New Research Reveals Security Vulnerabilities Linked to Popular VPN Apps

Researchers have uncovered deceptive practices among major VPN providers, linking seemingly independent entities into three distinct “families” with combined Google Play Store downloads exceeding 700 million.

By analyzing business filings, APK artifacts, and network communications, the team identified clusters of providers that obfuscate their common ownership, often claiming Singapore-based operations while tied to Chinese entities, including connections to sanctioned firms like Qihoo 360.

This lack of transparency not only erodes user trust but also correlates with widespread security vulnerabilities, such as shared cryptographic credentials that compromise data privacy.

Shared Flaws in VPN Ecosystems

The study builds on prior investigations by VPN Pro and the Tech Transparency Project, introducing novel methods like extracting hard-coded Shadowsocks passwords from APKs to decrypt traffic and confirm infrastructure sharing.

For instance, Family A, encompassing providers like Innovative Connecting, Autumn Breeze, and Lemon Clove, operates apps including Turbo VPN and VPN Proxy Master. These apps reuse code bases and servers, enabling attackers to freeload on the infrastructure or enumerate additional endpoints.

[Figure: references to the multiple VPN applications]

Similarly, Families B and C exhibit code similarities, proprietary protocols, and protocol weaknesses that expose users to eavesdropping and connection inference attacks.

Delving into the technical details, the research highlights critical flaws in VPN protocols across these families, particularly in network-layer and application-layer implementations.

Network-layer VPNs, such as those using IPsec or OpenVPN, are prone to blind in/on-path attacks, where adversaries can infer or hijack connections without decrypting the tunnel, exploiting loose source address validation on mobile devices.

Implications for User Security

Application-layer proxies like Shadowsocks, prevalent in all analyzed families, suffer from deprecated ciphers (e.g., rc4-md5) that provide no integrity check, which enables decryption-oracle attacks through which an attacker can recover plaintext.
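To make the missing-integrity point concrete, the following added example (written for this page, not code from the research or from any of the VPN apps) models an rc4-md5-style stream cipher in pure Python and shows two things: a single flipped ciphertext byte is decrypted silently into a different plaintext, and the same modification is rejected once an authentication tag is attached. The per-connection key derivation `MD5(master_key || iv)` is a simplified model of the Shadowsocks rc4-md5 construction, the HTTP header is a constructed sample, and the encrypt-then-MAC wrapper stands in for a real AEAD mode such as aes-256-gcm.

```python
import hashlib
import hmac
import os


def rc4_keystream(key: bytes, n: int) -> bytes:
    """Standard RC4 key scheduling plus n bytes of keystream."""
    S = list(range(256))
    j = 0
    for i in range(256):                       # KSA
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for _ in range(n):                         # PRGA
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def rc4md5_encrypt(master_key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    # Simplified model of rc4-md5: per-connection RC4 key = MD5(master_key || iv).
    # There is no tag, so nothing ties the ciphertext to the sender.
    k = hashlib.md5(master_key + iv).digest()
    return iv + xor(plaintext, rc4_keystream(k, len(plaintext)))


def rc4md5_decrypt(master_key: bytes, data: bytes) -> bytes:
    iv, ct = data[:16], data[16:]
    k = hashlib.md5(master_key + iv).digest()
    return xor(ct, rc4_keystream(k, len(ct)))


def etm_encrypt(master_key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    # Encrypt-then-MAC as a stand-in for an AEAD cipher. (A real design would
    # derive a separate MAC key instead of reusing master_key.)
    ct = rc4md5_encrypt(master_key, iv, plaintext)
    return ct + hmac.new(master_key, ct, hashlib.sha256).digest()


def etm_decrypt(master_key: bytes, data: bytes) -> bytes:
    ct, tag = data[:-32], data[-32:]
    expected = hmac.new(master_key, ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("authentication failed: ciphertext was modified")
    return rc4md5_decrypt(master_key, ct)


# Constructed sample of what a proxied request looks like before encryption.
SAMPLE_REQUEST = b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n"


def tamper_unauthenticated(master_key: bytes) -> bytes:
    """Flip one ciphertext byte; the stream cipher decrypts it without complaint."""
    ct = bytearray(rc4md5_encrypt(master_key, os.urandom(16), SAMPLE_REQUEST))
    ct[16] ^= ord("G") ^ ord("P")              # first body byte: 'G' becomes 'P'
    return rc4md5_decrypt(master_key, bytes(ct))


def tamper_authenticated(master_key: bytes) -> bool:
    """Same flip against the authenticated variant; True means it was rejected."""
    data = bytearray(etm_encrypt(master_key, os.urandom(16), SAMPLE_REQUEST))
    data[16] ^= ord("G") ^ ord("P")
    try:
        etm_decrypt(master_key, bytes(data))
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    key = os.urandom(16)
    print("stream cipher accepted:", tamper_unauthenticated(key)[:16])
    print("authenticated variant rejected:", tamper_authenticated(key))
```

The unauthenticated path returns a request that now begins `PET /index.html`, and nothing in the protocol reveals that a byte changed; the authenticated path raises before any plaintext is released. This is the property the AEAD methods recommended later in the article add, and the reason rc4-md5 and the other non-AEAD Shadowsocks methods are considered deprecated.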

A particularly alarming discovery is the hard-coding of symmetric keys and passwords in APKs, as seen in Family A’s libopvpnutil.so library, which deterministically generates decryption keys based on the app’s package name.

Because the key is reused, any network eavesdropper who recovers it can decrypt all client traffic; the researchers extracted it with dynamic-analysis tools like Frida and demonstrated real-time decryption of encrypted streams.

Family B apps, reliant on libcore.so, select from 14 hard-coded passwords across shared servers hosted by GlobalTeleHost Corp., facilitating cross-provider infrastructure abuse.

Even Family C’s custom tunneling over port 53 (masquerading as DNS) incorporates libredsocks.so dependencies that invite client-side blind attacks via Android’s Netfilter framework.

These shared defects indicate not just ownership deception but systemic security negligence, affecting over 972 million downloads across 21 apps.

The implications are profound: users trusting these VPNs for privacy may inadvertently expose sensitive data to interception, especially in adversarial networks like public Wi-Fi.

Researchers recommend enhanced forensic signals for clustering, such as cryptographic credential matching, and urge providers to adopt non-hard-coded keys and robust encryption like AEAD ciphers.
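The recommendation to use credential matching as a clustering signal, together with the hard-coded Shadowsocks passwords and deprecated ciphers described above, can be turned into a small audit routine. The following added example is written for this page and is not the researchers' tooling: it opens APKs (which are zip archives), looks for Shadowsocks credentials either as JSON `method`/`password` fields or as `ss://` URIs in legacy and SIP002 form, flags methods that are not AEAD, and hashes each credential so that apps sharing the same one can be grouped without storing the secret itself. The three APKs, their contents, server addresses and passwords are all constructed for the demonstration; the AEAD method list reflects the Shadowsocks AEAD ciphers.

```python
import base64
import hashlib
import io
import json
import re
import zipfile

# Shadowsocks methods with authenticated encryption; anything else (rc4-md5,
# the *-cfb stream modes, ...) carries no integrity check.
AEAD_METHODS = {"aes-128-gcm", "aes-192-gcm", "aes-256-gcm", "chacha20-ietf-poly1305"}

SS_URI_RE = re.compile(rb"ss://([A-Za-z0-9+/=_-]+)(?:@([A-Za-z0-9.\-]+):(\d+))?")
JSON_METHOD_RE = re.compile(rb'"method"\s*:\s*"([^"]+)"')
JSON_PASS_RE = re.compile(rb'"password"\s*:\s*"([^"]+)"')


def _b64decode(s: bytes) -> bytes:
    # Accept both standard and URL-safe alphabets, with or without padding.
    s = s.replace(b"-", b"+").replace(b"_", b"/")
    return base64.b64decode(s + b"=" * (-len(s) % 4))


def find_ss_uri(data: bytes):
    """Return the first Shadowsocks URI in data as a dict, or None."""
    m = SS_URI_RE.search(data)
    if not m:
        return None
    try:
        decoded = _b64decode(m.group(1)).decode()
    except Exception:
        return None
    if m.group(2):  # SIP002: ss://base64(method:password)@host:port
        method, _, password = decoded.partition(":")
        host, port = m.group(2).decode(), int(m.group(3))
    else:           # legacy: ss://base64(method:password@host:port)
        userinfo, _, hostport = decoded.rpartition("@")
        method, _, password = userinfo.partition(":")
        host, _, port = hostport.rpartition(":")
        port = int(port)
    return {"method": method, "password": password, "server": host, "port": port}


def credential_fingerprint(method: str, password: str) -> str:
    # Same (method, password) pair in two apps -> same fingerprint: the clustering signal.
    return hashlib.sha256(f"{method}:{password}".encode()).hexdigest()[:16]


def scan_apk(name: str, blob: bytes):
    """Walk every entry of an APK and collect embedded Shadowsocks credentials."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for entry in zf.namelist():
            data = zf.read(entry)
            creds = []
            uri = find_ss_uri(data)
            if uri:
                creds.append(uri)
            for meth, pw in zip(JSON_METHOD_RE.findall(data), JSON_PASS_RE.findall(data)):
                creds.append({"method": meth.decode(), "password": pw.decode()})
            for c in creds:
                findings.append({
                    "apk": name, "entry": entry, "method": c["method"],
                    "aead": c["method"] in AEAD_METHODS,
                    "fingerprint": credential_fingerprint(c["method"], c["password"]),
                })
    return findings


def cluster_by_credential(findings):
    """Map each credential fingerprint to the set of APKs that embed it (shared ones only)."""
    clusters = {}
    for f in findings:
        clusters.setdefault(f["fingerprint"], set()).add(f["apk"])
    return {fp: apks for fp, apks in clusters.items() if len(apks) > 1}


def _make_apk(files):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for path, content in files.items():
            zf.writestr(path, content)
    return buf.getvalue()


# Constructed sample APKs (not real apps): two embed the same rc4-md5 credential,
# once as JSON and once as a legacy ss:// URI inside a native library; the third
# uses an AEAD method with its own password.
_SHARED_URI = b"ss://" + base64.b64encode(b"rc4-md5:constructed-secret-1@203.0.113.10:8388")
SAMPLE_APKS = {
    "app_one.apk": _make_apk({"assets/config.json": json.dumps({
        "server": "203.0.113.10", "server_port": 8388,
        "password": "constructed-secret-1", "method": "rc4-md5"}).encode()}),
    "app_two.apk": _make_apk({"lib/arm64-v8a/libfake.so": b"\x7fELF\x00\x00" + _SHARED_URI + b"\x00\x00"}),
    "app_three.apk": _make_apk({"assets/config.json": json.dumps({
        "server": "198.51.100.7", "server_port": 443,
        "password": "constructed-secret-2", "method": "chacha20-ietf-poly1305"}).encode()}),
}


def audit(apks=SAMPLE_APKS):
    findings = [f for name, blob in apks.items() for f in scan_apk(name, blob)]
    return findings, cluster_by_credential(findings)


if __name__ == "__main__":
    findings, clusters = audit()
    for f in findings:
        print(f"{f['apk']}: {f['entry']} method={f['method']} aead={f['aead']} fp={f['fingerprint']}")
    print("shared credentials:", clusters)
```

Run as a script it lists each finding and then the one fingerprint that app_one and app_two have in common, which is exactly the kind of signal that links nominally independent providers to shared infrastructure; the non-AEAD flag on the same entry is the second defect the article describes. A real audit would add obfuscated and compiled configuration formats, but the fingerprinting step stays the same.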

As VPN adoption surges amid rising cyber threats, this study underscores the need for regulatory scrutiny of ownership transparency and protocol integrity to safeguard global users.

About Cybernoz

Security researcher and threat analyst with expertise in malware analysis and incident response.