Google has removed an Android VPN program from the Google Play store after researchers notified it of a critical vulnerability. The app, SuperVPN, has been downloaded over 100 million times.
Virtual private networks (VPNs) let users create encrypted connections to online servers that then serve as their gateway to the Internet. They enable users to tunnel safely to the internet when using untrusted local connections such as those in public places like coffee shops. In theory, they should stop intruders from sniffing your traffic on insecure networks. SuperVPN is one of dozens of programs that supposedly serve this function for Android devices.
VPNpro, a company that reviews and advises on VPN products, warned in February of a vulnerability in the product that could cause a man in the middle (MITM) attack, enabling an intruder to insert themselves between the user and the VPN service. It said at the time:
What this VPN app has done is to leave its users, people seeking extra privacy and security, to actually have less privacy and security than if they’d used no VPN at all.
The program was sending encrypted data, but it hard coded the decryption key, the review site said. Decrypting the data revealed information about SuperVPN’s server, certificates, and authentication credentials. VPNpro was able to replace that data with its own.
That means the attacker can force SuperVPN to connect to a fake server, enabling them to see all of the user’s data including passwords, private text, and voice messages, VPNpro said.
VPNpro’s researcher Jan Youngren discovered the vulnerability in October 2019, adding that its developer, SuperSoftTech, likely based in Beijing, didn’t respond to its notification. Instead, it notified the Google Play Security Reward Program (GPSRP), operated for Google by HackerOne. That team couldn’t get a response from SuperSoftTech either, so it removed the program from the Google Play store on 7 April, 2020.
This isn’t the first time that SuperVPN has cropped up in vulnerability research. It also got a mention in a 2016 paper that researched security risks in Android VPNs. That research, presented at the Association for Computing Machinery’s 2016 Internet Measurement Conference (IMC), found that 13 antivirus programs detected malware activity in the software. It took third place in a ranking of Android VPNs most often flagged with malware-like activity by antivirus programs.
SuperVPN wasn’t the only Android VPN to raise VPNpro’s concerns. It identified nine others in its February blog post that it said had critical vulnerabilities leaving their users vulnerable to to MITM attacks. A quick check shows that several of them are still available for download on the Play Store.
Latest Naked Security podcast
LISTEN NOW
Click-and-drag on the soundwaves below to skip to any point in the podcast. You can also listen directly on Soundcloud.
Tharun
In your news it is told that SuperVPN has been removed. But i see still it is available in play store!
So are you or google spreading fake news?
Paul Ducklin
I just had a look and the one on Google Play is the Pro version. “This is the pro version of SuperVPN Free. Users need to buy VIP to use the service.”
I can only assume that Google found that the pay-to-play flavour of the app didn’t have the same coding issues…