Android Users Beware: 100 Million Users Must Delete This ‘Very Dangerous’ App Now

Discussion in 'Headline News' started by RickAgresta, Apr 8, 2020.

    RickAgresta Peanut, leader of the Peanutty Forces

    It has taken some time, but after multiple warnings and reports, Google has now removed a security app from the Play Store that researchers have described as “very dangerous” and which has accumulated more than 100 million installs. “This app raises so many red flags,” one review warned a year ago, “that it's impossible to recommend for even the simplest of tasks,” and so its removal is not a surprise.

    Google is determined to crack down on hidden threats hiding in Android’s official store. Where those threats are overtly malicious malware, that’s straightforward. This time, though, the issue was a security vulnerability a Chinese developer had repeatedly failed to fix—a vulnerability that exposed users to “critical man-in-the-middle attacks.” That risk has now been removed. But for those with the app—SuperVPN—installed on their phones, you should delete it right away.

    SuperVPN’s risks were disclosed in previous research dating back to 2016. More recently, it was accused of manipulating the Play Store to drive installs. Alarmingly, when SuperVPN was first identified as being a risk it had just 10,000 installs. It now has more than 100 million. The latest security warnings came from VPNpro, as I reported in February, and I have been in contact with Google since then, as has the research team, seeking the app’s removal from Play Store.

    According to VPNpro, SuperVPN “allows hackers to intercept communications between the user and the provider, and even redirect users to a hacker’s malicious server instead of the real VPN server.” There is no inference that the app’s developer was responsible for any attacks or data interception. But the risks were well known and publicised, making it an open vulnerability for others to exploit.

    “In our tests,” VPNpro reported back in February, “we noticed that SuperVPN connects with multiple hosts, with some communications being sent via unsecured HTTP. This contained encrypted data. But after more digging, we found that this communication actually contained the key needed to decrypt the information.” The team says it is “surprised Google allows such a major app with at least 100 million installs to remain on the Play store with such a glaring vulnerability.”

    Google confirmed this vulnerability to the VPNpro team last month, and then today, April 7, took the decision to remove this popular app from its Play Store.

    The researchers’ testing found the following three issues with SuperVPN:

    1. Unencrypted HTTP traffic: “anyone sniffing can read your communications. Sending sensitive data over HTTP is highly unsecured, and this should be forbidden by the app developer.”
    2. Hardcoded encryption keys: Even where information is encrypted, “the keys to decrypt that information are found within the app.”
    3. Payload including EAP credentials: “VPNs use EAP credentials so users outside the app can’t connect to the same VPN server. By sending EAP credentials in an unencrypted payload, it defeats this purpose.”

    “The implications are pretty dire,” VPNpro warned in February. “More than 100 million people could have their credit card details stolen, their photos and videos sold online, their conversations recorded and sent to a server in a secret location.”
