Major vulnerabilities found in top free VPN apps on Google Play store
Update (April 8): Google has removed the SuperVPN app from the Play store. You can read about it here.
Update (April 3): We shared our findings directly with Google through Google Play Security Reward Program – a vulnerability disclosure program on HackerOne, since we were unable to contact Super VPN’s developer directly. Google’s HackerOne program allows for disclosures of apps with more than 100 million downloads. On March 19, the team was able to confirm that the vulnerability was still present in the newest version of Super VPN.
We are currently working with Google to get in touch with the app developer to help fix the vulnerability. At this point, the app is still available on the Play store, gaining new installs every day and putting its users at risk.
SuperVPN Free VPN Client is one of the most popular free VPN apps you can find on the Google Play store, having gained more than 100 million installs already.
But besides being a very popular app, there’s something else you need to know about this free VPN: SuperVPN Free VPN Client is also very dangerous. Our analysis shows that this app has critical vulnerabilities that open it up to dangerous attacks known as man-in-the-middle (MITM) attacks. These vulnerabilities allow hackers to easily intercept all the communications between the user and the VPN provider, letting the hackers see everything the user is doing.
This is actually quite the opposite of what a VPN is supposed to do. A VPN is supposed to keep your online activities private and secure from all snooping eyes. In fact, a VPN is supposed to be so safe that, even if a hacker could intercept these communications, it would take them longer than the age of the universe to even begin to decrypt the data. But that’s not what SuperVPN has done here.
What this VPN app has done is to leave its users, people seeking extra privacy and security, to actually have less privacy and security than if they’d used no VPN at all.
The implications here are pretty dire. Based on our research, more than 105 million people could right now be having their credit card details stolen, their private photos and videos leaked or sold online, every single minute of their private conversations recorded and sent to a server in a secret location. They could be browsing a fake, malicious website set up by the hacker and aided by these dangerous VPN apps.
But what’s even worse is that this app isn’t alone: of the top VPN apps we analyzed, 10 free VPN apps have similar critical vulnerabilities. If you’ve installed any of these dangerous VPN apps, you should delete them immediately:
About this research
In order to undertake our analysis, we first developed a proof of concept for creating a man-in-the-middle (MITM) attack. We then looked at the top apps in Google Play that were returned when searching for the keyword “vpn” in January 2019. We first attempted our MITM attack on two top-10 VPNs – SuperVPN and Best Ultimate VPN – and then filtered and tested the remaining apps.
We disclosed these vulnerabilities to all 10 affected VPN apps in October 2019 and provided them with enough time to fix these issues. Unfortunately, only one of them, Best Ultimate VPN, answered and ultimately patched their app based on the information we provided within this 90-day period. The others did not respond to our queries.
We’ve also reported these vulnerabilities to Google, but so far haven’t heard anything back from them yet.
Key takeaways
- 10 of the top free VPN apps in the Google Play store have significant vulnerabilities, affecting nearly 120 million users
- These vulnerabilities allow hackers to easily intercept user communications, including seeing the visited websites and stealing usernames and passwords, photos, videos, and messages
- 2 apps use hard-coded cryptographic keys, and 10 apps are missing encryption of sensitive data. 2 of these apps suffer from both vulnerabilities.
- One app was already identified as malware, but never removed from the Play store, gaining 100 million installs in the meantime. In earlier research, we identified this app for potentially manipulating Google Play in order to rank highly and get more installs
- 4 of the affected apps are located in Hong Kong, Taiwan or mainland China
- Some apps have their encryption keys hard-coded within the app. This means that, even if the data is encrypted, hackers can easily decrypt this data with the included keys
- Because of the vulnerabilities, hackers can easily force users to connect to their own malicious VPN servers
Let’s take an in-depth look at one app to show what kind of vulnerabilities we found.
SuperVPN putting 100 million users at risk
SuperVPN is a highly popular Android VPN that was in position 5 for the “vpn” keyword at the time of our analysis. According to Google Play, the app has been downloaded more than 100 million times (in January 2019 it only had 50 million installs):
Just to show you how big of a number that is for any VPN, this is the same number of installs for much more popular apps like Tinder and AliExpress:
What we did
In our tests, we noticed that SuperVPN connects to multiple hosts, with some communications being sent via unsecured HTTP. This communication contained encrypted data. But after more digging, we found that the same communication also carried the key needed to decrypt that data.
What we found
After decrypting the data, we found sensitive information about SuperVPN’s server, its certificates, and the credentials that the VPN server needs for authentication. Once we had this information, we replaced the real SuperVPN server data with our own fake server data.
Who is behind SuperVPN?
SuperVPN and its developer SuperSoftTech have been in our sights before. Our previous research analyzed the few companies secretly behind many VPN products. From that, we know that SuperSoftTech claims to be based in Singapore, but it actually belongs to the independent app publisher Jinrong Zheng, a Chinese national likely based in Beijing.
We also discovered that SuperVPN had been called out before in a 2016 Australian research article [pdf] as being the third-most malware-rigged VPN app.
At that time, in 2016, SuperVPN had only 10,000 installs. Now, three years later, it already has more than 100 million installs. Surprisingly, even though multiple articles called out SuperVPN for containing malware, it still hasn’t been removed from the Play store.
This is only one example of vulnerabilities we found in all 10 apps listed in this article.
A reputation for manipulation
SuperVPN was discussed before in our earlier research on the potential manipulation tactics the top VPNs were using to seemingly rank higher in Google Play results.
In that research, we discovered that the top 10 results for the “vpn” keyword in Google Play were all free VPNs. They were ranking more highly than market leader VPNs, such as NordVPN and ExpressVPN. Our research discovered that these better-ranked apps seemed to be using three easy manipulation techniques to get such high rankings.
That means that SuperVPN by SuperSoftTech seems to not only be using manipulation techniques to rank highly in Google Play, but is also dangerously vulnerable.
We attempted to contact Mr. Zheng on multiple occasions, but we have not heard back from him.
There are many reliable VPN services that aren’t involved in Google Play manipulations. We recommend reading our VPN comparisons before you make up your mind and choose a trustworthy VPN service.
How MITM hackers penetrate VPN apps
In order to really understand how critical and dangerous these vulnerabilities are, you have to understand a little of how users normally connect to VPNs.
The exact process for VPNs can seem a bit complicated, but the connection is pretty simple.
Now, with a hacked VPN connection, there’s a MITM hacker who has positioned himself right in the middle, between your app and the VPN’s backend server:
And this is the dangerous part: by changing the details, he can now force you to connect to his malicious server instead of the real VPN server. While everything will appear to work normally, and you think that you’re being extra safe and secure, you’re actually being seriously exposed.
If you’re browsing the internet through his VPN server, he will be able to see all your communications: your private text and voice messages, your passwords, your photos and videos.
In total, your personal life is exposed, and it’s only limited by the hacker’s imagination what he can do with all that data.
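What the article describes above is a failure of config authenticity as much as of transport: the server address, certificate and credentials arrive in a blob whose own decryption key travels with it over plain HTTP, so anyone in the path can read it and swap in their own server details. The Go example below is added here and is not SuperVPN’s code or anything from the original article; it shows the check a VPN client should perform instead: accept a server config only over HTTPS and only if it carries a valid Ed25519 signature from a public key pinned in the app. The `ServerConfig` shape, its fields and the example.com hosts are assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"net/url"
)
// ServerConfig is a hypothetical shape for what the page says the app downloads:
// where to connect, the certificate to expect, and the credentials to present.
type ServerConfig struct {
	Endpoint   string `json:"endpoint"`
	CertSHA256 string `json:"cert_sha256"`
	Username   string `json:"username"`
	Password   string `json:"password"`
}

// SignConfig is the provider-side step; the private key never leaves the backend.
func SignConfig(priv ed25519.PrivateKey, cfg ServerConfig) (payload, sig []byte, err error) {
	if payload, err = json.Marshal(cfg); err != nil {
		return nil, nil, err
	}
	return payload, ed25519.Sign(priv, payload), nil
}

// VerifyConfig accepts a downloaded config only if it came over HTTPS and its
// Ed25519 signature checks against a public key compiled into the app. Unlike the
// hard-coded decryption key the page describes, an embedded public key cannot be
// used to forge or read anything, so a swapped endpoint or certificate is refused.
func VerifyConfig(fetchURL string, pub ed25519.PublicKey, payload, sig []byte) (*ServerConfig, error) {
	if u, err := url.Parse(fetchURL); err != nil || u.Scheme != "https" {
		return nil, errors.New("refusing config: not fetched over https")
	}
	if len(pub) != ed25519.PublicKeySize || !ed25519.Verify(pub, payload, sig) {
		return nil, errors.New("refusing config: bad signature, server data may have been replaced")
	}
	var cfg ServerConfig
	if err := json.Unmarshal(payload, &cfg); err != nil || cfg.Endpoint == "" || cfg.CertSHA256 == "" {
		return nil, errors.New("refusing config: malformed or missing endpoint/certificate pin")
	}
	return &cfg, nil
}
func main() { // demo key pair; a real app would ship only the public half
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	payload, sig, _ := SignConfig(priv, ServerConfig{Endpoint: "vpn.example.com:443", CertSHA256: "constructed-pin"})
	_, err := VerifyConfig("https://api.example.com/config", pub, payload, sig)
	println(err == nil) // true: an untampered, signed config fetched over https is accepted
}
```

The signature covers the whole payload, so changing the endpoint, the certificate pin or the credentials in transit is detected without the client having to trust the transport alone.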
What this means for your safety
This is a disastrous finding on two levels. In the broader sense, it’s disastrous that any app that handles user data would have these wide-open vulnerabilities that make it particularly easy for hackers and government agencies to monitor user communications.
In a more specific, and more dangerous, sense, it’s disastrous that a VPN would have these vulnerabilities. After all, users are connecting to VPNs in order to increase their privacy and security. For that reason, they’re more willing to transmit sensitive information on VPN apps than on other apps. For a VPN app to then be so vulnerable is a betrayal of users’ trust and puts them in a worse position than if they hadn’t used any VPN at all.
However, there could be something larger at play here. When looking at these apps together, there seem to be two essential possibilities:
- These core vulnerabilities are intentional for these free VPN apps. After all, since a successful MITM attack would give someone the ability to monitor sensitive user data or send phishing emails (or reroute users to fake VPN servers) without the user’s knowledge, that’s a useful tool for any surveillance-hungry organization or nation.
- On the other hand, we should probably not attribute to malice what can be explained by stupidity – or here, laziness. In simple terms, the app developers here are so focused on getting high amounts of users and stuffing their app with ads, that they placed lower priority on the core security features of their apps.
While one possibility may seem worse than another, at some point only the result matters: people using these vulnerable apps are putting their data – and possibly their lives – in danger.
Based on that essential fact alone, we highly recommend users avoid these vulnerable VPN apps at all costs. When looking for an effective VPN, we recommend users do their due diligence. Ask yourself the following questions:
- Do I know this VPN developer or brand? Do they seem trustworthy?
- Where is the VPN located? Is it in a privacy-friendly country?
- For mobile apps, what permissions are they requiring? Do they actually need those permissions to function (such as the camera, GPS, microphone)?
- Free is great – but can you trust this VPN? There are a few commendable free VPNs or VPNs with free options from reputable brands.
Taking an active role in filtering out the good VPNs from the bad ones will save users a lot of trouble later on. Here are a few tested VPNs: