Google removes Android VPN with ‘critical vulnerability’ from Play Store
Virtual private networks (VPNs) create an encrypted tunnel from a user's device to a remote server, which then acts as the device's gateway to the Internet. They let users connect over untrusted local networks, such as public Wi-Fi in coffee shops, because in theory the tunnel should stop anyone on that network from sniffing their traffic. SuperVPN is one of dozens of Android apps that claim to provide this.
VPNpro, a company that reviews and advises on VPN products, warned in February of a vulnerability in the app that exposed its users to man-in-the-middle (MITM) attacks, in which an intruder inserts themselves between the user and the VPN service. It said at the time:
What this VPN app has done is to leave its users, people seeking extra privacy and security, to actually have less privacy and security than if they’d used no VPN at all.
The app encrypted the data it exchanged with its backend, but the decryption key was hard-coded into the app itself, the review site said. Anyone who extracted that key could decrypt the traffic, which turned out to contain details of SuperVPN's servers, certificates, and authentication credentials. VPNpro was able to replace that data with its own.
That means an attacker can force SuperVPN to connect to a fake server and then see all of the user's data, including passwords, private text, and voice messages, VPNpro said.
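The flaw described above comes down to one design mistake: a key shipped inside the app provides obfuscation, not integrity, because the attacker in the path has the same key. The following Python sketch is an added example, not code from SuperVPN, VPNpro or the original article. The keys, the config fields, the server names and the attacker's address are all made up, and the cipher is a SHA-256 counter-mode toy that stands in for AES so the script runs with the standard library only. It reproduces the pattern: the client decrypts a server config with embedded keys and connects wherever it points; an attacker who pulled those keys from the APK decrypts the captured blob, rewrites the server and certificate fields, re-seals it, and the client accepts it. It also shows that adding an HMAC under a second embedded key changes nothing, since the attacker can compute that tag too.

```python
import hashlib
import hmac
import json
import os

# Hypothetical keys standing in for whatever the real app embedded.
# Both live inside the APK, so anyone who unpacks the app can read them.
APP_ENC_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")
APP_MAC_KEY = bytes.fromhex("ffeeddccbbaa99887766554433221100")


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy counter-mode stream cipher built from SHA-256 so the example runs
    with the standard library only; a stand-in for AES-CTR, not a recommendation.
    XOR-based, so the same call both encrypts and decrypts."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], block))
    return bytes(out)


def seal_config(config: dict, enc_key: bytes, mac_key: bytes) -> bytes:
    """Encrypt a server-config dict and append an HMAC tag: nonce || ct || tag."""
    nonce = os.urandom(16)
    ct = keystream_xor(enc_key, nonce, json.dumps(config, sort_keys=True).encode())
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_config(blob: bytes, enc_key: bytes, mac_key: bytes) -> dict:
    """Verify the tag, then decrypt. Raises ValueError if the tag is wrong."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("config integrity check failed")
    return json.loads(keystream_xor(enc_key, nonce, ct))


def vpn_client_target(blob: bytes) -> tuple:
    """What the hypothetical app does with the payload it receives: open it with
    the embedded keys and connect to whatever server and certificate it names."""
    cfg = open_config(blob, APP_ENC_KEY, APP_MAC_KEY)
    return cfg["server"], cfg["cert_fingerprint"], cfg["username"], cfg["password"]


def mitm_rewrite(blob: bytes, attacker_server: str, attacker_fp: str) -> bytes:
    """The attacker in the path has the same keys (extracted from the APK), so
    they decrypt the captured payload, point it at their own server and re-seal
    it. The HMAC does not help: its key is embedded too, so the attacker produces
    a valid tag for the modified config."""
    cfg = open_config(blob, APP_ENC_KEY, APP_MAC_KEY)
    cfg["server"] = attacker_server
    cfg["cert_fingerprint"] = attacker_fp
    return seal_config(cfg, APP_ENC_KEY, APP_MAC_KEY)


def tag_rejected_with_other_key(blob: bytes, other_mac_key: bytes) -> bool:
    """True if the blob fails verification under a MAC key the attacker lacks.
    This only demonstrates that the tag protects against parties without the
    key; a symmetric key the client needs for verification is by definition
    in the app, so this is not a fix, just the contrast."""
    try:
        open_config(blob, APP_ENC_KEY, other_mac_key)
        return False
    except ValueError:
        return True


# Constructed sample of what a backend might send; every value is made up.
GENUINE_CONFIG = {
    "server": "vpn-node-01.example.net",
    "cert_fingerprint": "sha256:" + "5c" * 32,
    "username": "user-42",
    "password": "correct-horse-battery-staple",
}


def demo() -> dict:
    genuine_blob = seal_config(GENUINE_CONFIG, APP_ENC_KEY, APP_MAC_KEY)
    honest = vpn_client_target(genuine_blob)
    tampered_blob = mitm_rewrite(genuine_blob, "203.0.113.7", "sha256:" + "ab" * 32)
    hijacked = vpn_client_target(tampered_blob)   # accepted without complaint
    return {
        "honest_server": honest[0],
        "hijacked_server": hijacked[0],
        "credentials_handed_to_attacker": hijacked[2:],
    }


if __name__ == "__main__":
    print(demo())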