Google had to pull an Android VPN app with more than 100 million installs from the Play Store after users urged its removal. It was deleted because a serious vulnerability had been discovered in it.
A VPN, or Virtual Private Network, is a secured network that lets users create encrypted connections which hide their IP address and route their traffic to the Internet through the provider's servers. A VPN acts as a protective tunnel for internet users and allows them to stay secure when using untrusted public and local connections. SuperVPN was one of those VPNs that was supposed to maintain a secure network and keep intruders and cyber-attacks out. However, it was claimed that the SuperVPN app, with over 100 million installs, enabled intruders to insert themselves between the VPN service and the user. This was a critical vulnerability, and the app was taken down by Google from the Google Play Store.
The vulnerability in SuperVPN was discovered in October 2019 by VPNPro and was reported to Google in February 2020. It was discovered that SuperVPN was open to man-in-the-middle (MITM) attacks. VPNPro found that the flaw allowed cyber attackers and malicious users to intercept all communications between SuperVPN and the users of the app. This meant that all of a user's activity was visible to the attackers and could be redirected to malicious servers. It was a serious flaw in SuperVPN that prompted calls for all users to delete the app, as it was no longer secure and could not be relied on for communications.
VPNPro, a competing VPN service and a company that reviews VPN products, conducted research that claimed millions of users were exposed to data leakage and cyber risks. By using SuperVPN, they could have their images leaked, personal or confidential conversations recorded, and bank details stolen. All of this was possible because SuperVPN's unsecured communication contained both the encrypted data and the keys needed to decrypt it.
In simple terms, SuperVPN, instead of giving users extra security and privacy, gave them less security and privacy than users with no VPN at all. According to VPNPro's review, it was sending all the encrypted data along with its decryption key. An attacker could easily connect the user to a fake server. This would have revealed all of the user's data, including confidential information such as passwords, login credentials, and conversations. Decrypting the data revealed the certificates and authentication credentials, along with all the details of SuperVPN's server. VPNPro replaced that data with its own to demonstrate the attack.
The developer of SuperVPN was SuperSoft Tech, based in Beijing, China. After VPNPro discovered this serious vulnerability in SuperVPN in October 2019, it notified the developer, who did not respond. VPNPro then brought the matter to the attention of the GPSRP (Google Play Security Reward Program). The Google Play Store team also tried to contact SuperSoft Tech but could not get a response either. Therefore, this VPN service with more than 100 million users was removed from the Play Store by the GPSRP on 7 April 2020.
SuperVPN had previously been flagged for vulnerabilities in 2016, in a research paper on the risks of Android VPN services. However, it is not the only VPN identified as having critical vulnerabilities. Several other VPNs have been identified by VPNPro, yet some of them are still available for installation on the Google Play Store.