San Francisco: Millions of smartphones and tablets running Google's Android operating system have the Heartbleed software bug, in a sign of how broadly the flaw extends beyond the Internet and into consumer devices.
While Google said in a blog post on April 9 that all versions of Android are immune to the flaw, it added that the "limited exception" was one version dubbed 4.1.1, which was released in 2012.
Security researchers said that version of Android is still used in millions of smartphones and tablets, including popular models made by Samsung Electronics, HTC and other manufacturers. Google statistics show that 34 per cent of Android devices use variations of the 4.1 software. The company said less than 10 per cent of active devices are vulnerable. More than 900 million Android devices have been activated worldwide.
The Heartbleed vulnerability was made public earlier this week and can expose people to hacking of their passwords and other sensitive information. While a fix was simultaneously made available and quickly implemented by the majority of Internet properties that were vulnerable to the bug, there is no easy solution for Android gadgets that carry the flaw, security experts said. Even though Google has provided a patch, the company said it is up to handset makers and wireless carriers to update the devices.
"One of the major issues with Android is the update cycle is really long," said Michael Shaulov, chief executive officer and co-founder of Lacoon Security, a cyber-security company focused on advanced mobile threats. "The device manufacturers and the carriers need to do something with the patch, and that's usually a really long process."
Christopher Katsaros, a spokesman for Mountain View, California-based Google, confirmed there are millions of Android 4.1.1 devices. He pointed to an earlier statement by the company, in which it said it has "assessed the SSL vulnerability and applied patches to key Google services."
Microsoft said on Friday that the Windows and Windows Phone operating systems and most services aren't impacted.