It turns out that the only version of the Android operating system Google admits is affected by the notorious Heartbleed bug runs on millions of smartphones and tablets.
When news of the Heartbleed vulnerability broke two weeks ago, Google, Inc. said in a blog post on April 9 that all versions of Android except one were immune to the bug. Google identified this "limited exception" as version 4.1.1, released in 2012.
Security analysts, however, have discovered that Android Jelly Bean version 4.1.1 is being used in millions of smartphones and tablets, including popular models made by Samsung Electronics Company, HTC Corporation and other manufacturers.
Google data shows that 34 percent of Android devices use variations of the 4.1 software. On the other hand, Google said less than 10 percent of active devices are vulnerable to Heartbleed. Over 900 million Android devices are active worldwide.
Google spokesman Christopher Katsaros confirmed there are millions of Android 4.1.1 devices. He pointed to an earlier statement by the company in which Google said it has assessed the SSL vulnerability and applied patches to key Google services.
Experts said there is no easy solution for Android gadgets with the Heartbleed bug. Google has provided a security patch but has said it's up to handset makers and wireless carriers to update the devices.
Over 80 percent of people running Android 4.1.1 who shared their data with mobile security firm Lookout Inc. are affected by Heartbleed, said Marc Rogers, principal security researcher at Lookout. Users in Germany are nearly five times as likely as those in the U.S. to be affected by the bug.
Heartbleed is a vulnerability in certain versions of OpenSSL, a set of encryption tools used for securing Web connections. It could allow a hacker or cyber-criminal to access critical data such as user authentication credentials and secret keys.