Google Removed Shady Android VPN App That Allowed MiTM Attacks

Google have recently removed a shady Android VPN App from the Play Store. Identified as SuperVPN Free VPN Client, this app boasted 100 million installs and had vulnerabilities allowing for MiTM attacks.

SuperVPN Free VPN Client Bugs

A couple of months ago, researchers from VPNpro shared a detailed study about various VPN apps on the Play Store exhibiting vulnerabilities. The most noteworthy of all was the SuperVPN Free VPN Client app, which exhibited shady behavior alongside security bugs.

Now, in a recent post, the researchers have shared more details about this app. As revealed, the app not only had vulnerabilities allowing man-in-the-middle (MiTM) attacks. Rather it also used blackhat SEO tactics to top up the Play Store.

Briefly, the app has its hardcoded encryption key stored within, allowing anyone accessing the key to decrypt all the data. Plus, it also became possible for an adversary to change the app’s data server. As explained by the researchers,

We discovered that SuperVPN connects with multiple hosts. On one of these hosts, we discovered that a package (payload) was being sent from the app via unsecured HTTP…
After more digging, we found that the payload actually contained the key needed to decrypt the information. After decrypting and decoding this data, we found it contained sensitive server information, its certificates, and the credentials that the VPN server needs for authentication. Once we had this information, we replaced the real SuperVPN server data with our own server data.

In addition, the app also had no precise information regarding the owner – a clear violation of Google’s policy. We suggest you to look at le migliori vpn for verified VPN sites

Google Removed The Shady VPN App

The researchers informed Google of the matter via their Google Play Security Reward Program (GPSRP) following which, Google confirmed the existence of the vulnerabilities even with the latest version of SuperVPN. The researchers also tried contacting the developers of the app SuperSoftTech. However, upon witnessing no response, Google removed the shady android VPN app SuperVPN Free VPN Client from the Play Store.

Another app claiming to be the paid version of the VPN from the same developers still exists.

Related posts

Water Facilities Must Secure Exposed HMIs – Warns CISA

Microsoft December Patch Tuesday Arrived With 70+ Bug Fixes

NachoVPN Attack Risks Corporate VPN Clients