Warning: Heartbleed bug is back and it's in reverse

More 'Heartbleed' is on the way for users of Android 4.1.1, IT experts warn, as the latest variant of the OpenSSL bug uses malicious servers to attack users

PUBLISHED : Monday, 21 April, 2014, 4:10am
UPDATED : Monday, 21 April, 2014, 6:06am

Users of Android phones running a particular version of the Jelly Bean operating system should take extra care with free Wi-Fi hotspots and unfamiliar websites, as such phones are vulnerable to a new variant of the "Heartbleed" bug, IT experts warn.

The Android 4.1.1 system is susceptible to the "Reverse Heartbleed" bug - a variation of the flaw that has alarmed authorities worldwide and last week helped hackers to steal social insurance numbers from the Canada Revenue Agency.

With the original Heartbleed, hackers use a flaw in the encryption library OpenSSL to attack computer servers and gain access to users' communication records, login usernames and passwords.

"As for Reverse Heartbleed, it is not a hacker who attacks a server, but a server that attacks users," said Hong Kong Computer Emergency Response Team's senior consultant Leung Siu-cheong.

Users of Android 4.1.1 who connected to a bad server, website or Android application were putting themselves at risk of being hacked, he said.

"A bad server could be disguised as a free Wi-Fi hotspot," he added.

Gabriel Leung Shing-koon, general manager of EMC Hong Kong and Macau, said users could get around the Reverse Heartbleed bug by upgrading their operating system.

However, some machines cannot be upgraded beyond Android 4.1.1.

And even if users did upgrade, they would still be exposed to the original Heartbleed bug on any unpatched server they connected to.

He said internet users needed to check that their service providers had addressed, or "patched", the Heartbleed bug, or had plans in place to do so.

Heartbleed, he said, was more of a challenge for service providers because users could do very little to protect themselves if they were using a server that had not been patched.

And if the server had not been patched, any information transferred during an encrypted session would be vulnerable to observation and sensitive information could be stolen.

He said after patches were in place, users should change their passwords and other sensitive data. They should also monitor their accounts for unauthorised activity or transactions.

Canadian police last week arrested and charged a 19-year-old man with the theft of 900 taxpayers' data that had been made vulnerable by the Heartbleed bug.

To check if your phone uses Android 4.1.1, go to "Settings" and "About phone". Some websites provide tools to check for vulnerability to Heartbleed. Enter the website address or host name of the e-mail server and the tool will indicate if it is vulnerable. A list can be found at