A serious new warning has been issued for Android users to check for a “very dangerous” app that has now been installed 100 million times. In the past, the app has been accused of hiding malicious spyware. Now it has been implicated in a data breach that impacts millions of users. If it’s on your phone, delete it immediately.
So, here we go again. An app that promises to “protect your privacy and keep you safe” has been found to be doing the exact opposite. And this isn’t the first time it has been flagged as “very dangerous.” Last year, one technical reviewer warned that “it raises so many red flags, it's impossible to recommend for even the simplest of tasks.”
We are talking about SuperVPN, of course, a suite of free and paid apps that prompted two separate security warnings last year. First, VPNpro warned that “more than 105 million people could have their credit card details stolen, their private photos and videos sold online and their private conversations recorded.” And, just a few weeks later, that the app “allows hackers to intercept communications between the user and the provider, and even redirect users to a hacker’s malicious server.”
VPNs are intended to create a secure tunnel between your device and the internet, routing your traffic through the VPN’s server to disguise your location and your online activity. Such apps have become much more popular in recent years, with greater awareness of privacy and security, as well as protests around the world. But, as with all apps, you need to take care before you select one to install on your phone.
On Friday, the research team at CyberNews warned that “a user on a popular hacker forum is selling three databases that purportedly contain user credentials and device data stolen from three different Android VPN services... SuperVPN, considered as one of the most popular (and dangerous) VPNs on Google Play with 100 million installs, as well as GeckoVPN (10 million installs) and ChatVPN (50,000 installs).”
According to CyberNews, the breach contained details of some 21 million users, with data that includes names, email addresses and usernames; payment data and even device details. The researchers also claim that the breach includes access logs—with IP addresses collected when users log into the service. Putting malware and breached data aside, collecting location data logs is a major red flag for a VPN.
CyberNews only reviewed a sample of the breached data that has been put up for sale. “Not all data has been shared,” the research team told me, “but from the sample data we can see that at least devices are being logged and assigned by what devices every user uses, with not only device type but IMSI numbers etc.”
Check your phone for the app, and if you find it, delete it. “It’s also worth mentioning,” CyberNews told me, “that there are at least six other apps similar to SuperVPN, with identical descriptions and logos from different creators on Google Play store.”
If you want to install a VPN, select one from a well-known developer, and check reviews (outside the Play Store) to confirm there are no obvious issues. You also need to avoid free apps—they’re free for a reason. Last year, VPNpro examined the top ten free VPNs on the Play Store and found that those “very dangerous” apps all have “critical vulnerabilities.” All ten apps, it reported, also had encryption shortfalls, undermining their value as VPNs regardless of any other issues.
“In our tests,” VPNpro said of SuperVPN at the time, “we noticed that it connects with multiple hosts, with some communications being sent via unsecured HTTP. This contained encrypted data. But after more digging, we found that this communication actually contained the key needed to decrypt the information.”
Last year, VPNpro said that it is “surprised Google allows such a major app with at least 100 million installs to remain on the Play store with such a glaring vulnerability.” SuperVPN’s free app was removed from Play Store by Google in April last year. Now, though, it has returned. Android users beware—according to CyberNews, the best advice for users is to “delete their account and switch to a reputable VPN provider.”
It’s hard to understand how SuperVPN has managed to get back onto the Play Store given its history—I have asked Google for its reasoning. I also asked the developer behind SuperVPN for comment ahead of publishing. But, having done the same twice before, and with no response either time, I doubt I will be updating this story.
Warnings about SuperVPN date back to 2016, but the app continues to thrive. Perhaps that is because it has also been accused of manipulating Play Store search results. “Any app that can get within the top ten search results,” VPNpro says, “will get large numbers of installs and users, as well as significant revenue from subscription fees or ads.” And now, with this new report, the alarming issues with SuperVPN continue to stack up.
You have been warned.