- A new study found hidden links between 21 of the most downloaded VPN applications on the Google Play Store
- The VPN applications share security problems that could endanger users
- Some of these applications have also been shown to have undisclosed links with Russia and China
Researchers have discovered hidden links between nearly two dozen apparently independent VPN applications, raising questions about transparency and trust.
The new academic study reveals three families of VPN clients that share code bases and infrastructure, despite appearing unrelated in app stores.
The findings point to shared security flaws across virtual private network (VPN) applications with combined downloads of more than 700 million.
This lack of disclosure by 21 of the 100 most downloaded VPN applications in the Google Play Store gives consumers a false sense of choice when downloading what they believe to be competing VPN services.
The findings bear on a VPN market in which users rely on providers to be transparent about their ownership and their operations in order to make an informed decision about which VPN to trust with their data.
Three families of hidden VPN applications
The paper, Hidden Links: Analyzing Secret Families of VPN Applications, selected the 100 most downloaded VPN applications on the Google Play Store and narrowed them down to 50, some of which had already been found to have links with Russia and China.
The authors, Benjamin Mixon-Baca (ASU / Breakpointing Bad), Jeffrey Knockel (Citizen Lab / Bowdoin College) and Jedidiah R. Crandall (Arizona State University), combined information from business filings and Android APKs to identify the links between providers.
Three families of VPN providers have been identified:
- Family A, composed of Innovative Connection, Autumn Breeze and Lemon Clove, was found to be collectively responsible for eight VPN applications. These include Turbo VPN, VPN Proxy Master and Snap VPN, all sharing code, libraries and nearly identical assets.
- Family B, composed of Mobile Matrix, Foreraya Technology and Wildlook Tech, among others, is responsible for VPNs including XY VPN, 3x VPN and Melon VPN. The VPNs were linked by their use of the same protocols and obfuscation, and by shared VPN IP addresses.
- Family C, which consists of rapid and limited free potato, is behind the VPN of the rapid potato and the X-VPN, and shares the same implementation and obfuscation of the proprietary protocol.
Shared defects and threats to VPN applications
The research uncovered several vulnerabilities that endanger user security and privacy. Most notably, the applications contained hard-coded Shadowsocks credentials embedded in their APKs. Because the same password is widely reused, attackers who extract it can decrypt user traffic.
Researchers have identified several applications using obsolete or insecure ciphers for appropriate IV Shadowsocks. For the less technical, this considerably reduces the effectiveness of the encryption, opening the door to decryption or other cryptographic attacks.
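Why a password shared across builds matters, as an added example (not code from the study or from any of the apps): Shadowsocks derives its key from the password alone, and the per-session salt is sent in the clear, so identical embedded passwords give identical keys. The package names, passwords and the `audit` helper are constructed for illustration, and `rc4-md5` stands in for a legacy stream cipher.

```python
import hashlib
import hmac
from collections import defaultdict

# Shadowsocks AEAD methods and key sizes; other methods are legacy stream ciphers.
AEAD_KEY_LEN = {"aes-128-gcm": 16, "aes-192-gcm": 24,
                "aes-256-gcm": 32, "chacha20-ietf-poly1305": 32}

def master_key(password: str, key_len: int) -> bytes:
    """EVP_BytesToKey-style MD5 chain: the key depends on the password alone."""
    out, block = b"", b""
    while len(out) < key_len:
        block = hashlib.md5(block + password.encode()).digest()
        out += block
    return out[:key_len]

def session_subkey(key: bytes, salt: bytes) -> bytes:
    """AEAD session key: HKDF-SHA1(key, salt, "ss-subkey"); the salt is not secret."""
    prk = hmac.new(salt, key, hashlib.sha1).digest()
    okm, t, i = b"", b"", 1
    while len(okm) < len(key):
        t = hmac.new(prk, t + b"ss-subkey" + bytes([i]), hashlib.sha1).digest()
        okm, i = okm + t, i + 1
    return okm[:len(key)]

def audit(configs):
    """Flag legacy ciphers and apps whose embedded password yields the same key."""
    weak, by_key = [], defaultdict(list)
    for c in configs:
        if c["method"] not in AEAD_KEY_LEN:
            weak.append(c["app"])
        # Report a fingerprint of the derived key, never the password itself.
        fp = hashlib.sha256(master_key(c["password"], 32)).hexdigest()[:12]
        by_key[fp].append(c["app"])
    shared = [sorted(apps) for apps in by_key.values() if len(apps) > 1]
    return {"weak_cipher": weak, "shared_key": shared}

# Constructed sample configs (hypothetical package names and passwords).
SAMPLE = [
    {"app": "com.example.vpn.one", "method": "rc4-md5", "password": "constructed-pw-1"},
    {"app": "com.example.vpn.two", "method": "aes-256-gcm", "password": "constructed-pw-1"},
    {"app": "com.example.vpn.three", "method": "chacha20-ietf-poly1305",
     "password": "constructed-pw-2"},
]

if __name__ == "__main__":
    print(audit(SAMPLE))
```

Nothing per-user or per-install enters either derivation, which is why the remedy is a unique credential provisioned per user at runtime rather than a value shipped in the APK.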
All three families of VPN applications also proved vulnerable to blind on-path attacks. These occur when an attacker on the same network, such as public WiFi, infers information about active connections even with the VPN tunnel in place.
App stores do not properly vet VPNs
The study highlights the limits of app store vetting systems, which focus on detecting malicious software and privacy violations but do not check who is behind a VPN's software or how it is built.
Although the three VPN families identified in the study account for more than 700 million downloads, the Google Play Store treated each application as an independent product. Google failed to catch coordinated attempts to hide overlapping ownership and shared security flaws.
The researchers acknowledge the challenges that app stores face in verifying developers and identifying vulnerable software, suggesting that the security audit badge for VPN applications be made mandatory and raising the idea of an identity verification badge for developers.
Without stricter app verification measures, the same vulnerabilities discovered in the study will continue to spread unchecked, endangering VPN users.