An ethical hacking team has conducted in-depth research on the major virtual private network (VPN) tools available on the Google Play Store, discovering multiple security vulnerabilities in several of these applications that could expose millions of users.
It should be remembered that a VPN is supposed to protect users' privacy on the Internet by creating an encrypted tunnel over a public connection, hiding their real IP address from the sites they visit and protecting traffic that would otherwise travel in the clear. VPNs have recently become popular because they can evade geo-blocking on online platforms such as Netflix, giving access to content that is restricted in certain regions.
Jan Youngren and his team of ethical hacking specialists analyzed dozens of VPN tools and found at least ten with critical security flaws. According to the researcher, the vulnerabilities in these tools can be exploited through Man-in-the-Middle (MitM) attacks, in which the threat actor sits between two communicating parties and intercepts, and potentially alters, the traffic between them. A VPN client that can be subjected to a MitM attack defeats its own purpose, since the attacker sees exactly the traffic the tunnel was meant to protect. According to the report, the applications with the most security flaws are:
- SuperVPN Free VPN Client
- TapVPN Free VPN
- Best Ultimate VPN – Fastest Secure Unlimited VPN
- Korea VPN – Plugin for OpenVPN
- Wuma VPN-PRO (Fast & Unlimited & Security)*
- VPN Unblocker Free Unlimited Best Anonymous Secure
- VPN Download: Top, Quick & Unblock Sites*
- Super VPN 2019 USA – Free VPN, Unblock VPN Proxy
- Secure VPN-Fast VPN Free & Unlimited VPN*
- Power VPN Free VPN*
*Apps that have already been removed from the Play Store
About 105 million users have downloaded these apps between them, so their login credentials, banking information or personal data could have been stolen. According to Youngren, “all navigation data collected by these applications is sent to unknown locations, controlled by potential threat actors. Users think they are browsing safely, but they are actually more exposed than when using a conventional network.”
In their report, the ethical hacking specialists state that they notified all of the companies involved, although only one acknowledged the report and issued a patch.
The International Institute of Cyber Security (IICS) recommends that users of any of the potentially affected applications review official developer platforms for more details on the state of their security.
He is a well-known expert in mobile security and malware analysis. He studied Computer Science at NYU and started working as a cyber security analyst in 2003. He is actively working as an anti-malware expert and has also worked for security companies such as Kaspersky Lab. His everyday job includes researching new malware and cyber security incidents, and he has in-depth knowledge of mobile security and mobile vulnerabilities.