Security researchers have discovered critical vulnerabilities in popular free VPN apps for Android. The vulnerabilities allow attackers to perform man-in-the-middle attacks and steal sensitive user data.

Several of these dangerous VPN apps are installed on more than 120 million devices in total. One of them, a free VPN called SuperVPN, is installed on at least 100 million Android devices alone.

The app has users in 150 countries.


SuperVPN is presented as the work of SuperSoftTech, a Singapore-based company. In fact, however, it belongs to a freelance application publisher, Jinrong Zheng, from China.

Unencrypted communications

Security researchers examined SuperVPN and found that it sends sensitive, encrypted data over plain, unsecured HTTP instead of an authenticated TLS connection.

The app also embeds the encryption key itself, which allowed the researchers to decrypt that data.

Decrypting it revealed sensitive details about the SuperVPN server, its certificates, and the credentials used to authenticate to the VPN server.

Because anyone who has the app also has the key, an attacker sitting between the client and the server can use this information to replace the real SuperVPN server data with forged server data, pointing the client at a server the attacker controls.
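The following is an added example, not code from the researchers or from SuperVPN, that models the weakness just described: a client that fetches its server configuration over plain HTTP, "protected" only by a key shipped inside the APK. The key, the HMAC-based stream cipher standing in for whatever cipher the real app used, the JSON config layout and the hostnames are all constructed placeholders. The example also goes one step beyond the article by attaching an integrity tag to the blob, to show that a tag computed with the same embedded key does nothing against an attacker who has extracted that key.

```python
"""Model of an app-embedded symmetric key protecting an HTTP config download.

Constructed example. The key, cipher, config format and hostnames are
placeholders; none of them are SuperVPN's real values.
"""
import hashlib
import hmac
import json
import os

# Stand-in for the key an attacker recovers by unpacking the APK (not the real key).
HARDCODED_KEY = hashlib.sha256(b"placeholder-key-baked-into-the-apk").digest()

NONCE_LEN = 16
TAG_LEN = 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode, used here as a stand-in stream cipher.
    The weakness does not depend on the cipher: the problem is where the key lives."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || HMAC tag.  The tag uses the same key as the
    cipher, so it stops only attackers who do NOT have the app's key."""
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    """Verify the tag, then decrypt.  Raises ValueError on a bad tag."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity tag mismatch")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


def legit_server_response() -> bytes:
    """What the genuine config server sends over http:// (constructed values)."""
    config = {
        "server": "vpn.example.net:443",
        "cert_fingerprint": "sha256:LEGIT-PLACEHOLDER",
        "username": "app-user",
        "password": "shared-secret",
    }
    return seal(HARDCODED_KEY, json.dumps(config).encode())


def client_parse_config(blob: bytes) -> dict:
    """The client's only check is 'does it unseal under the embedded key?'.
    That check passes for anything produced by anyone who has the APK."""
    return json.loads(unseal(HARDCODED_KEY, blob))


def eavesdrop(blob: bytes) -> dict:
    """Passive on-path attacker: the HTTP response is readable with the extracted key."""
    return json.loads(unseal(HARDCODED_KEY, blob))


def mitm_rewrite(blob: bytes, attacker_server: str, attacker_fingerprint: str) -> bytes:
    """Active on-path attacker: decrypt, redirect the client, re-seal with the same key.
    The client cannot distinguish this from the genuine response."""
    config = eavesdrop(blob)
    config["server"] = attacker_server
    config["cert_fingerprint"] = attacker_fingerprint
    return seal(HARDCODED_KEY, json.dumps(config).encode())


def blind_tamper(blob: bytes) -> bytes:
    """An attacker WITHOUT the key flipping a ciphertext byte: this one is caught."""
    mutable = bytearray(blob)
    mutable[NONCE_LEN] ^= 0x01
    return bytes(mutable)


if __name__ == "__main__":
    real = legit_server_response()
    print("client trusts:", client_parse_config(real)["server"])
    forged = mitm_rewrite(real, "vpn.attacker.example:443", "sha256:ATTACKER-PLACEHOLDER")
    print("client now trusts:", client_parse_config(forged)["server"])
```

The integrity tag rejects a blind byte flip but not a rewrite by someone holding the APK's key, which is every attacker in this scenario. No symmetric construction fixes that: the client needs to authenticate the server with something the attacker cannot copy out of the app, such as a TLS connection with proper certificate validation (or pinning), or a signature over the configuration verified with a public key the app carries.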

The severity of the vulnerabilities

According to experts, attackers can exploit these VPN vulnerabilities to monitor users' communications and activities. In this way they can learn sensitive information such as the sites users visit, and they can steal usernames and passwords, photos, videos, messages and more.

According to the researchers, "some applications have their encryption keys in the VPN application. This means that even if the data is encrypted, hackers can easily decrypt it using these keys."

In other words, the VPN developers left the keys inside the app itself, giving attackers easy access to the supposedly encrypted user data.

"In 2016, SuperVPN had only 10,000 downloads. Now, it has more than 100 million. Although many articles said that SuperVPN was malicious, it has not yet been removed from the Play Store," the researchers said.
