17 April 2014

An older version of the Android operating system (v4.1.1), which runs on a variety of mobile handsets and devices, is vulnerable to the Heartbleed bug. Some Android apps are also vulnerable.

Android version 4.1.1

Google has confirmed Android version 4.1.1 is affected by Heartbleed. It released a fix for this some days ago, but you should be aware it may take time for the update to filter through the handset manufacturers and providers that support your particular device.

All other Android versions are not affected.

You should check your version of Android and ensure you are using the latest version available for your handset. Be aware that you may be using a device with an operating system version that is vulnerable.

Android v4.1.1 is more than a year old, and many devices around this age are likely still running it.

With so many different devices in the Android ecosystem, some may not receive this update for a long time, and some potentially not at all.

As yet, there have been no reports of a mobile device being attacked via the Heartbleed bug, but there are millions of devices potentially at risk.

Updates for Android devices are generally pushed out in stages depending on your handset and service provider. You will usually receive a notification advising if an update is available, but this is not always the case. You can check for updates manually by looking in your Settings for ‘Software Update’ or similar. Apply them if they are available.

You can also check your current version of Android in your Settings.

An app called Heartbleed Security Scanner has recently been published by mobile security vendor Lookout Mobile Security, enabling you to check whether your version of Android is affected by Heartbleed. This does not check the apps that you run on your device, just the operating system.

Mobile security or mobile antivirus apps do not address Heartbleed.

Many researchers have suggested that if you do have a vulnerable device, you should not use it for activities involving sensitive or personal information.

Apps affected

In addition to the affected version of Android, a number of apps on Android have also been identified as affected. Trend Micro reports its latest scan of apps listed in the Google Play store found 273 that were affected.

In addition, many other apps also include functions that connect them with servers that may be affected by Heartbleed. Personal information, such as you might provide to an app for an in-app purchase or shopping, can be stored on these servers, and if the server is affected, this information may be vulnerable.

The server owners and app developers should be addressing these issues. Until then, researchers have suggested that Android users avoid uploading sensitive or financial information via apps.

Whether it is your phone or your computer, ensuring your system and apps are up to date is one of the best things you can do to stay safe online.

More information

See Google’s post about its updates for affected services, including Android.

McAfee provides a good explanation of the Heartbleed vulnerability.

News website Ars Technica provides a useful discussion of the issues affecting Android devices.

The information provided here is of a general nature. Everyone's circumstances are different. If you require specific advice you should contact your local technical support provider.

Feedback

Thank you to those subscribers who have provided feedback to our Alerts and Newsletters. We are very interested in your feedback and where possible take on board your suggestions or requests.

Disclaimer

This information has been prepared by Enex TestLab for the Department of Communications ('the Department'). It was accurate and up to date at the time of publishing.

This information is general information only and is intended for use by private individuals and small to medium sized businesses. If you are concerned about a specific cyber security issue you should seek professional advice.

The Commonwealth, Enex TestLab, and all other persons associated with this advisory accept no liability for any damage, loss or expense incurred as a result of the provision of this information, whether by way of negligence or otherwise.

Nothing in this information (including the listing of a person or organisation or links to other web sites) should be taken as an endorsement of a particular product or service.

Please note that third party views or recommendations included in this information do not reflect the views of the Commonwealth, or indicate its commitment to a particular course of action. The Commonwealth also cannot verify the accuracy of any third party material included in this information.

CONTACT US

Facebook: www.facebook.com/staysmartonline
Email: staysmartonline [at] communications.gov.au
Web: www.staysmartonline.gov.au

© 2013 Australian Government. All rights reserved
