"As for Reverse Heartbleed, it is not a hacker who attacks a server, but a server that attacks users," said Hong Kong Computer Emergency Response Team's senior consultant Leung Siu-cheong.

Users of Android 4.1.1 who connected to a bad server, website or android application were putting themselves at risk of being hacked, he said.

"A bad server could be disguised as a free Wi-fi hotspot," he added.

Gabriel Leung Shing-koon, general manager of EMC Hong Kong and Macau, said users could get around the Reverse Heartbleed bug by upgrading their operating system.

However, some machines cannot be upgraded beyond Android 4.1.1.

And even if users did upgrade, they would still be vulnerable to the original Heartbleed virus.

He said internet users needed to check their service providers had addressed, or "patched" the Heartbleed bug, or had plans in place to do so.

Heartbleed, he said, was more of a challenge for service providers because users could do very little to protect themselves if they were using a server that had not been patched.

And if the server had not been patched, any information transferred during an encrypted session would be vulnerable to observation and sensitive information could be stolen.

He said after patches were in place, users should change their passwords and other sensitive data. They should also monitor their accounts for unauthorised activity or transactions.

Canadian police last week arrested and charged a 19-year-old man with the theft of 900 taxpayers' data that had been made vulnerable by the Heartbleed bug.