Nearly two dozen VPN applications in Google Play contain security weaknesses impacting the privacy of their users, exposing transmitted data to decryption, a new Citizen Lab report shows.
Furthermore, the VPN providers that offer these applications can be linked to one another, although they claim to be separate entities and use various means to hide their true identities.
Starting from previous reports linking Innovative Connecting, Autumn Breeze, and Lemon Clove, three VPN providers claiming to be based in Singapore, to a Chinese national, Citizen Lab’s analysis identified additional connections between their applications, and linked other VPN apps and their providers.
According to Citizen Lab’s report (PDF), eight VPN applications from Innovative Connecting, Autumn Breeze, and Lemon Clove share code, dependencies, and hardcoded passwords, potentially allowing attackers to decrypt the traffic of their users. These apps have over 380 million combined downloads in Google Play.
All three companies, which were previously found to have ties with Qihoo 360, a Chinese cybersecurity firm that the US Commerce Department added to its Entity List in 2020, provide application layer VPN services and rely on the Shadowsocks protocol, which was designed to circumvent the Great Firewall of China.
Shadowsocks encrypts traffic with a symmetric key derived from a password shared by the server's clients, so its security depends entirely on that password staying secret. The apps undermine this by using deprecated stream ciphers and by hardcoding the password in the client, where anyone who extracts it can decrypt the traffic. Furthermore, the protocol's interaction with the operating system's connection tracking framework allows an attacker to take over connections.
The eight apps, namely Turbo VPN, Turbo VPN Lite, VPN Monster, VPN Proxy Master, VPN Proxy Master – Lite, Snap VPN, Robot VPN, and SuperNet VPN, support the IPsec and Shadowsocks protocols, show significant code overlaps, and implement mechanisms to deceive analysis and automated security checks.
All applications were found susceptible to connection interference and packet injection attacks, all collect user location information, use weak encryption, and contain a hardcoded password for Shadowsocks configuration.
Using the hardcoded password, Citizen Lab discovered that the three VPN providers offering these applications share the same infrastructure, further tightening the link between them.
Another group of providers, namely Matrix Mobile PTE LTD, ForeRaya Technology Limited, Wildlook Tech PTE LTD, Hong Kong Silence Technology Limited, and Yolo Mobile Technology Limited, could be linked through their use of the same protocols, code similarities, and obfuscation.
Their VPN clients, which have more than 380 million combined downloads, were found susceptible to connection interference attacks, contain obfuscated passwords, and connect to the same set of IP addresses.
Two other providers, Fast Potato Pte. Ltd and Free Connected Limited, offer VPN clients that rely on the same proprietary protocol implementation.
Citizen Lab also analyzed three applications from VPN Super Inc., Miczon LLC, and Secure Signal Inc., which appear to have no links to other VPNs, and which do not use obfuscation beyond ProGuard.
According to Citizen Lab, the security and privacy issues identified in the analyzed applications affect users in different ways, from the breach of trust and privacy caused by undisclosed location collection to exposure to traffic interception and tampering.
“The issues we identified affect users, providers, and app stores. At a minimum, VPN users who value privacy should avoid using Shadowsocks, including the apps from these developers, as Shadowsocks was not designed to facilitate privacy, merely censorship circumvention,” Citizen Lab notes.