New Android VPN Vulnerability Enables VPN Bypass And Data Theft
The experiment has shown that the vulnerability is not in the VPN connection but in Android itself. As an internet security provider, we consider it our duty to keep you updated on every new development in the world of the internet.
Israeli researchers from Ben Gurion University (BGU) have recently discovered a flaw in Android that can be used to bypass VPN security and intercept communication in plain text.
One of the BGU members, Mr. Dudu Mimran, said:
“This vulnerability enables malicious apps to bypass active VPN configuration (no ROOT permissions required) and redirect secure data communications to a different network address. These communications are captured in CLEAR TEXT (no encryption), leaving the information completely exposed. This redirection can take place while leaving the user completely oblivious, believing the data is encrypted and secure.”
The team of BGU researchers behind the discovery of this major security flaw in Android is the same one that discovered a flaw with Samsung Knox a few weeks later. The researchers claim that the vulnerability allows a malicious app to bypass the VPN configuration without requiring any root permission. If exploited, the vulnerability allows data to be captured in plain text, leaving the information completely exposed to misuse.
The researchers examined the vulnerability on a number of Android smartphones with multiple VPN providers and found the same result. During the experiment, they also found that traffic passing through an SSL/TLS connection can be captured but remains encrypted, so it is not collected in plain text.
Note that the tests were conducted with a properly configured, well-reputed VPN provider over Wi-Fi hotspots. An attacker PC connected to the same Wi-Fi hotspot as the targeted Android device then captures the redirected communication.
The Good News
The good news is that, to exploit this vulnerability, a malicious app that diverts the VPN traffic needs to be installed. This was also tested by the CTO of BGU, Dudu Mimran. Mr. Mimran has shown that a special app has to be installed to cause the diversion of secure traffic. Hence, as responsible users of Android-based devices, we need to trust only authentic apps from the Google Play Store and completely ignore apps that look suspicious or offer something too good to be true!
Google has already been informed of the flaw by email, and we are all very eager to see an update regarding the Android VPN vulnerability. Unfortunately, many days have passed and we are yet to see any response.
Android is a major step towards an ethical, user-controlled, free-software portable phone, but there are many unidentified apps on Google Play. Stay away from them!
To further confirm the news and keep you posted on such vulnerabilities, PureVPN is running research experiments of its own. We will keep you updated with all the new developments on the internet privacy and security front. Until then, stay blessed and keep smiling.