Google has admitted that some Android phones may be vulnerable to the Heartbleed bug currently undermining the fabric of the encrypted web.
The search giant had already said that many of its services could be compromised by the flaw in OpenSSL, discovered last week by three researchers (including one of its own engineers).
But it has now added that anyone running Android 4.1.1 on their mobile device could be affected too.
In a recent blog post outlining its vulnerable services and its attempts to patch them, Google said that all version of Android are safe from the bug -- except one.
It is now known how many people are running 4.1.1 specifically, but Google's own figures suggest 34.4% are running a version 'in between' 4.1 and 4.1.2. It's probably not that high a number -- most users will have installed a security patch released 90 days after 4.1.1 -- but it's worth checking.
Compounding the problem, many Android users are dependent on phone manufacturers to update their OS, not Google, meaning its swift patching work might not be quick enough for many.
If you want to check if your phone is affected, go to settings and 'About Phone' to see exactly which version you're running. If it's 4.1.1, try to update your phone to the latest version in the usual way.
Meanwhile we're keeping a running tally of the affected servers and their current status here - check to find out which of your passwords you should change.