No free lunch with free Android VPN apps, CSIRO finds

If you installed a free Android VPN app to view geo-blocked content on your phone, there is a substantial chance it was tracking you, or even carrying malware, according to new research.

A VPN, or virtual private network, whether on a PC or a phone, should add security and privacy by tunneling your traffic, encrypted, between your device and an intermediary server that then connects to the website you want to reach. The website, and anyone watching it, sees only the address of the VPN server; anyone on your local network, such as the operator of a public Wi-Fi hotspot, sees only encrypted traffic to that server. That is a genuine gain, but only if the VPN provider is trustworthy, because the provider now sees everything the local network used to see.

However, many Android apps that promote VPN functionality on Google's Play Store don't live up to their promise, according to research by computer scientists at UNSW, the University of California Berkeley, and Data61, a research unit in Australia’s CSIRO that announced the research on Tuesday. Worse, many of these apps also contain malware or tracking code.

The project looked at 293 Android VPN apps and found that 75 percent contained third-party ad-tracking libraries. And 38 percent were flagged as malicious by at least one of the antivirus engines behind VirusTotal, the Google-owned service that scans submitted files with dozens of such engines. All of these apps had at least a four-star rating on Google Play, so an app’s store reputation is not a reliable indicator of its security.

The researchers write: “We analyze the public user reviews available on Google Play for all the VPN apps to sense whether their users are aware of possible malicious activities in their apps. Our analysis reveals that only a marginal number of VPN users have publicly raised any security and privacy concerns in their app reviews.”

The researchers did, however, single out a subset, 4 percent of the analysed apps, that VirusTotal’s engines rated as most likely to be either adware or a trojan. These included OkVPN, EasyVPN, SuperVPN, Betternet, CrossVPN, Archie VPN, Hat VPN, sFly Network Booster, OneClick VPN, and Fast Secure Payment.

The research also found that 16 percent of the apps were likely to forward traffic through other users’ devices rather than through a cloud-hosted server maintained by the provider. It also notes that “18% of the apps do not mention the entity hosting the terminating VPN server.” The same proportion ran the VPN tunnel without any encryption at all, and the picture was worse still for IPv6 traffic.

“Approximately 84% and 66% of the analyzed VPN apps do not tunnel IPv6 and DNS traffic through the tunnel interface respectively due to lack of IPv6 support, misconfigurations or developer-induced errors. Both the lack of strong encryption and traffic leakages can ease online tracking activities performed by in-path middleboxes (e.g., commercial WiFi access points harvesting user’s data) and by surveillance agencies.”
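The leak test the study describes comes down to one question per packet: did it leave the phone through the VPN’s tunnel interface, or through the real Wi-Fi interface? The following is an added example, not code from the study or this article, that classifies constructed flow records of the kind one could derive from a packet capture taken on the device with a VPN app running. The interface name `tun0`, the VPN endpoint address and the sample flows are all assumptions for illustration.

```python
"""Classify VPN-app traffic by whether it actually went through the tunnel.

Added example, not code from the CSIRO/UNSW study or the article. It works
on constructed flow records of the kind one could derive from a packet
capture taken on the phone while a VPN app is active. The interface name
"tun0", the VPN endpoint address and the flows themselves are assumptions.
"""
from collections import Counter
from dataclasses import dataclass
from ipaddress import ip_address

TUN_IFACE = "tun0"                          # interface the app's VpnService created (assumed name)
VPN_ENDPOINT = ip_address("203.0.113.10")   # assumed VPN server, RFC 5737 documentation range


@dataclass(frozen=True)
class Flow:
    iface: str   # interface the packets were observed on
    dst: str     # destination IP address
    dport: int   # destination port
    proto: str   # "tcp" or "udp"


def classify(flow: Flow) -> str:
    """Label one flow.

    tunneled       - left via the tun interface, i.e. inside the VPN
    vpn_transport  - the carrier traffic to the VPN server itself, which is
                     expected on the physical interface
    dns_leak       - a DNS query that bypassed the tunnel
    ipv6_leak      - IPv6 traffic that bypassed the tunnel
    ipv4_leak      - any other traffic that bypassed the tunnel
    """
    if flow.iface == TUN_IFACE:
        return "tunneled"
    dst = ip_address(flow.dst)
    if dst == VPN_ENDPOINT:
        return "vpn_transport"
    # DNS is checked before the address family: a leaked IPv6 DNS query is
    # first and foremost a DNS leak.
    if flow.dport == 53:
        return "dns_leak"
    if dst.version == 6:
        return "ipv6_leak"
    return "ipv4_leak"


def leak_report(flows) -> dict:
    """Count flows per label; anything but tunneled/vpn_transport is a leak."""
    return dict(Counter(classify(f) for f in flows))


def verdict(flows) -> dict:
    """The two leak types the study measured, as booleans, plus the raw counts."""
    report = leak_report(flows)
    return {
        "dns_leak": report.get("dns_leak", 0) > 0,
        "ipv6_leak": report.get("ipv6_leak", 0) > 0,
        "counts": report,
    }


# Constructed capture: one app's traffic during a browsing session with the VPN on.
SAMPLE_FLOWS = [
    Flow("wlan0", "203.0.113.10", 1194, "udp"),   # carrier traffic to the VPN server
    Flow("tun0", "198.51.100.7", 443, "tcp"),     # HTTPS correctly inside the tunnel
    Flow("tun0", "198.51.100.7", 80, "tcp"),      # HTTP inside the tunnel
    Flow("wlan0", "192.0.2.53", 53, "udp"),       # DNS to the Wi-Fi network's resolver: leak
    Flow("wlan0", "2001:db8::1", 443, "tcp"),     # IPv6 HTTPS straight out over Wi-Fi: leak
]

if __name__ == "__main__":
    print(verdict(SAMPLE_FLOWS))
```

The classification only answers the routing question. It cannot tell whether the `vpn_transport` flows are actually encrypted, which the study found 18 percent of apps skipped; that needs inspection of the carrier protocol itself.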

Though VPN apps are a fraction of the 1.4 million Android apps available on Google Play at the time of the study, 16 percent of the VPN apps had been downloaded by at least one million users.

All of the VPN apps declare the Android permission BIND_VPN_SERVICE, which gates the VpnService API Google added to the OS in 2011. The API hands the app a virtual network interface through which every packet the device sends is routed, so a legitimate client can tunnel that traffic to its server, but a dishonest one can just as easily inspect, log or redirect it: the same mechanism that can help users stay private online is an ideal vantage point for harvesting their data. The researchers note that adoption of the permission grew roughly tenfold in the two years after the API appeared.
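The study identified its 293 apps by looking for the BIND_VPN_SERVICE permission in their manifests. As an added example, not code from the study or the article, the script below performs that same triage on a manifest: it finds the service that implements the VPN, checks that the service is actually guarded by the permission (which exists so that only the system can bind to it), and lists any requested permissions a VPN client has no obvious need for. The two manifests, the package and class names, and the `SUSPICIOUS` permission list are constructed for illustration.

```python
"""Triage an Android manifest for the VPN permission and the service it guards.

Added example, not code from the study or the article. The two manifests
below are constructed; the package and class names and the SUSPICIOUS set
are editorial assumptions, not a list taken from the paper.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
VPN_PERMISSION = "android.permission.BIND_VPN_SERVICE"
VPN_ACTION = "android.net.VpnService"

# Permissions a VPN client has no obvious need for. Pairing the VPN
# permission with these proves nothing by itself, but it is a reason to look
# harder. (Assumed list for illustration.)
SUSPICIOUS = {
    "android.permission.READ_CONTACTS",
    "android.permission.READ_SMS",
    "android.permission.READ_CALL_LOG",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.GET_ACCOUNTS",
}


def _attr(elem, name):
    """Read an android:-namespaced attribute such as android:name."""
    return elem.get(f"{{{ANDROID_NS}}}{name}")


def vpn_services(manifest_xml: str) -> list:
    """Services that implement a VPN: protected by BIND_VPN_SERVICE and/or
    advertising the android.net.VpnService action. A service with the action
    but without the permission is misdeclared, since the permission is what
    restricts binding to the system."""
    root = ET.fromstring(manifest_xml)
    found = []
    for svc in root.iter("service"):
        actions = {_attr(a, "name") for a in svc.iter("action")}
        guarded = _attr(svc, "permission") == VPN_PERMISSION
        if guarded or VPN_ACTION in actions:
            found.append({"name": _attr(svc, "name"), "guarded": guarded,
                          "has_vpn_action": VPN_ACTION in actions})
    return found


def requested_permissions(manifest_xml: str) -> set:
    """All <uses-permission> names the app asks for at install time."""
    root = ET.fromstring(manifest_xml)
    return {_attr(p, "name") for p in root.iter("uses-permission")}


def triage(manifest_xml: str) -> dict:
    services = vpn_services(manifest_xml)
    perms = requested_permissions(manifest_xml)
    return {
        "is_vpn_app": bool(services),
        "misdeclared_services": [s["name"] for s in services if not s["guarded"]],
        "suspicious_permissions": sorted(perms & SUSPICIOUS),
    }


# Constructed manifest: correctly declared VPN service that also asks for
# the user's contacts and precise location.
GREEDY_VPN = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.freevpn">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <application>
    <service android:name=".TunnelService"
             android:permission="android.permission.BIND_VPN_SERVICE">
      <intent-filter>
        <action android:name="android.net.VpnService"/>
      </intent-filter>
    </service>
  </application>
</manifest>"""

# Constructed manifest: VPN action advertised without the guarding permission.
UNGUARDED_VPN = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.sloppyvpn">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application>
    <service android:name=".OpenTunnel">
      <intent-filter>
        <action android:name="android.net.VpnService"/>
      </intent-filter>
    </service>
  </application>
</manifest>"""

if __name__ == "__main__":
    for manifest in (GREEDY_VPN, UNGUARDED_VPN):
        print(triage(manifest))
```

On a real APK the manifest is stored in a binary XML encoding and has to be decoded first (tools such as apktool or aapt do this); the parsing above assumes it has already been converted to plain XML.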
