Google said that devices running Android 4.1.1 Jelly Bean are vulnerable to the Heartbleed bug.
While most devices are running newer software, analytics firm Chikita reports as many as 50 million devices still use Jelly Bean, which was released in 2012.
Phones affected by the security flaw could have their browsers harvested for data which may expose information about past sessions and log-in credentials.
Google has provided a security patch to handset makers and wireless carriers, that they can deliver to users.
Android apps have not been spared from the Heartbleed bug either. Researchers Yulong Zhang, Hui Xue and Tao Wei from internet security firm. FireEye say that at least 220 million downloads were affected by the Heartbleed vulnerability as of April 10. Most of the vulnerable apps are games and some are office-based applications.
The researchers said that they had notified some of the affected developers and vendors, who have since implemented patches and fixes. As of April 17, the total number of vulnerable apps download has since decreased to 150 million.
Android users should check if there are any updates to their apps and ensure that they have the latest security patches from their phone manufacturers. A list compiled by Digital Trends highlighted a number of popular phone models from HTC, Motorola, Samsung and Sony that are at risk. Users of affected devices are advised to avoid surfing the web, e-mailing, using online banking services or "doing anything serious on the device" until a fix is issued.
With additional reporting by AsiaOne.
This article was published on April 23 in Digital Life, The Straits Times.
Get a copy of Digital Life, The Straits Times or go to straitstimes.com for more stories.