10 VPN apps and companies you should not use. More than 100 million users at risk

An ethical hacking team has conducted in-depth research on the major virtual private network (VPN) tools available on the Google Play Store, discovering multiple security vulnerabilities in several of these applications, which could expose millions of users.

It should be remembered that a VPN is supposed to grant users complete privacy and anonymity when using the Internet, creating an individual private network from a public connection, hiding their IP address and using encrypted connections that are more secure than conventional ones. Recently the use of VPNs has become popular due to the ability to evade geo-blocking on some online platforms such as Netflix, thus accessing content that is restricted in certain areas.

Jan Youngren and his team of ethical hacking specialists analyzed dozens of VPN tools, finding at least ten that have critical security flaws. According to the researcher, the vulnerabilities in these tools can be exploited using man-in-the-middle (MitM) attacks, an attack variant in which the threat actor intercepts communications between people or systems. According to the report, the applications with the most security flaws are:

  • SuperVPN Free VPN Client
  • TapVPN Free VPN
  • Best Ultimate VPN – Fastest Secure Unlimited VPN
  • Korea VPN – Plugin for OpenVPN
  • Wuma VPN-PRO (Fast & Unlimited & Security)*
  • VPN Unblocker Free Unlimited Best Anonymous Secure
  • VPN Download: Top, Quick & Unblock Sites*
  • Super VPN 2019 USA – Free VPN, Unblock VPN Proxy
  • Secure VPN-Fast VPN Free & Unlimited VPN*
  • Power VPN Free VPN*

*Apps that have already been removed from the Play Store

About 105 million users have downloaded some of these apps, so their login credentials, banking information or personal data could have been stolen. According to Youngren, “all navigation data collected by these applications is sent to unknown locations, controlled by potential threat actors. Users think they are browsing safely, but they are actually more exposed than when using a conventional network.”

In their paper, the ethical hacking specialists claim to have notified all companies, although only one acknowledged the report and issued an update patch.

The International Institute of Cyber Security (IICS) recommends that users of any of the potentially affected applications check the official developer platforms for more details on the state of their security.