Our website uses cookies

Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing Infosecurity Magazine, you agree to our use of cookies.

Okay, I understand Learn more

Millions of Android App Downloads Are Vulnerable to Heartbleed Bug

Earlier in the month, FireEye scanned more than 54,000 Google Play apps and found that there were at least 220 million downloads affected by the Heartbleed vulnerability
Earlier in the month, FireEye scanned more than 54,000 Google Play apps and found that there were at least 220 million downloads affected by the Heartbleed vulnerability

Earlier in the month, FireEye scanned more than 54,000 Google Play apps (each with more than 100,000 downloads), and found that there were at least 220 million downloads affected by the Heartbleed vulnerability. According to researchers at the firm, the majority of these apps are games, however many are also office-based applications, potentially endangering the enterprise.

In a posting with the Blade Runner-esque title of “If an Android Has a Heart, Does It Bleed?”, FireEye researchers Yulong Zhang, Hui Xue and Tao Wei noted that although the Android platform itself is not vulnerable directly to Heartbleed, individual Android apps frequently use native libraries, which either directly or indirectly leverage vulnerable OpenSSL libraries. Due to the fact that servers can send heartbeats to clients as well, malicious servers can, in turn, attack vulnerable clients and steal sensitive information.

“Attackers can still attack those vulnerable apps,” they said. “They can hijack the network traffic, redirect the app to a malicious server and then send crafted heartbeats messages to the app to steal sensitive memory contents. Although there is not much valuable information in the game apps, attackers can steal OAuth tokens (access tokens and refresh tokens) to hijack the game accounts; as such, the information might be useful for hijacking those linked social network accounts with incorrect configurations. Office apps vulnerable to Heartbleed are much more dangerous due to further potential data leakage.”

There is somewhat decent, if ironic, news in the investigation: Poor coding practices sometimes inadvertently reduce some apps’ overall risk profile.

“During our investigation of the office apps that contain a vulnerable version of OpenSSL, we were surprised that they were not vulnerable to the Heartbleed attack,” the researchers noted. “A deeper look shows that these apps either make a mistake in the native code linkage, or just contain dead code. Therefore, when they try to invoke SSL functions, they directly use the non-vulnerable OpenSSL library contained within the Android OS, instead of using the vulnerable library provided by the app. The linkage mistake is common for Android applications built with native code", FireEye wote in its analysis. 

“We have notified some of the app developers and library vendors about the OpenSSL Heartbleed vulnerability found in their products,” said Zhang, et. al. “Fortunately, it seems most app developers and library vendors take Heartbleed seriously, as we have started to see apps updated with proper fixes. The total number of vulnerable apps download has since decreased to 150 million on April 17.”

FireEye also found that companies have already created about 17 “Heartbleed detectors” for the Google Play marketplace that claim to detect any and all vulnerable apps. The firm cautions against trusting them, however.

“Within the 17 Heartbleed detector apps on Google Play, only six detectors check installed apps on the device for Heartbleed vulnerability,” the researchers said. “Within the six, two report all apps installed as ‘safe’, including those we confirmed as vulnerable. One detector doesn’t show any app scan results and another one doesn’t scan the OpenSSL version correctly. Only two of them did a decent check on Heartbleed vulnerability of apps.”

They added, “We’ve also seen several fake Heartbleed detectors in the 17 apps, which don’t perform real detections nor display detection results to users and only serve as adware.”

What’s Hot on Infosecurity Magazine?