A VPN with more than 100 million installs has been removed from the Google Play Store. And if you have it on your Android phone, you should delete it right now.
According to VPNPro, SuperVPN, a free VPN client, is “an amazingly dangerous” app. The problem? It has critical vulnerabilities that allow for man-in-the-middle attacks. And that means that hackers can easily intercept communications and redirect users to a hacker’s server instead of the real thing.
As reported by TechRadar, VPNPro had reached out to Google as part of its Google Play Security Reward Program on March 19, and at that time the company had validated the vulnerability.
Unfortunately, neither Google nor VPNPro was able to reach the developer, SuperSoftTech, in order to patch the issue. Google then removed the SuperVPN altogether on April 7 from the Google Play Store.
To put the popularity of SuperVPN in perspective, it has about the same number of installs as Tinder.
Why SuperVPN is so dangerous
The analysis of the SuperVPN app found multiple troubling issues. For instance, on one of the multiple SuperVPN hosts, the package or payload of data being sent from the app “contained the key needed to decrypt the information.”
This vulnerability allowed VPNPro to replace the SuperVPN server data with its own server data. Another big no-no is that some data was being sent via unsecured HTTP, which is unencrypted. That means anyone sniffing can read your communications.
Apparently, SuperVPN had already been named the third-most malware-rigged app in 2016 in an Australian research article, but the app continued to grow in popularity. This was accomplished via such blackout SEO tricks as generating a large amount of fake reviews.
There is a SuperVPN app listed in the Apple App Store that's still available as of this writing that has "cheng cheng" listed as its developer. But it's not clear whether it has the same vulnerabilities as the Android version. Regardless, we would be wary of downloading it.