Google has removed a popular Android VPN from the Play Store after vulnerabilities were discovered in the service that could allow hackers to redirect users to malicious servers.
SuperVPN – the offending service – has more than 100 million installs and featured among the top five VPN search results in Google’s app store before it was withdrawn.
The VPN contains vulnerabilities that open to door to man-in-the-middle (MITM) attacks, which can expose messages sent between the user and provider and – most critically – redirect users away from bonafide VPN servers.
Rigorous testing also revealed the app allows sensitive data to be delivered over insecure HTTP. While the information passed between the user and the backend is encrypted, the decryption keys are stored within the app itself, making them an easy target for hackers.
SuperVPN privacy concerns
SuperVPN has drawn criticism on multiple occasions over its suspicious practices, and the precise origin of the application remains unclear.
Its publisher SuperSoftTech is listed as Singapore-based, but an investigation into the app’s lineage reveals it is owned by Jinrong Zheng, an independent developer likely based in Beijing.
Zheng is also responsible for LinkVPN – which is ostensibly based in Hong Kong – and is connected with Shenyang Yiyuansu Network Technology, the app developer listed against SuperVPN on the Apple App Store.
SuperVPN was first identified as a security threat in 2016, when Australian researchers ranked it third in an analysis of the most malware-rigged VPN apps, suggesting the app has posed risks since it arrived on Google Play Store. At this point in time, it had been installed only 10,000 times.
The app’s user base has doubled from 50 to 100 million since January, in line with the significant uptick in worldwide VPN usage prompted by the ongoing pandemic, placing vast numbers of users at risk.
The surge in installs can also be attributed in part to manipulation of Google Play Store search rankings. The publisher reportedly flooded its page with a high volume of fake reviews from hidden users and generated illegitimate backlinks to secure an optimal position in the rankings.
The millions of SuperVPN users are advised to delete the application immediately.