Google has confirmed that SuperVPN, which has 100 million installs, has a vulnerability that allows for a critical MITM attack. On April 7, it was finally removed from the Google Play store.
SuperVPN Free VPN Client is an amazingly successful free VPN Android app. It has more than 100 million installs on the Play store, having started from only 10,000 installs nearly four years ago.
Unfortunately, it’s also an amazingly dangerous free VPN Android app. Our research has shown that it has critical vulnerabilities that allow man-in-the-middle (MITM) attacks, in which hackers can intercept communications between the user and the provider and even redirect users to a hacker’s malicious server instead of the real VPN server.
Recently, Google confirmed to us that this vulnerability still exists. We disclosed the finding through the Google Play Security Reward Program (GPSRP) because we have been unable to contact SuperVPN’s developer, SuperSoftTech. GPSRP allows security analysts to disclose vulnerabilities for apps with more than 100 million installs.
On March 19, the Google team confirmed to us that the vulnerability was still present in the latest version of Super VPN:
We worked with Google to contact SuperSoftTech so that they could address the issue and hopefully patch it. Unfortunately, this proved impossible, and on April 7, Google removed the SuperVPN app from Google Play.
However, users with SuperVPN installed are currently still susceptible and should delete the app immediately.
SuperVPN’s critical vulnerability affecting 100 million users
When you search for the “vpn” keyword in Play store’s search bar, you’ll see SuperVPN in the top 5 results. According to Google Play, the app has been downloaded at least 100 million times. In January 2019, it had only 50 million installs.
Just for comparison, SuperVPN currently has roughly the same number of installs as Tinder and AliExpress. If you can imagine all the people you know who have Tinder, that’s roughly the same number of people who have SuperVPN installed on their phone.
When we analyzed the app, we discovered that SuperVPN connects with multiple hosts. On one of these hosts, we discovered that a package (payload) was being sent from the app via unsecured HTTP. This payload held encrypted and encoded data, and the backend infrastructure then responded with a similar payload.
After more digging, we found that the payload actually contained the key needed to decrypt the information. After decrypting and decoding this data, we found it contained sensitive server information, its certificates, and the credentials that the VPN server needs for authentication. Once we had this information, we replaced the real SuperVPN server data with our own server data.
Analysis summary for SuperVPN:
In testing SuperVPN, we discovered the following:
- Connections over plain HTTP aren’t forbidden: HTTP traffic is unencrypted, so anyone sniffing the network can read your communications. Sending sensitive data over HTTP is highly insecure, and the app developer should forbid it.
- The payload is obfuscated: This is the good news – the information that’s transferred between the user’s app and the backend is encrypted.
- Hardcoded encryption keys found within the app: This is the bad news – while the information is encrypted, the keys to decrypt it are found within the app.
- Payload includes EAP credentials: VPNs use EAP credentials so that users outside the app can’t connect to the same VPN server. Sending EAP credentials in an unencrypted payload, or in one that is easily decrypted, defeats the purpose of those credentials.
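The four findings above come down to one design flaw: the client cannot tell a genuine server configuration from a substituted one, because the only secret protecting it ships inside the app. The Go program below is an added example written for this article, not SuperVPN’s code or anything from VPNpro’s analysis; it shows the mitigation a defender would want, where the backend signs the configuration with an Ed25519 private key that never leaves it and the client verifies with an embedded public key before using any server details. The `VPNConfig` field names, the expiry field and the sample values are assumptions; `SubstituteServer` only simulates the substitution the article describes, so the check can be seen rejecting it.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
)

// VPNConfig is a hypothetical stand-in for the server data the article says
// the backend hands to the client (server address, certificate, EAP
// credentials). The field names are assumptions, not SuperVPN's format.
type VPNConfig struct {
	Server   string `json:"server"`
	CertPEM  string `json:"cert_pem"`
	EAPUser  string `json:"eap_user"`
	EAPPass  string `json:"eap_pass"`
	NotAfter int64  `json:"not_after"` // Unix seconds; bounds replay of a stale config
}

// SignedEnvelope is what the backend returns: the serialized config plus an
// Ed25519 signature over exactly those bytes.
type SignedEnvelope struct {
	Config    []byte `json:"config"`
	Signature []byte `json:"signature"`
}

var (
	ErrBadSignature = errors.New("config signature does not verify")
	ErrExpired      = errors.New("config has expired")
)

// GenerateKeyPair runs once on the backend. Only the public half is shipped
// inside the app; extracting it from the APK gives no ability to sign.
func GenerateKeyPair() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// SignConfig runs on the backend with the private key that never leaves it.
func SignConfig(priv ed25519.PrivateKey, cfg VPNConfig) (SignedEnvelope, error) {
	raw, err := json.Marshal(cfg)
	if err != nil {
		return SignedEnvelope{}, err
	}
	return SignedEnvelope{Config: raw, Signature: ed25519.Sign(priv, raw)}, nil
}

// VerifyConfig runs in the client before any server detail is used.
// nowUnix is injected so callers (and tests) control the clock.
func VerifyConfig(pub ed25519.PublicKey, env SignedEnvelope, nowUnix int64) (VPNConfig, error) {
	// ed25519.Verify panics on a malformed key, so check the length first.
	if len(pub) != ed25519.PublicKeySize || !ed25519.Verify(pub, env.Config, env.Signature) {
		return VPNConfig{}, ErrBadSignature
	}
	var cfg VPNConfig
	if err := json.Unmarshal(env.Config, &cfg); err != nil {
		return VPNConfig{}, err
	}
	if nowUnix > cfg.NotAfter {
		return VPNConfig{}, ErrExpired
	}
	return cfg, nil
}

// SubstituteServer simulates the substitution the article describes: an
// intermediary rewriting the server field in transit. It has no key, so the
// original signature is carried over unchanged and no longer matches.
func SubstituteServer(env SignedEnvelope, newServer string) SignedEnvelope {
	var cfg VPNConfig
	_ = json.Unmarshal(env.Config, &cfg)
	cfg.Server = newServer
	raw, _ := json.Marshal(cfg)
	return SignedEnvelope{Config: raw, Signature: env.Signature}
}

func main() {
	pub, priv, err := GenerateKeyPair()
	if err != nil {
		panic(err)
	}
	// Constructed sample config; placeholders, not real infrastructure.
	cfg := VPNConfig{Server: "vpn.example.net:4500", CertPEM: "(placeholder certificate)",
		EAPUser: "demo-user", EAPPass: "demo-pass", NotAfter: 1700000000}
	env, _ := SignConfig(priv, cfg)
	if _, err := VerifyConfig(pub, env, 1600000000); err != nil {
		fmt.Println("unexpected:", err)
	}
	_, err = VerifyConfig(pub, SubstituteServer(env, "203.0.113.5:4500"), 1600000000)
	fmt.Println("substituted server:", err)
}
```

Signing only addresses substitution and replay. It does nothing for confidentiality: the EAP credentials in the envelope are still readable by anyone on the path unless the fetch itself runs over TLS with the server certificate checked (or pinned), which is the fix for the plain-HTTP finding above.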
SuperVPN’s confusing ownership and location
At VPNpro, we’ve actually seen SuperVPN and its developer SuperSoftTech before in our research on the hidden owners of popular VPN apps. We discovered that the real app developer uses many techniques in an apparent attempt to hide who actually owns and develops this app.
While SuperSoftTech claims to be based in Singapore, it actually belongs to the independent app publisher Jinrong Zheng, a Chinese national likely based in Beijing. Earlier versions of the app list this person as the app developer:
When searching for the email address listed in SuperVPN’s Play listing, another page gives the app’s location as the Haidian District in Beijing.
You’ll also find that the email address is connected to Shenyang Yiyuansu Network Technology, which is the app developer listed for the Apple App Store version of SuperVPN.
It gets better: Another app on Play, LinkVPN Free VPN Proxy, is supposedly developed by FuryWeb Tech, but is actually another of Zheng’s products. This time, however, FuryWebTech lists its address as being in Hong Kong.
To make matters worse, SuperVPN had been named before in 2016 in an Australian research article [pdf]. There, it was listed as the third-most malware-rigged VPN app.
At that point, it had only 10,000 installs. That means that, in the last four years, an obviously-vulnerable app has been allowed to remain in the Play store and put another 99,990,000 people at risk.
SuperVPN’s blackhat SEO tricks
So you might be wondering how a critically vulnerable app from a shady, possibly Chinese developer was able to get 100 million installs in the span of 3 years. In previous research on how free VPNs rank suspiciously highly on the Play store, we found the answer.
But it probably won’t surprise you at this point: with some more shady tactics. Specifically, by using what appears to be blackhat SEO (or rather ASO – App Store Optimization) to boost its rankings and get more and more installs.
The playbook for SuperVPN’s blackhat tricks is pretty simple actually:
- Use a huge number of fake reviews: the top 10 apps for the keyword “vpn” have fewer words per review, more duplicate reviews, and more reviews from hidden users. For example, SuperVPN had 10,000 reviews of 1-4 words, while market leaders like IPVanish had fewer than 100 reviews with 1-4 words.
- Generate blackhat backlinks to boost its backlink profile, regardless of topic relevance. Our analysis showed that 36 of 100 sample backlinks to SuperVPN’s Play page came from pages not related to VPNs, technology, privacy or security.
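The review signals above (very short reviews, duplicated text, hidden reviewer profiles) lend themselves to a simple screening heuristic. The Go program below is an added example written for this article, not VPNpro’s tooling or anything from Google Play; the review records are constructed, the `Hidden` flag stands in for reviews whose author profile is not visible, and the flagging thresholds in `Suspicious` are assumptions chosen for illustration, not the article’s figures.

```go
package main

import (
	"fmt"
	"strings"
)

// Review is a minimal constructed record. Hidden models a review whose
// author profile cannot be viewed, the article's "reviews from hidden users".
type Review struct {
	Author string
	Text   string
	Hidden bool
}

// ReviewSignals collects the three indicators the article lists.
type ReviewSignals struct {
	Total      int
	ShortCount int     // reviews of 1-4 words
	Duplicates int     // reviews whose normalized text repeats an earlier one
	HiddenUser int     // reviews from hidden profiles
	AvgWords   float64 // mean words per review
}

// normalize lower-cases and collapses whitespace so trivially re-typed
// duplicates ("Great app" vs "great  app") compare equal.
func normalize(s string) string {
	return strings.Join(strings.Fields(strings.ToLower(s)), " ")
}

// ComputeSignals runs the heuristic over a listing's reviews.
func ComputeSignals(reviews []Review) ReviewSignals {
	var sig ReviewSignals
	seen := map[string]bool{}
	totalWords := 0
	for _, r := range reviews {
		n := len(strings.Fields(r.Text))
		totalWords += n
		if n >= 1 && n <= 4 {
			sig.ShortCount++
		}
		key := normalize(r.Text)
		if seen[key] {
			sig.Duplicates++
		} else {
			seen[key] = true
		}
		if r.Hidden {
			sig.HiddenUser++
		}
	}
	sig.Total = len(reviews)
	if sig.Total > 0 {
		sig.AvgWords = float64(totalWords) / float64(sig.Total)
	}
	return sig
}

// Suspicious flags a listing when short or duplicate reviews dominate.
// The 50% and 20% cut-offs are assumptions for illustration.
func Suspicious(sig ReviewSignals) bool {
	if sig.Total == 0 {
		return false
	}
	short := float64(sig.ShortCount) / float64(sig.Total)
	dup := float64(sig.Duplicates) / float64(sig.Total)
	return short > 0.5 || dup > 0.2
}

// SampleReviews is a constructed set shaped like the pattern the article
// describes: mostly 1-4 word reviews, one duplicate, two hidden profiles.
var SampleReviews = []Review{
	{Author: "user1", Text: "Great app"},
	{Author: "user2", Text: "great app", Hidden: true},
	{Author: "user3", Text: "Best vpn ever"},
	{Author: "user4", Text: "Works fine", Hidden: true},
	{Author: "user5", Text: "I have been using this for months and the speed is consistent"},
	{Author: "user6", Text: "nice"},
}

func main() {
	sig := ComputeSignals(SampleReviews)
	fmt.Printf("%+v suspicious=%v\n", sig, Suspicious(sig))
}
```

On the constructed set, five of six reviews are 1-4 words and one is a duplicate, so the listing is flagged; a set of a few ordinary-length, distinct reviews is not. In practice the ratios matter more than the raw counts, which is why the article compares SuperVPN's 10,000 short reviews against the under-100 of an established competitor.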
It appears that these simple blackhat techniques have helped propel SuperVPN to the top of Google Play’s rankings.
SuperVPN used a wide range of shady techniques to help it rank highly in Google, as well as to hide who actually owns the app, where it’s located, and the other apps from the same developer that may have similar issues.
But lastly, and most importantly, it seems that the entire time the app was on the Play store, it had critical vulnerabilities in one way or another, either by being a vehicle for malware in 2016, or allowing for MITM attacks just before being removed.
The only thing unclear now is whether these vulnerabilities are the result of mistakes or of intent.
Nonetheless, there are millions of users right now with a dangerous app on their phone. If you’re one of those users, we implore you to delete SuperVPN immediately.