There are many reasons consumers choose to use a virtual private network (VPN) — from bypassing censorship rules to streaming TV shows and torrenting music.
Their primary assumption is that whatever they’re doing is done on a network that keeps their web browsing and personal data safe.
But this may not always be the case. Recent VPNpro research uncovers concern over the common use of malicious apps, including VPN apps, largely due to the fact that Google Play has failed to warn against or restrict download access in its store. (Learn more by reading: “Using a Free VPN? Not Really. You’re Most Likely Using a Data Farm.”)
SuperVPN — Not So Super or Private
This is one of the most popular free VPN apps on the Google Play store, with 100 million+ installs. However, every install signifies an unaware consumer whose data may be either at risk or already compromised.
VPN services are designed to keep your online activities private and secure from all prying eyes. It’s supposed to be so safe that even if a hacker could intercept data from the network, it would take them longer than the age of the universe to begin to decrypt it. But this may be more of a lofty goal than a reality for some VPN apps.
The research reveals critical vulnerabilities of the SuperVPN app, making it susceptible to dangerous man-in-the-middle (MITM) attacks, which allow hackers to intercept all communication between the user and the VPN provider — effectively negating the reason the user turned to a VPN in the first place.
What Are the Implications?
This research suggests that more than 105 million people are at risk for having their credit card details stolen, private photos and videos leaked or sold online, or private conversations recorded and sent to a secret server. They could be browsing malicious websites set up by hackers and aided by dangerous apps like SuperVPN. (Read Common Methods Hackers Are Using To Crack Your Cellular Phone.)
But it’s not just SuperVPN that’s problematic.
Of the top VPN apps analyzed by VPNpro, 10 free VPN apps appear to have critical vulnerabilities:
● SuperVPN Free VPN Client (100 million installs)
● TapVPN Free VPN (10 million installs)
● Best Ultimate VPN — Fastest Secure Unlimited VPN (5 million installs)
● Korea VPN — Plugin for OpenVPN (1 million installs)
● Wuma VPN-PRO (1 million installs)
● VPN Unblocker Free unlimited/best anonymous secure (1 million installs)
● VPN Download: Top, Quick & Unblock Sites (500,00 installs)
● Super VPN 2019 USA — Free VPN, Unblock Proxy VPN (50,000 installs)
It’s unclear if the vulnerabilities uncovered in these apps are a result of malicious intent or lazy app development. One thing is clear — if you’ve installed any of these VPN apps, you should delete them immediately.
And What is Google Play Doing About It?
SuperVPN was identified by multiple sources as malware more than three years ago. At the time, it had only amassed 10,000 installs. By being allowed to remain on the Google Play store, it has surpassed 100 million installs. (Read How to Find and Remove Camera Malware.)
That means 99,990,000 additional people are at risk for having their data compromised since the app was initially flagged. And, this number is climbing, as it is still available for download, as of the date of publication.
To make matters worse, VPNpro’s earlier research uncovered that the app may have been able to manipulate Google Play in order to rank highly and encourage more installs.
These issues point to one that is much larger and more alarming — that Google does a poor job filtering apps that they approve to the Google Play store.
Problematic Apps in the Google Play Store
One would assume that apps available in the official Google Play store have all been vetted, validated and approved to be safe. But, this is clearly not the case. And VPN apps aren’t the only problematic apps in the Google Play store.
The malware-infected Weather Forecast app harvested millions of users’ data and sent that to a server in China. It subscribed users to premium phone numbers, leading to high phone bill charges, and launched hidden browser windows in order to click on ads from certain web pages.
In 2017, the Indian government warned its army and paramilitary members to delete Virus Cleaner from their phones because the app was identified as spyware or other malware.
In 2018, default apps on Alcatel phones, developed by Shenzhen HAWK, were replaced by adware-riddled apps, frustrating users with excessive advertisements.
There are many more potentially dangerous apps. Until recently, all of these affected apps were available to download on Google Play. In an unprecedented move, Google decided to remove all Shenzhen HAWK apps from the Play store based on VPNpro’s in-depth research.
Malicious Intent — Or Something Else?
Google is a mammoth entity. It’s entirely fair to assume that the Google machine runs a bit more slowly because of its complexity.
One theory for Google’s delay in response and action is due to a desire to speak directly to the app developer, verify or refute claims, and work on fixes. It’s also plausible that Google is concerned about its bottom line and that risky apps with low install numbers (i.e. low revenue) are removed more quickly than risky apps with high install numbers.
As with most everything else, the truth probably lies somewhere in the middle.
How to Protect Yourself From Malicious Apps
Because Google hasn’t really succeeded in removing all dangerous apps from the Play store to protect Android VPN users, consumers must take matters into their own hands.
You can usually tell if your device has been affected by malware or adware when you notice significant changes in performance. If you’re unsure, check out this forum for more.
A few ways to protect yourself before an attack:
● Audit the apps you have on your phone or other devices with the question of whether or not you really need them or even use them on a frequent basis.
○ If they provide no real benefit, consider deleting them altogether.
○ if you don’t trust an app or clearly understand what data they’re collecting and why, delete!
● Check app reviews before downloading a new app.
● Run additional third-party malware scanners on top of what Google already provides.