Critical vulnerabilities in top Android VPN apps allow data theft

Security researchers have discovered critical vulnerabilities in top VPN apps offered for free on Android devices . The vulnerabilities allow attackers to perform Man-in-the-Middle attacks and steal sensitive  user data .

There are many dangerous VPN apps installed on more than 120 million devices . The free VPN, called SuperVPN , is installed on at least 100 million Android devices .

This VPN application is used by users in 150 countries.

SuperVPN is designed by SuperSoftTech , a Singapore-based company. In fact, however, it belongs to freelance application publisher, Jinrong Zheng , from China .

Unencrypted communications

Security investigators examined SuperVPN and found that sensitive encrypted data was being sent via unsecured HTTP.

The VPN application also contains an encryption key that allowed researchers to decrypt the data.

This results in finding sensitive data about the SuperVPN server , its certificates and the credentials that the VPN server needs to authenticate.

Attackers can use this information and replace the actual SuperVPN server data with false server data.

The severity of the vulnerabilities

According to experts, attackers can exploit VPN vulnerabilities and monitor users’ communications and activities . In this way, they can access sensitive data, such as sites visited by users . In addition, they can steal usernames and passwords, photos , videos, messages and more.

According to researchers, “some applications have their encryption keys in the VPN application. This means that even if the data is encrypted, hackers can easily decrypt it using these keys. “

VPN application developers have left some of the keys behind helping attackers gain easy access to encrypted user data.

“In 2016, SuperVPN had only 10,000 downloads. Now, it has more than 100 million. Although many articles said that SuperVPN was malicious , it has not yet been removed from the Play Store, ”the researchers said.