Android apps that use OpenSSL libraries still vulnerable to the Heartbleed exploit have been downloaded more than 150 million times, FireEye has estimated.
In a blog post, the security vendor said that a scan of more than 54,000 Android apps, each with more than 100,000 downloads, found at least 220 million downloads potentially affected by the vulnerability.
App developers have started applying fixes, but the total number of vulnerable downloads was still 150 million by April 17.
Only a small number of Android versions (mainly 4.1.0-4.1.1) use OpenSSL libraries that are vulnerable, FireEye said. But many Android apps bundle native libraries that directly or indirectly use vulnerable OpenSSL libraries.
Most of the vulnerable apps are games, but some are office programs, which carry a much greater potential for data leakage.
While around 17 apps have sprung up on the Google Play store purporting to scan devices for Heartbleed vulnerabilities, FireEye said only six of these check installed apps on the device for vulnerabilities, and only two do a decent check on the apps. Several of the remaining detectors don't perform any real scans and only serve as adware.
Earlier this month, Trend Micro mobile threats analyst Veo Zhang stated that a scan of 390,000 Google Play apps had uncovered 7,000 vulnerable to the Heartbleed bug.