Tuesday, September 17, 2024
HomeAndroidMajor Vulnerabilities in Top Free Android VPN Apps Let Hackers Stealing Passwords,...

Major Vulnerabilities in Top Free Android VPN Apps Let Hackers Stealing Passwords, Photos, Messages From 120 Million Users

Published on

Researchers discovered major vulnerabilities in several Free VPN apps for Android that allow attackers to perform dangerous Man-in-the-Middle Attacks and steal usernames, passwords, photos, videos, messages and more.

There are several VPN’s caught in this list that downloaded more than 120 million times from Google Play and the Free VPN called SuperVPN alone downloaded 100 million times.

In this list, SuperVPN gained a huge impression among the Android community, and it has been downloaded from nearly 150 countries.

- Advertisement - EHA

SuperVPN is developed by SuperSoftTech, a Singapore based company but it actually belongs to the independent app publisher Jinrong Zheng from China.

Users Traffic via Unencrypted Communication

Researchers tested the SuperVPN that connects the multiple hosts, in which several communications that contain sensitive encrypted data is being sent via unsecured HTTP.

Also, the communication contains a decryption key that required to decrypt the information while in transit, using the key, researchers were able to decrypt the data.

It leads to finding some of the sensitive data about SuperVPN’s server, its certificates, and the credentials that the VPN server needs for authentication.

This information enough to replace the real SuperVPN server data with fake server data by the attackers.

The Seriousness of the Vulnerabilities

By abusing the vulnerability, hackers will intercept the communication of the users, and accessing some of the most sensitive data including the visited websites and stealing usernames and passwords, photos, videos, and messages and more.

According to VPNpro Research “Some apps have their encryption keys hard-coded within the app. This means that, even if the data is encrypted, hackers can easily decrypt this data with the included keys “

App developers left some of the encryption keys hard-coded within the app that helps attackers to easily access the encrypted data and also force users to connect the malicious VPN servers and redirect the traffic to their own servers.

“At that time, in 2016, SuperVPN had only 10,000 installs. Now, three years later, it already has more than 100 million installs. Surprisingly, even though multiple articles called out SuperVPN for containing malware, it still hasn’t been removed from the Play store.” VPNPro said.

Follow us on Twitter, Linkedin, Facebook for Daily cyber security & hacking news updates.

Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Latest articles

Creating An AI Honeypot To Engage With Attackers Sophisticatedly

Honeypots, decoy systems, detect and analyze malicious activity by coming in various forms and...

Key Russian Hacker Group Attacking Users With .NET Built Ransomware

The Russian ransomware group Key Group, active since early 2023, is targeting organizations globally,...

Chinese Hackers Charged for Multi-Year Spear-Phishing Attacks

Song Wu, a Chinese national, has been indicted on charges of wire fraud and...

Entro Security Labs Releases Non-Human Identities Research Security Advisory

Analysis of millions of real-world NHI secrets by Entro Security Labs reveals widespread, significant...

Free Webinar

Decoding Compliance | What CISOs Need to Know

Non-compliance can result in substantial financial penalties, with average fines reaching up to $4.5 million for GDPR breaches alone.

Join us for an insightful panel discussion with Chandan Pani, CISO - LTIMindtree and Ashish Tandon, Founder & CEO – Indusface, as we explore the multifaceted role of compliance in securing modern enterprises.

Discussion points

The Role of Compliance
The Alphabet Soup of Compliance
Compliance
SaaS and Compliance
Indusface's Approach to Compliance

More like this

Creating An AI Honeypot To Engage With Attackers Sophisticatedly

Honeypots, decoy systems, detect and analyze malicious activity by coming in various forms and...

Critical Vulnerabilities Impact Million of D-Link Routers, Patch Now!

Millions of D-Link routers are at risk due to several critical vulnerabilities. Security researcher...

Windows MSHTML Zero-Day Vulnerability Exploited In The Wild

Adobe released eight security updates in September 2024, addressing 28 vulnerabilities in various products,...