- A new study has found hidden links between 21 of the most downloaded VPN applications on the Google Play Store
- The VPN applications share security problems that could put users at risk
- It has also been found that some of these applications have undisclosed ties to Russia and China
Researchers have discovered hidden connections between almost two dozen apparently independent VPN applications, raising questions about transparency and trust.
The new academic study reveals three families of VPN clients that share code bases and infrastructure, even though nothing in the app stores indicates they are related.
The results point to shared security flaws in virtual private network (VPN) applications that have combined downloads of more than 700 million.
This lack of disclosure, affecting 21 of the 100 most downloaded VPN applications on the Google Play Store, gives consumers a false sense of choice when they download what they think are competing VPN services.
The findings muddy a VPN market in which users rely on providers being transparent about their ownership and operations in order to make an informed decision about which VPN is best to trust with their data.
Three Families of VPN Applications
The paper, Hidden Links: Analyzing Secret Families of VPN Apps, selected the 100 most downloaded VPN applications on the Google Play Store and narrowed them down to 50, some of which had already been found to have ties to Russia and China.
The authors, Benjamin Mixon-Baca (ASU/Breaking Bad), Jeffrey Knockel (Citizen Lab/Bowdoin College) and Jedidiah R. Crandall (Arizona State University), combined information from business filings and Android APKs to identify links between providers.
Three families of VPN providers were identified:
- Family A: Found to consist of Innovative Connection, Autumn Breeze and Lemon Nail, it was collectively responsible for eight VPN applications. These include Turbo VPN, VPN Proxy Master and Snap VPN, all sharing almost identical code, libraries and assets.
- Family B: Composed of Matrix Mobile, Forelay Technology and Wildlook Tech, among others, it is responsible for VPNs including Xy VPN, 3x VPN and Melon VPN. The VPNs were linked through their use of the same protocols and obfuscation, and their sharing of VPN IP addresses.
- Family C: Consisting of fast and limited potato free, it is behind Fast Potato VPN and X-VPN, which share the same implementation and obfuscation of the patented protocol.
Shared flaws and threats in VPN applications
The research uncovered several vulnerabilities that put users' security and privacy at risk. Specifically, the applications contained Shadowsocks credentials hard-coded in their APKs. Because the same password is widely reused, attackers who extract the credentials can decrypt user traffic.
The researchers identified several applications that use obsolete or insecure ciphers for Shadowsocks without adequate IV protection. For the less technical, this significantly reduces the effectiveness of the encryption, opening the door to decryption or other cryptographic attacks.
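An added example, not code from the study or from this article: a build-time audit that scans strings already extracted from an app package for embedded Shadowsocks profiles and reports the two problems described above without printing the password. The function names, source labels and sample profiles are constructed assumptions; the URI layouts follow the Shadowsocks SIP002 and legacy `ss://` formats.

```python
import base64
import re
from urllib.parse import unquote

# Shadowsocks AEAD methods; anything else is treated as a legacy stream cipher.
AEAD_METHODS = {"aes-128-gcm", "aes-192-gcm", "aes-256-gcm",
                "chacha20-ietf-poly1305", "xchacha20-ietf-poly1305"}
SS_URI = re.compile(r"ss://[A-Za-z0-9+/=_\-@:.%\[\]]+")

def _b64(text):  # standard or URL-safe base64, padded or not
    text = text.replace("-", "+").replace("_", "/")
    return base64.b64decode(text + "=" * (-len(text) % 4)).decode("utf-8")

def parse_ss_uri(uri):
    """Return (method, password, host:port) for a SIP002 or legacy ss:// URI."""
    body = uri[len("ss://"):]
    if "@" in body:                      # SIP002: userinfo@host:port
        userinfo, hostport = body.rsplit("@", 1)
        userinfo = unquote(userinfo)
        if ":" not in userinfo:          # userinfo is base64(method:password)
            userinfo = _b64(userinfo)
    else:                                # legacy: base64(method:password@host:port)
        userinfo, hostport = _b64(body).rsplit("@", 1)
    method, password = userinfo.split(":", 1)
    return method.lower(), password, hostport.rstrip("/")

def audit_strings(strings):
    """Flag embedded profiles, non-AEAD ciphers and passwords reused across sources."""
    findings, seen = [], {}
    for source, text in strings:
        for uri in SS_URI.findall(text):
            try:
                method, password, host = parse_ss_uri(uri)
            except ValueError:
                continue                 # matched the pattern but is not a profile
            issues = ["hard-coded credential"]
            if method not in AEAD_METHODS:
                issues.append("non-AEAD cipher " + method)
            if seen.setdefault(password, source) != source:
                issues.append("password shared with " + seen[password])
            findings.append((source, host, issues))  # password is never reported
    return findings

if __name__ == "__main__":
    # Constructed sample: two apps embedding the same password (not real data).
    legacy = base64.b64encode(b"aes-256-cfb:examplepass@192.0.2.10:8388").decode()
    sample = [("app_a/strings.xml", '<string name="p">ss://%s</string>' % legacy),
              ("app_b/config.json", '{"p": "ss://aes-256-gcm:examplepass@192.0.2.20:443"}')]
    print(*audit_strings(sample), sep="\n")
```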
It was also discovered that the three families of VPN applications were vulnerable to blind on-path attacks. This occurs when an attacker on the same network, such as public Wi-Fi, infers information about active connections, even with VPN tunnels in place.
App stores are not properly investigating VPNs
The study highlights the limitations of app store verification systems, which focus on detecting malware and privacy violations but do not verify who is behind a VPN's software or how it is built.
Although the three VPN families identified in the study account for more than 700 million downloads, the Google Play Store treated each application as an independent product. Google failed to catch coordinated attempts to hide overlapping ownership and shared security flaws.
The researchers acknowledge the challenge app stores face in investigating developers and identifying vulnerable software. They suggest that a security audit badge for VPN applications be made mandatory and raise the idea of an identity verification badge for developers.
Without stricter application verification measures, the same vulnerabilities discovered in the study will continue to spread unchecked, putting VPN users at risk.