- A new study has found hidden connections between 21 VPNs among the most downloaded VPN apps in the Google Play Store
- The VPN apps share security issues that can put users at risk
- Some of these apps have also been shown to have undisclosed ties with Russia and China
Researchers have revealed hidden connections between nearly two dozen seemingly independent VPN apps, raising questions about transparency and trust.
The new academic study reveals three families of VPN clients that share code bases and infrastructure, despite being presented as unrelated in app stores.
The results point to shared security flaws across virtual private network (VPN) apps that have combined downloads of over 700 million.
This lack of disclosure by 21 of the 100 most downloaded VPN apps in the Google Play Store gives consumers a false sense of choice when downloading what they think are competing VPN services.
The results muddy a VPN marketplace where users rely on providers being transparent about their ownership and operations to make an informed decision on which is the best VPN to trust with their data.
Three hidden VPN app families
The paper, Hidden Links: Analyzing Secret Families of VPN Apps, took the 100 most downloaded VPN apps in the Google Play Store and narrowed them to 50, some of which have already been shown to have ties with Russia and China.
The authors, Benjamin Mixon-Baca (ASU/Breakpointing Bad), Jeffrey Knockel (Citizen Lab/Bowdoin College) and Jedidiah R. Crandall (Arizona State University), combined information from business filings and Android APKs to identify relationships between providers.
Three families of VPN providers were identified:
- Family A: Consisting of Innovative Connecting, Autumn Breeze and Lemon Clove, this family was found to be collectively responsible for eight VPN apps. These include Turbo VPN, VPN Proxy Master and Snap VPN, all of which share almost identical code, libraries and assets.
- Family B: Comprising Matrix Mobile, ForeRaya Technology and Wildlook Tech, this family is responsible for VPNs including XY VPN, 3X VPN and Melon VPN. The VPNs were linked through their use of the same protocols and obfuscation, and their sharing of VPN IP addresses.
- Family C: Consisting of Fast Potato and Free Connected Limited, this family is behind Fast Potato VPN and X-VPN, which share the same proprietary protocol implementation and obfuscation.
Shared flaws and threats across VPN apps
The research discovered several vulnerabilities that put user security and privacy at risk. Specifically, apps contained hard-coded Shadowsocks credentials embedded in their APKs. With the same password recycled broadly, attackers who extract these credentials can decrypt user traffic.
Researchers identified several apps that use outdated or insecure Shadowsocks ciphers without proper IV protection. For the less technical out there, this significantly reduces the effectiveness of the encryption and opens the door to decryption or other cryptographic attacks.
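An added example, not taken from the study or this article: a build-audit check in Python that scans text pulled from an unpacked app for embedded Shadowsocks configurations and flags the two issues described above, a hard-coded password and a cipher outside an AEAD allow-list. The allow-list contents, the `scan` function name and the sample strings are assumptions constructed for illustration; the article does not name the ciphers the researchers found.

```python
import base64
import json
import re

# Assumption: allow-list of Shadowsocks AEAD method names; extend as needed.
# Any other method is reported, since legacy stream ciphers lack integrity.
AEAD = {"aes-128-gcm", "aes-192-gcm", "aes-256-gcm",
        "chacha20-ietf-poly1305", "xchacha20-ietf-poly1305"}
SS_URI = re.compile(r"(?<![A-Za-z])ss://([A-Za-z0-9+/_=-]+)")  # skips wss://
FLAT_JSON = re.compile(r"\{[^{}]*\}")

def _issues(method, password):
    issues = ["hard-coded password"] if password else []
    if method not in AEAD:
        issues.append("cipher not on AEAD allow-list")
    return issues

def scan(text):
    """Return [(kind, method, issues)] for each Shadowsocks config in text.
    The password itself is never returned, only that one is embedded."""
    found = []
    for m in SS_URI.finditer(text):
        blob = m.group(1)
        try:
            raw = base64.urlsafe_b64decode(blob + "=" * (-len(blob) % 4))
        except ValueError:
            continue  # not base64, so not a credential-bearing link
        method, sep, rest = raw.decode("utf-8", "replace").partition(":")
        if sep:
            password = rest.split("@", 1)[0]  # legacy form adds @host:port
            method = method.lower()
            found.append(("uri", method, _issues(method, password)))
    for m in FLAT_JSON.finditer(text):
        try:
            cfg = json.loads(m.group(0))
        except ValueError:
            continue  # brace-delimited text that is not JSON
        if "method" in cfg and "password" in cfg:
            method = str(cfg["method"]).lower()
            found.append(("json", method, _issues(method, cfg["password"])))
    return found

# Constructed sample: strings as they might sit in an app's bundled assets.
_b64 = base64.urlsafe_b64encode(b"aes-256-cfb:example-password").decode()
SAMPLE = ("ss://" + _b64.rstrip("=") + "@192.0.2.10:8388\n"
          '{"server": "192.0.2.20", "method": "chacha20-ietf-poly1305", '
          '"password": "example-password"}\n')

if __name__ == "__main__":
    for kind, method, issues in scan(SAMPLE):
        print(kind, method, issues)
```

Run it over the output of a string or asset extraction step in CI; any result with a non-empty issue list means the build ships a shared secret or a weak cipher setting.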
All three families of VPN apps also proved to be vulnerable to blind on-path attacks. This happens when an attacker on the same network, such as public Wi-Fi, infers information about active connections, even with VPN tunneling in place.
App stores aren't properly vetting VPNs
The study emphasizes the limitations of app store verification systems, which focus on malware detection and privacy violations but do not check who is behind VPN software or how it is built.
Although the three VPN families identified in the study account for more than 700 million downloads, the Google Play Store treated each app as an independent product. Google was unable to catch coordinated attempts to hide overlapping ownership and shared security flaws.
The researchers acknowledge the challenge app stores face in vetting developers and identifying vulnerable software. They suggest that a security audit badge for VPN apps become mandatory and raise the idea of an identity verification badge for developers.
Without stricter app verification measures, the same vulnerabilities uncovered in the study will continue to spread unchecked, putting VPN users at risk.



