Although a security patch for the Heartbleed bug is available, and many Web sites and services have patched successfully and asked users to change their passwords, Android apps have somehow escaped scrutiny.
Android apps remain very much vulnerable, and delivering the security patch to every vulnerable Android app is not an easy task.
According to a new study by FireEye, a security research firm, there were nearly 150 million downloads of Android apps that were vulnerable to the Heartbleed bug, as reported by Re/code.
FireEye researchers said that the apps classified as Heartbleed finders/detectors on the Google Play store are not capable of rooting out the vulnerable apps that have been downloaded.
Even though as many as 17 Android security apps periodically scan apps for bugs and vulnerabilities, at least six of them used insufficient techniques to check for the Heartbleed vulnerability. As a result, they missed the bug and treated the vulnerable app as a genuine one.
The researchers said, "Android apps frequently use native libraries, which either directly or indirectly leverage vulnerable OpenSSL libraries. Hence, even though the Android platform itself is not vulnerable, attackers can still attack those vulnerable apps. They can hijack the network traffic, redirect the app to a malicious server and then send heartbeat messages to the app to steal sensitive memory contents."
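The researchers' point is that the risk sits in the native libraries an app ships, not in the platform, so a check has to look inside the APK itself. The following is an added example, not code from FireEye or from the original article: it lists the native libraries in an APK that carry an OpenSSL version banner. The function names, the sample APK and the `affected_versions` input are assumptions made for illustration.

```python
import io
import re
import zipfile

# OpenSSL builds embed a banner such as b"OpenSSL 1.0.1e 11 Feb 2013".
BANNER = re.compile(rb"OpenSSL (\d+\.\d+\.\d+[a-z]*(?:-\w+)?) ")

def bundled_openssl(apk_bytes):
    """Return {path: sorted versions} for native libraries in the APK
    that carry an OpenSSL version banner."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for name in apk.namelist():
            # Native code ships under lib/<abi>/*.so inside the APK.
            if not (name.startswith("lib/") and name.endswith(".so")):
                continue
            versions = {m.group(1).decode()
                        for m in BANNER.finditer(apk.read(name))}
            if versions:
                found[name] = sorted(versions)
    return found

def flag_apk(apk_bytes, affected_versions):
    """List (path, version) pairs whose bundled OpenSSL is in affected_versions."""
    return [(path, v)
            for path, versions in sorted(bundled_openssl(apk_bytes).items())
            for v in versions if v in affected_versions]

def build_sample_apk():
    """Constructed sample: a fake APK holding two fake native libraries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as apk:
        apk.writestr("classes.dex", b"dex\n035\x00")
        apk.writestr("lib/armeabi-v7a/libgame.so",
                     b"\x7fELF\x00pad\x00OpenSSL 1.0.1e 11 Feb 2013\x00more")
        apk.writestr("lib/armeabi-v7a/libaudio.so", b"\x7fELF\x00no tls here")
    return buf.getvalue()

if __name__ == "__main__":
    # Constructed input; take the real affected list from the OpenSSL advisory.
    for path, version in flag_apk(build_sample_apk(), {"1.0.1e"}):
        print(f"{path}: bundles OpenSSL {version}")
```

A banner match shows that the library is bundled, not that the app actually reaches the heartbeat code, so treat a hit as a triage signal that needs follow-up.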
Apps Affected the Most
Most of the apps affected by the Heartbleed bug were gaming apps. Although gaming apps did not store useful or sensitive data, many of them used authorization credentials linked to Facebook, Twitter or other social networking accounts.
Letting an attacker hijack a gaming app account provided access to valuable or sensitive data from social networking accounts.
The only consolation was that prompt app developers were doing all they could to patch their apps so they would no longer be vulnerable to the deadly and widespread Heartbleed bug.
As of April 10, there were about a whopping 220 million downloads of apps vulnerable to the bug. But when the same test was run a week later, on April 17, the number of such downloads had dropped to 150 million.