Although Google had patched its most popular services to address the Heartbleed bug last week, there’s still a huge chunk of Android smartphones left vulnerable to the security flaw.
On its official blog, the search engine giant said that all versions of Android are immune to the bug — except for one, which happens to be among the most widely used iterations of the software.
First spotted by Bloomberg, Google’s blog post says that Android 4.1.1 Jelly Bean is susceptible to Heartbleed, a bug that can trick a server into spilling out data from its memory. According to the most recent statistics from Google, Android 4.1 accounts for 34.4 per cent of handsets powered by Android.
Of these devices, however, it’s unclear exactly how many are running on the sub-version 4.1.1. Google’s statistics only specify the market share percentage for Android 4.1 Jelly Bean, but there are a few newer versions of that software including version 4.1.1, which is said to be vulnerable to the bug, and version 4.1.2.
Security researchers have reportedly told Bloomberg that Android 4.1.1 is still used in millions of smartphones and tablets, including some made by Samsung and HTC. Google spokesperson Christopher Katsaros also confirmed to Bloomberg that there are millions of devices running on the affected software.
Since version 4.1.1 Jelly Bean debuted in 2012, it's likely to be found on older Android smartphones that are updated less frequently than the newer flagships.
The process of updating Android smartphones can sometimes take a long time because the update must first be approved by specific device manufacturers (e.g. Samsung, LG) before rolling out to the carriers (e.g. Verizon, Sprint). It then must be approved by the carriers before it reaches your smartphone.
Google’s own devices (e.g. the Nexus 5 and Nexus 10 tablet), or any handsets running on pure Android such as Samsung and HTC’s Google Play edition smartphones, are usually the first priority when it comes to receiving software updates.
To check which version of Android your device is running, head over to the Settings Menu and navigate to the About Phone option. This will tell you what version of Android is currently running, and you can usually check for software updates from here as well.
Verizon has told Bloomberg that it is “working with device manufacturers to test and deploy patches to any affected device on our network running Android 4.1.1.”
The Heartbleed bug was discovered earlier this month by Google Security’s Neel Mehta and a team of engineers at Finnish security firm Codenomicon. The flaw affects a version of OpenSSL, an encryption standard used by a huge chunk of the Internet, and it can trick a server into copying information from its memory without realising it. The vulnerability is so difficult to detect because it strikes at such an early stage in communication between servers, Codenomicon told Business Insider.