warns that “the implications are pretty dire”, in a new report on “very dangerous” apps found on Google’s Play Store. “Right now, more than 105 million people could have their credit card details stolen, their private videos and photos sold online, and their private conversations recorded and sent to a server at a secret location.”
VPNpro, the team behind this research, has strong form here. It previously exposed Shenzhen Hawk, a Chinese subsidiary of the TCL Corporation, for loading malicious apps onto the Play Store. I shared those findings with Google, which quickly removed all 24 malicious apps from its store. This time I did the same, and Google started an immediate investigation.
This issue is more dangerous than any other, because it goes to the core of user safety and security. Worse, one of the most dangerous of the ten apps has been called out numerous times before. It is an app with more than 100,000,000 installs, and one review said that “this app raises so much red flags” and that “it is impossible to recommend even for the most basic of tasks.”
VPNpro, as before, concentrated on the most popular free VPNs returned by a Play Store search. The team “developed a proof-of-concept for creating a man in the middle (MITM) attack.” All this took place last year, and the developers responsible were informed of their vulnerabilities by October. Best Ultimate VPN, one of the affected apps, responded by patching its software. VPNpro says none of the other apps responded to the disclosure or took any action. Google is currently investigating.
A VPN acts as a secure gateway between the device and the outside world, which matters most on public connections. If the VPN itself is compromised, that gateway becomes a weapon a threat actor can turn against the device.
VPNpro warns that hackers can intercept users’ communications, including usernames and passwords as well as photos and videos. Each of the ten apps had some form of encryption issue, which puts user data at risk.
“Because of these vulnerabilities,” VPNpro says, “hackers can easily force users to connect to their own malicious VPN servers.” The report adds that “it’s disastrous that a VPN would have these vulnerabilities – after all, users are connecting to VPNs in order to increase their privacy and security… For a VPN app to be so vulnerable is a betrayal of user trust and puts those users in a worse position than if they hadn’t used a VPN at all.”
There is no suggestion that these VPN operators are malicious actors or have used their apps to abuse data. More likely, the developers did not apply security diligence to their software, or are not even aware of the issues. For users, however, the risk is the same either way.
This is yet another reminder to Android users to be careful about which apps they install on their phones. Being available on the Play Store does not automatically make an app safe, and apps from obscure or hard-to-trace developers can be free for a reason. VPNpro says these “very dangerous” apps have “critical vulnerabilities,” yet they have been downloaded from the Play Store by more than 100 million users.
These vulnerabilities mean victims may never realise an attack is underway; a user would have no way of knowing they were being attacked through their VPN. Worse, where a VPN is being used to protect against dangerous surveillance, that exposure could have serious consequences.
Such attacks would be opportunistic rather than aimed at particular individuals: a threat actor could set up a malicious WiFi hotspot and watch for connections from any of these vulnerable VPNs, triggering an attack once a match is found. That might sound far-fetched, but imagine a popular app with these vulnerabilities combined with a public WiFi hotspot near the site of a demonstration or protest, where every user would assume they are safe.
Mobile vulnerabilities are a soft entry point into many people’s lives. Security experts warn that attacks on larger systems often begin with intercepted mobile user credentials. State actors have been accused of attacking messaging platforms with sophisticated exploits; downloading insecure software like the apps disclosed today leaves you open to a far easier attack.
SuperVPN is the most popular of the apps, with more than 100 million installs. Its vulnerabilities were described in prior research dating back to 2016, and more recently it was accused of manipulating the Play Store to drive downloads. Remarkably, SuperVPN had only 10,000 installs when it was first identified as a threat. It now has more than 100 million.
VPNpro reports that SuperVPN connects to multiple hosts, and that some of those communications are sent over unsecured HTTP. The data in those communications was encrypted, but the team dug further and found the key needed to decrypt it. The team said it was “surprised Google allowed such an app with over 100 million downloads to remain on Google Play Store with such a glaring vulnerability.”
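The SuperVPN finding just described (a server list fetched over plain HTTP and protected only by a key that can be recovered from the app itself) and the earlier warning that attackers can force users onto their own VPN servers come down to the same missing property: the app never checks that the configuration it receives is authentic, so whoever sits on the network path can hand it a different server list. The Go program below is an added example, not code from VPNpro or from any of the apps named in this article, showing the defender-side check: the client refuses non-HTTPS configuration URLs, and it accepts a server list only if it carries a valid Ed25519 signature from a public key pinned in the app. The key pair, JSON layout and host names are constructed for the example; in a real deployment the private key stays with the vendor and only the public key ships in the app.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
	"net/url"
)

// ServerConfig is a constructed stand-in for the server list a VPN client fetches.
type ServerConfig struct {
	Servers []string `json:"servers"`
	Version int      `json:"version"`
}

// SignedConfig carries the exact payload bytes plus a detached signature over them.
// Signing the bytes as received, rather than a re-encoded struct, avoids
// canonicalisation mismatches between signer and verifier.
type SignedConfig struct {
	Payload   []byte
	Signature []byte
}

// AllowedConfigURL is the transport policy: configuration may only be fetched
// over HTTPS, so a plain http:// URL is refused before any request is made.
func AllowedConfigURL(raw string) error {
	u, err := url.Parse(raw)
	if err != nil {
		return err
	}
	if u.Scheme != "https" {
		return fmt.Errorf("config URL %q rejected: scheme must be https", raw)
	}
	if u.Host == "" {
		return errors.New("config URL rejected: no host")
	}
	return nil
}

// SignConfig is the vendor-side step. The private key never ships in the app.
func SignConfig(priv ed25519.PrivateKey, cfg ServerConfig) (SignedConfig, error) {
	payload, err := json.Marshal(cfg)
	if err != nil {
		return SignedConfig{}, err
	}
	return SignedConfig{Payload: payload, Signature: ed25519.Sign(priv, payload)}, nil
}

// VerifyConfig is the client-side step. Only the pinned public key is embedded,
// and the payload is parsed only after its signature has been checked.
func VerifyConfig(pinned ed25519.PublicKey, sc SignedConfig) (ServerConfig, error) {
	if !ed25519.Verify(pinned, sc.Payload, sc.Signature) {
		return ServerConfig{}, errors.New("server config rejected: bad signature")
	}
	var cfg ServerConfig
	if err := json.Unmarshal(sc.Payload, &cfg); err != nil {
		return ServerConfig{}, err
	}
	return cfg, nil
}

// Demo runs the whole flow with a freshly generated (constructed) key pair and
// returns (genuineAccepted, tamperedRejected) so the outcome can be checked.
func Demo() (bool, bool, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return false, false, err
	}
	genuine := ServerConfig{Servers: []string{"vpn1.example.net:443"}, Version: 7}
	signed, err := SignConfig(priv, genuine)
	if err != nil {
		return false, false, err
	}
	_, errGenuine := VerifyConfig(pub, signed)

	// Model an on-path modification: same signature, different server list.
	// Because the signature no longer matches the bytes, the client must refuse it.
	tampered := signed
	tampered.Payload = []byte(`{"servers":["rogue.example:443"],"version":7}`)
	_, errTampered := VerifyConfig(pub, tampered)

	return errGenuine == nil, errTampered != nil, nil
}

func main() {
	ok, rejected, err := Demo()
	fmt.Println("genuine config accepted:", ok, "| tampered config rejected:", rejected, "| err:", err)
	fmt.Println("http URL allowed:", AllowedConfigURL("http://config.example.net/servers.json") == nil)
}
```

The two checks are independent: HTTPS protects the download in transit, while the pinned-key signature protects the content even if a certificate or proxy on the device has been subverted, and neither depends on a secret being hidden inside the APK, which is exactly the assumption the SuperVPN finding shows does not hold.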
This is disappointing for one of the most downloaded VPN apps on the Play Store, and one that has previously been reported as potentially dangerous. Although the developer of SuperVPN is hard to trace, I was able to contact a Beijing-based email address before publishing.
Six of the ten apps listed by VPNpro were still available on the Play Store at the time of publication. VPNpro recommends using common sense when choosing a VPN: Is the provider trustworthy? What permissions does the app require? Is the VPN based in a privacy-friendly country?
And VPNpro warns that “if you have downloaded any of these harmful apps,” you should delete them immediately.