Saturday, April 19, 2025
HomeAndroidMajor Vulnerabilities in Top Free Android VPN Apps Let Hackers Stealing Passwords,...

Major Vulnerabilities in Top Free Android VPN Apps Let Hackers Stealing Passwords, Photos, Messages From 120 Million Users

Published on

SIEM as a Service

Follow Us on Google News

Researchers discovered major vulnerabilities in several Free VPN apps for Android that allow attackers to perform dangerous Man-in-the-Middle Attacks and steal usernames, passwords, photos, videos, messages and more.

There are several VPN’s caught in this list that downloaded more than 120 million times from Google Play and the Free VPN called SuperVPN alone downloaded 100 million times.

In this list, SuperVPN gained a huge impression among the Android community, and it has been downloaded from nearly 150 countries.

- Advertisement - Google News

SuperVPN is developed by SuperSoftTech, a Singapore based company but it actually belongs to the independent app publisher Jinrong Zheng from China.

Users Traffic via Unencrypted Communication

Researchers tested the SuperVPN that connects the multiple hosts, in which several communications that contain sensitive encrypted data is being sent via unsecured HTTP.

Also, the communication contains a decryption key that required to decrypt the information while in transit, using the key, researchers were able to decrypt the data.

It leads to finding some of the sensitive data about SuperVPN’s server, its certificates, and the credentials that the VPN server needs for authentication.

This information enough to replace the real SuperVPN server data with fake server data by the attackers.

The Seriousness of the Vulnerabilities

By abusing the vulnerability, hackers will intercept the communication of the users, and accessing some of the most sensitive data including the visited websites and stealing usernames and passwords, photos, videos, and messages and more.

According to VPNpro Research “Some apps have their encryption keys hard-coded within the app. This means that, even if the data is encrypted, hackers can easily decrypt this data with the included keys “

App developers left some of the encryption keys hard-coded within the app that helps attackers to easily access the encrypted data and also force users to connect the malicious VPN servers and redirect the traffic to their own servers.

“At that time, in 2016, SuperVPN had only 10,000 installs. Now, three years later, it already has more than 100 million installs. Surprisingly, even though multiple articles called out SuperVPN for containing malware, it still hasn’t been removed from the Play store.” VPNPro said.

Follow us on Twitter, Linkedin, Facebook for Daily cyber security & hacking news updates.

Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Latest articles

How To Detect Obfuscated Malware That Evades Static Analysis Tools

Obfuscated malware presents one of the most challenging threats in cybersecurity today. As static...

How Security Analysts Detect and Prevent DNS Tunneling Attack In Enterprise Networks

DNS tunneling represents one of the most sophisticated attack vectors targeting enterprise networks today,...

How to Conduct a Cloud Security Assessment

Cloud adoption has transformed organizations' operations but introduces complex security challenges that demand proactive...

U.S DOGE Allegedly Breached – Whistleblower Leaked Most Sensitive Documents

A federal whistleblower has accused the Department of Government Efficiency (DOGE) of orchestrating a...

Resilience at Scale

Why Application Security is Non-Negotiable

The resilience of your digital infrastructure directly impacts your ability to scale. And yet, application security remains a critical weak link for most organizations.

Application Security is no longer just a defensive play—it’s the cornerstone of cyber resilience and sustainable growth. In this webinar, Karthik Krishnamoorthy (CTO of Indusface) and Phani Deepak Akella (VP of Marketing – Indusface), will share how AI-powered application security can help organizations build resilience by

Discussion points


Protecting at internet scale using AI and behavioral-based DDoS & bot mitigation.
Autonomously discovering external assets and remediating vulnerabilities within 72 hours, enabling secure, confident scaling.
Ensuring 100% application availability through platforms architected for failure resilience.
Eliminating silos with real-time correlation between attack surface and active threats for rapid, accurate mitigation

More like this

How To Detect Obfuscated Malware That Evades Static Analysis Tools

Obfuscated malware presents one of the most challenging threats in cybersecurity today. As static...

How Security Analysts Detect and Prevent DNS Tunneling Attack In Enterprise Networks

DNS tunneling represents one of the most sophisticated attack vectors targeting enterprise networks today,...

U.S DOGE Allegedly Breached – Whistleblower Leaked Most Sensitive Documents

A federal whistleblower has accused the Department of Government Efficiency (DOGE) of orchestrating a...