Google has recently removed a shady Android VPN app from the Play Store. Identified as SuperVPN Free VPN Client, the app boasted 100 million installs and had vulnerabilities allowing man-in-the-middle (MiTM) attacks.
SuperVPN Free VPN Client Bugs
A couple of months ago, researchers from VPNpro shared a detailed study of various VPN apps on the Play Store exhibiting vulnerabilities. The most noteworthy of all was the SuperVPN Free VPN Client app, which exhibited shady behavior alongside security bugs. The researchers have now shared more details about this app. As revealed, the app not only had vulnerabilities allowing man-in-the-middle (MiTM) attacks; it also used blackhat SEO tactics to reach the top of the Play Store. Briefly, the app stores a hardcoded encryption key within itself, so anyone who extracts that key can decrypt all the data. It was also possible for an adversary to change the app’s data server.
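The two defects described above, a symmetric key shipped inside the client and a server endpoint that can be swapped by whoever sits on the path, are both things an app reviewer can look for in decompiled source before a release. The following heuristic scanner is an added example written for this article; it is not code from VPNpro, SuperSoftTech or the app itself. The sample source it scans is constructed, with a hypothetical package name and made-up literals, and the rule names and entropy threshold are the author's assumptions for a first-pass review.

```python
import math
import re

# Constructed sample of decompiled Android client source. Package, class and
# literals are hypothetical and not taken from the app discussed in the article.
SAMPLE_SOURCE = """\
package com.example.vpnclient;
public class Config {
    static final String CONFIG_URL = "http://config.example.invalid/servers";
    static final byte[] KEY = "8f3a91c2d4e5b6a7".getBytes();
    static final String cfg = "Zk7!qR2@vM9#bT4$wL6%";
    SecretKeySpec spec = new SecretKeySpec(KEY, "AES");
    String greeting = "Welcome to the VPN";
}
"""

# A string literal assigned to an identifier whose name suggests key material.
KEY_NAME_RE = re.compile(
    r'\b[A-Za-z_]*(?:KEY|SECRET|PASS|SALT|TOKEN)[A-Za-z_0-9]*\s*=\s*"([^"]*)"',
    re.IGNORECASE,
)
# Any string literal of 16+ characters; checked for entropy below.
STRING_LITERAL_RE = re.compile(r'"([^"]{16,})"')
# A SecretKeySpec built in code usually means a key baked into the binary.
KEYSPEC_RE = re.compile(r"new\s+SecretKeySpec\s*\(")
# A cleartext URL for server/config data lets an on-path party substitute the
# server list, which is the second weakness the article describes.
PLAIN_HTTP_RE = re.compile(r'"http://[^"]+"')


def shannon_entropy(text):
    """Bits of entropy per character of a string (0.0 for empty input)."""
    if not text:
        return 0.0
    counts = {}
    for ch in text:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan(source, entropy_threshold=4.0):
    """Return (line_no, rule, stripped_line) findings for one source file.

    The entropy threshold (assumed here, tune per code base) separates random
    key-like literals from ordinary prose; URL-like literals and literals with
    whitespace are excluded because they are high-entropy but not secrets.
    """
    findings = []
    for no, line in enumerate(source.splitlines(), start=1):
        stripped = line.strip()
        if KEY_NAME_RE.search(line):
            findings.append((no, "literal-assigned-to-key-name", stripped))
        else:
            for lit in STRING_LITERAL_RE.findall(line):
                if "://" in lit or " " in lit:
                    continue
                if shannon_entropy(lit) >= entropy_threshold:
                    findings.append((no, "high-entropy-literal", stripped))
                    break
        if KEYSPEC_RE.search(line):
            findings.append((no, "static-secretkeyspec", stripped))
        if PLAIN_HTTP_RE.search(line):
            findings.append((no, "plaintext-config-endpoint", stripped))
    return findings


if __name__ == "__main__":
    for line_no, rule, snippet in scan(SAMPLE_SOURCE):
        print(f"line {line_no}: {rule}: {snippet}")
```

Run against a decompiled tree, every `literal-assigned-to-key-name` or `static-secretkeyspec` hit is a candidate for the same failure the article describes: a key that every copy of the app shares and that anyone with the APK can recover. A `plaintext-config-endpoint` hit points at the server-substitution risk; the usual remedies are HTTPS with certificate pinning and a server list signed with a key whose private half never ships in the client.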
In addition, the app had no precise information regarding its owner, a clear violation of Google’s policy. The researchers informed Google of the matter via the Google Play Security Reward Program (GPSRP), following which Google confirmed that the vulnerabilities existed even in the latest version of SuperVPN. The researchers also tried contacting the app’s developer, SuperSoftTech.
However, with no response forthcoming, Google removed the shady Android VPN app SuperVPN Free VPN Client from the Play Store. Another app claiming to be the paid version of the VPN, from the same developers, still exists.