software for Android may be at risk due to the the Heartbleed bug (CVE-2014-0160) affecting some versions of OpenSSL, about 10% of all Android devices worldwide.
The at-risk devices can be targeted with a “Reverse Heartbleed attack” in which attackers could pilfer sensitive information from a device’s browser if connected with a malicious server.
“We have also already pushed a fix to manufacturers and operators.” But it’s unclear how quickly those will be implemented, if ever,” Google noted.
Thus far, no attacks that seek to exploit the vulnerability have been documented, and the likelihood of a successful attack campaign at this point is relatively low compared to the chance of vulnerable servers being targeted in the wake of Heartbleed.
“Given that the server attack affects such a larger number of devices and is so much easier to carry out, we don’t expect to see any attacks against devices until after the server attacks have been completely exhausted,” said Lookout’s Marc Rogers.
Jellybean version 4.1.1 was originally released in July of 2012 in order to patch a flaw affecting Nexus 7 tablets, and was replaced with version, 4.1.2 in October 2012, thus limiting the number of exposed devices.
If you are curious to know if your Android device is running the vulnerable version of Jellybean, Graham Cluley has provided some guidance on checking your device, ans strongly suggests that you seek an update if your device is running version 4.1.1:
- Enter System settings
- Scroll the screen down to About
- Look for your Android version number
The problem is, though, that an upgrade may not be available, according to Cluley.
“Even if you *want* to upgrade the OS on your Android devices you might not be able to, because an Android update is only going to be available for those devices with the assistance and goodwill of the manufacturer and mobile phone carrier,” Cluley said.
“It’s pretty shameful if manufacturers and mobile phone carriers fail to push out updates for Android 4.1.1, as the operating system was only released back in July 2012.”