A comprehensive security analysis has revealed alarming vulnerabilities affecting over 700 million users across multiple VPN applications, exposing critical flaws that compromise the very privacy and security these services promise to protect.
Research conducted by cybersecurity experts from Arizona State University, Citizen Lab, and Bowdoin College has uncovered three distinct families of VPN providers that share not only common ownership but also dangerous security weaknesses that render user communications vulnerable to interception and decryption.
The investigation identified deceptive practices among seemingly independent VPN providers who deliberately obscure their ownership while sharing identical cryptographic credentials and server infrastructure.
These providers, operating under names such as Innovative Connecting, Autumn Breeze, and Lemon Clove, collectively distribute applications including Turbo VPN, VPN Proxy Master, and Snap VPN, among others.
The research reveals that these apps contain hard-coded Shadowsocks passwords that enable attackers to decrypt all user traffic transmitted through their networks.
Following extensive analysis of application binaries and network communications, Petsymposium analysts identified that the security flaws stem from fundamental implementation errors in how these VPN applications handle cryptographic materials.
The most critical vulnerability involves hard-coded symmetric encryption keys embedded directly within the application code, stored in files such as assets/server_offline.ser and encrypted using AES-192-ECB. When VPN clients establish connections, they call a native function, NativeUtils.getLocalCipherKey, implemented in the shared library libopvpnutil.so, to deterministically generate the decryption key.
The technical analysis revealed that these applications employ deprecated Shadowsocks configurations using the rc4-md5 cipher, a stream cipher with no integrity check, which enables decryption oracle attacks.
Network traffic analysis demonstrated that attackers possessing these hard-coded credentials can decrypt user communications in real time; the Shadowsocks passwords were also visible in both runtime traces and memory dumps.
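The audit below is an added example written for this article, not code from the researchers or from any of the apps named. It walks an unpacked APK directory (constructed here in a temporary folder), records the presence of the server_offline.ser fallback asset, and checks every embedded Shadowsocks server entry for a stored password and for a deprecated stream cipher such as rc4-md5. The sample JSON entries, server addresses and passwords are constructed; the real server_offline.ser is AES-192-ECB encrypted and would first need the app's own key derivation, which this example does not implement.

```python
"""Audit an unpacked VPN APK for embedded Shadowsocks credentials and weak ciphers.

Added example for this article, not code from the research or the apps discussed.
The directory tree and config contents are constructed for the demo; only the
asset name server_offline.ser and the rc4-md5 cipher come from the article.
"""
from __future__ import annotations

import json
import os
import tempfile
from dataclasses import dataclass

# Shadowsocks AEAD ciphers authenticate every chunk; all other methods are stream
# ciphers whose ciphertext can be altered without detection. (Assumption: these
# are the commonly documented method names, not an exhaustive list.)
AEAD_CIPHERS = {"aes-128-gcm", "aes-256-gcm", "chacha20-ietf-poly1305"}
DEPRECATED_STREAM_CIPHERS = {
    "rc4-md5", "rc4", "table", "bf-cfb", "chacha20", "salsa20",
    "aes-128-cfb", "aes-192-cfb", "aes-256-cfb",
}
# Keys that together identify a Shadowsocks server entry.
SS_CONFIG_KEYS = {"server", "server_port", "password", "method"}


@dataclass
class Finding:
    path: str       # file relative to the unpacked APK root
    issue: str
    severity: str   # "high", "medium" or "info"


def audit_config(path: str, cfg: dict) -> list[Finding]:
    """Report weaknesses in one Shadowsocks server entry."""
    findings: list[Finding] = []
    method = str(cfg.get("method", "")).lower()
    if method in DEPRECATED_STREAM_CIPHERS:
        findings.append(Finding(path, f"deprecated stream cipher {method!r}: no integrity check", "high"))
    elif method not in AEAD_CIPHERS:
        findings.append(Finding(path, f"unrecognised cipher {method!r}", "medium"))
    if cfg.get("password"):
        # Any secret shipped inside the app is recoverable by whoever has the APK,
        # whatever cipher it is used with.
        findings.append(Finding(path, "Shadowsocks password embedded in app asset", "high"))
    return findings


def audit_tree(root: str) -> list[Finding]:
    """Walk an unpacked APK and audit every JSON file holding Shadowsocks entries."""
    findings: list[Finding] = []
    for dirpath, _, files in os.walk(root):
        for name in sorted(files):
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            if name == "server_offline.ser":
                # Encrypted fallback list; decrypting it needs the app's own key
                # derivation, so here we only record that the fallback exists.
                findings.append(Finding(rel, "offline server list present: hard-coded fallback credentials", "info"))
            try:
                with open(path, "rb") as fh:
                    data = json.loads(fh.read())
            except ValueError:  # not JSON (UnicodeDecodeError is a ValueError too)
                continue
            entries = data if isinstance(data, list) else [data]
            for entry in entries:
                if isinstance(entry, dict) and SS_CONFIG_KEYS.issubset(entry):
                    findings.extend(audit_config(rel, entry))
    return findings


def build_demo_tree() -> str:
    """Create a constructed APK-like tree: one opaque .ser asset and one JSON list."""
    root = tempfile.mkdtemp(prefix="vpn_audit_")
    assets = os.path.join(root, "assets")
    os.makedirs(assets)
    with open(os.path.join(assets, "server_offline.ser"), "wb") as fh:
        fh.write(bytes(range(0x80, 0xA0)))  # stand-in for the encrypted blob
    servers = [
        {"server": "192.0.2.10", "server_port": 8388, "method": "rc4-md5",
         "password": "CONSTRUCTED-PASSWORD-1"},
        {"server": "192.0.2.11", "server_port": 8388, "method": "chacha20-ietf-poly1305",
         "password": "CONSTRUCTED-PASSWORD-2"},
    ]
    with open(os.path.join(assets, "servers.json"), "w", encoding="utf-8") as fh:
        json.dump(servers, fh)
    return root


if __name__ == "__main__":
    for f in audit_tree(build_demo_tree()):
        print(f"[{f.severity:6}] {f.path}: {f.issue}")
```

Note that the AEAD entry is still flagged: switching rc4-md5 for chacha20-ietf-poly1305 fixes the integrity problem but not the root cause, which is that the credential ships inside an app anyone can download and unpack.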
Infection Mechanism and Credential Sharing Architecture
The vulnerability exploitation mechanism centers on the shared cryptographic infrastructure across supposedly distinct VPN providers.
Each affected application contains identical configuration files and shared libraries that reference multiple VPN applications within their code structure.
The libopvpnutil.so library contains explicit references to several VPN package names, including free.vpn.unblock.proxy.turbovpn, free.vpn.unblock.proxy.vpnmaster, and free.vpn.unblock.proxy.vpnmonster, indicating coordinated development and deployment across the provider network.
When users connect to these VPN services, the applications attempt to download remote configuration files before falling back to the embedded hard-coded credentials stored in server_offline.ser.
This design enables attackers to enumerate additional VPN servers by testing the extracted passwords against IP addresses within the same network ranges, effectively mapping the entire infrastructure operated by these deceptive providers.
The shared credential system also allows unauthorized use of the VPN services: the Shadowsocks parameters extracted from any one affected application are enough to establish tunnels to the shared infrastructure.
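The clustering below is an added example for this article, not the researchers' tooling. It takes the two kinds of artefact the text describes, Shadowsocks entries extracted from each app and package-name strings found in each app's native library, and groups the apps into families with a union-find pass, keeping a record of which observation linked which pair. The three package names are those listed above; the fourth app, all server addresses and all passwords are constructed placeholders, and credentials are reported as a hash so the output can be shared without the raw secret.

```python
"""Group VPN apps into ownership families from shared credentials and cross-references.

Added example for this article, not the researchers' tooling. The three package
names are those the article lists; the fourth app, all servers and all passwords
are constructed placeholders.
"""
from __future__ import annotations

import hashlib
from collections import defaultdict

# Per-app artefacts an analyst would extract: Shadowsocks entries found in the
# app, and package names referenced as strings in its native library.
APPS = {
    "free.vpn.unblock.proxy.turbovpn": {
        "creds": [("198.51.100.5", 8388, "rc4-md5", "CONSTRUCTED-PW-A")],
        "lib_refs": ["free.vpn.unblock.proxy.turbovpn", "free.vpn.unblock.proxy.vpnmaster"],
    },
    "free.vpn.unblock.proxy.vpnmaster": {
        "creds": [("198.51.100.5", 8388, "rc4-md5", "CONSTRUCTED-PW-A")],
        "lib_refs": ["free.vpn.unblock.proxy.vpnmaster"],
    },
    "free.vpn.unblock.proxy.vpnmonster": {
        "creds": [("198.51.100.9", 8388, "rc4-md5", "CONSTRUCTED-PW-B")],
        "lib_refs": ["free.vpn.unblock.proxy.vpnmonster", "free.vpn.unblock.proxy.turbovpn"],
    },
    "example.unrelated.vpn": {  # constructed control app: shares nothing
        "creds": [("203.0.113.7", 443, "chacha20-ietf-poly1305", "CONSTRUCTED-PW-C")],
        "lib_refs": ["example.unrelated.vpn"],
    },
}


def cred_fingerprint(server: str, port: int, method: str, password: str) -> str:
    """Hash of cipher+password so reports can be shared without the raw secret.
    The server address is deliberately left out: the same password reused on a
    different host is still evidence of one operator."""
    return hashlib.sha256(f"{method}:{password}".encode()).hexdigest()[:16]


class DisjointSet:
    """Union-find over package names."""

    def __init__(self, items):
        self.parent = {i: i for i in items}

    def find(self, x):
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]  # path halving
            x = self.parent[x]
        return x

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def cluster_families(apps: dict) -> tuple[list[list[str]], list[tuple[str, str, str]]]:
    """Return (families, evidence). Evidence rows are (app, app, reason)."""
    ds = DisjointSet(apps)
    evidence: list[tuple[str, str, str]] = []

    # Signal 1: two apps ship the same Shadowsocks credential.
    by_fp: dict[str, list[str]] = defaultdict(list)
    for pkg, info in apps.items():
        for cred in info["creds"]:
            by_fp[cred_fingerprint(*cred)].append(pkg)
    for fp, pkgs in by_fp.items():
        for other in pkgs[1:]:
            ds.union(pkgs[0], other)
            evidence.append((pkgs[0], other, f"shared credential {fp}"))

    # Signal 2: an app's native library names another app in the sample.
    for pkg, info in apps.items():
        for ref in info["lib_refs"]:
            if ref != pkg and ref in apps:
                ds.union(pkg, ref)
                evidence.append((pkg, ref, "library references other package"))

    groups: dict[str, set[str]] = defaultdict(set)
    for pkg in apps:
        groups[ds.find(pkg)].add(pkg)
    families = sorted((sorted(m) for m in groups.values()), key=lambda f: (-len(f), f[0]))
    return families, evidence


if __name__ == "__main__":
    fams, ev = cluster_families(APPS)
    for i, fam in enumerate(fams, 1):
        print(f"family {i}: {', '.join(fam)}")
    for a, b, why in ev:
        print(f"  {a} <-> {b}: {why}")
```

Either signal alone links only a pair; the third app joins the family through the library reference even though its credential differs, which is why the evidence list is kept alongside the grouping so an analyst can see which observation carried each link.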