You might have changed all your passwords in the days since you learned of the Heartbleed bug, but if you're one of millions of people using certain Android devices, you might still be vulnerable.
Numerous devices running older versions of Google’s Android operating system may be at risk from the high-profile bug, according to Marc Rogers, a security expert at the mobile security firm Lookout.
Rogers told The Huffington Post that people using Android version 4.1.1 should avoid sensitive transactions on their mobile devices because a hacker could exploit the Heartbleed bug to steal their data.
“The whole device is vulnerable, so you should be cautious about the kind of sites you use,” Rogers said in an interview. “I’d be cautious about doing banking on your phone.”
Last week, researchers revealed that a flaw in a popular method of securing online transactions allows hackers to steal passwords, credit card data or even Social Security numbers from two-thirds of websites. Experts have since warned the bug also affects home routers and other Internet-connected devices because many companies use the flawed OpenSSL software to secure their products.
There is no evidence yet that hackers have exploited the flaw to steal data from smartphones. But Rogers said a hacker could take advantage of the Heartbleed bug if people open a malicious website on a vulnerable phone while doing online banking on that device. A hacker could jump from the malicious website to the banking website to steal sensitive data like passwords, he said. Rogers added that such an attack was complex and the likelihood of it happening was relatively low.
But as many as 50 million Android devices worldwide may be vulnerable to the Heartbleed bug, according to the Guardian. A Google spokesperson said less than 10 percent of devices run on the vulnerable Android operating system. About 1.1 billion devices are expected to run on the Android operating system this year, according to Gartner, a research firm.
Lookout has released a free app that lets Android users see if they are running a vulnerable version of the software on their phone.
Last week Google published a blog post that said the company had issued a patch to fix the Heartbleed bug in Android 4.1.1. But smartphone manufacturers and wireless carriers must also update the devices, and that takes time, Rogers said.
Rogers recommended that people using the old Android software update their operating system. If there are no updates available, they should contact their smartphone’s manufacturer to see if that device is now safe to use, he said.
The Heartbleed bug affects smartphones in other ways. Over the weekend, BlackBerry said it would update its messaging software after finding the service was vulnerable to the Heartbleed bug on Google's Android software and Apple's mobile operating system.
Rogers said the types of devices affected by the bug will grow in the coming weeks because the flawed encryption software was widely used. He said Internet-connected appliances and electronics like smart TVs may also be affected.
“I suspect we're going to be finding these things for some time to come,” Rogers said.