Slashdot Mirror


Viruses, Spyware Found in 'Alarming' Number of Android VPN Apps (abc.net.au)

When the Federal Court blocked access to file-sharing websites like The Pirate Bay last December, VPN (Virtual Private Network) providers reported a surge in subscription rates. Australian company Vanished VPN said its subscription rates had doubled in the past six months and VPN Unlimited said it had seen a 12.5 percent monthly jump since the court's decision. People were using VPN services to access the blocked sites because they masked their location -- allowing users to get around any website blocks or restrictions. But if you're one of those people, you might want to take a closer look at the service you're using -- especially if you've got an Android device. From a report: A team from CSIRO's Data 61, University of NSW and UC Berkeley in the US found a whole bunch of Android VPN apps contain viruses, spyware and other adware. Researchers analyzed the apps available for Android to look for nasties like trojans, spyware and adware -- giving each an "anti-virus rank (AV)" based on what they found. The lower the rank, the better. They found of the 283 apps they analyzed, 38 percent contained malware or malvertising (malicious advertising containing viruses).

52 comments

  1. Built in VPN client by Anonymous Coward · · Score: 5, Interesting

    So why don't people just use the built in VPN client?

    1. Re:Built in VPN client by DickBreath · · Score: 4, Informative

      Yes! That!

      How to Use Android’s Wi-Fi Assistant to Safely Connect to Public Wi-Fi Networks (and Save Data)

      There is no need for a third party VPN app. Just use the Google managed VPN in Android. This can be used automatically when you use a public WiFi hotspot.

      Manager: how do you measure leadership?
      Tech: with a suitably designed test instrument.

      --

      I'll see your senator, and I'll raise you two judges.
    2. Re:Built in VPN client by Anonymous Coward · · Score: 0

      nowtogeek this is no for " geeks ")
      besides why use android for torrent?

    3. Re:Built in VPN client by Anonymous Coward · · Score: 0

      Not everyone is blessed by El Goog:

      https://support.google.com/nexus/answer/6327199?hl=en#where_it_works

    4. Re:Built in VPN client by arielCo · · Score: 1

      Because the mal-service providers don't use standard VPN protocols - their service, their app.

      --
      This post contains no rudeness or derision of any kind. All arguments are friendly. Terms and exclusions may apply.
    5. Re:Built in VPN client by Anonymous Coward · · Score: 2, Insightful

      What the article fails to mention is that all those "VPN" apps offer the VPN connection for free, something I think most of slashdot would not assume. And of course, they're certainly not doing it for free out of the goodness of their hearts...

    6. Re:Built in VPN client by fuzzyfuzzyfungus · · Score: 3, Interesting

      Which is, of course, the second (and perhaps larger) problem in this case:

      A VPN is a wonderful thing in terms of keeping undesirables out of the traffic between the endpoint device and the VPN provider (with some limited exceptions involving faulty implementation, obsolete protocols, or sneaky traffic analysis of unpadded VPN links); but whoever is terminating the VPN for you is a very, very, trusted party.

      If your provider is so sleazy that there is malware in the client you are definitely screwed; but even if the client is clean, they unavoidably see all the traffic sent over the VPN link; and you usually only bother with a VPN because either some of your applications don't encrypt their traffic properly; or because you don't want to reveal to the local wifi hotspot operator what hosts you are communicating with. If the VPN operator is shady; all you've done is add some latency and computational overhead in order to allow a different malicious party to watch your network traffic (and potentially modify it). Even better, while wifi hotspots are managed by zillions of different people and companies, making it somewhat harder to aggregate tracking data for a given user across all the APs they use; you voluntarily connect to your VPN provider; so they get all your traffic no matter where you are.

      Honestly, given the numerous alarming things you can do when you are a man-in-the-middle; I'm a bit surprised that adding local malware (and thus substantially increasing the risk of detection) was seen as a good strategy. If I were running an evil VPN I'd want my client (which pesky AV companies or security researchers might well download and inspect) to be squeaky clean and standard; basically just an idiot-proof wrapper around the system provided VPN protocols; and instead load up the malice, ad/malware injection, etc. on the server side.

    7. Re:Built in VPN client by tlhIngan · · Score: 4, Insightful

      So why don't people just use the built in VPN client?

      Because there may be hundreds of different servers you can connect to?

      My VPN provider (IPVanish) has servers in many different countries, and in the larger ones, they often have 3-4 in various geographic regions. This results in a list of 300-400 servers. So they have an app that helps you manage the list - you log in, pick a server and the app goes and installs a configuration to use the native (they support L2TP, PPTP and OpenVPN) VPN client with the desired server.

      So their app really helps pre-configure the built in client with whatever server you want (helpful if you want to use Netflix or Hulu, since a few of their servers aren't blocked).

      Yes, you can do it yourself, since they give you a list on their webpage, but it's a pain.

    8. Re:Built in VPN client by thygate · · Score: 1

      mod parent up

    9. Re:Built in VPN client by Anonymous Coward · · Score: 0

      a lot of sites with free lists ip address from vpn

    10. Re:Built in VPN client by Ol+Olsoc · · Score: 1
      Because it is fake. The way we know that things are fake is that we see them on teh computer screen.

      and everything I say or write is a lie.

      --
      The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
    11. Re:Built in VPN client by Anonymous Coward · · Score: 0

      For some reason, my workplace's Cisco ASA does not work with Android's VPN client (works fine with iOS devices, just not Android). Pushed routes were ignored. I gave up on it and used an OpenVPN setup instead.

    12. Re: Built in VPN client by Anonymous Coward · · Score: 0

      Which doesn't do vpn over 3g/lte !!!

    13. Re:Built in VPN client by unrtst · · Score: 1

      AFAICT, the Wi-Fi assistant is only available on android 5.1 nexus devices (ex. galaxy S6 has no support for it).

    14. Re:Built in VPN client by Anonymous Coward · · Score: 0

      It's a pain in the ass to turn off and on. Most people using VPNs are not using them full time (which the built in VPN support is good for), they are selectively using them to get around Geo-blocks or ISP restrictions for certain sites. And a lot of VPN providers have tiered pricing that makes this usage pattern more attractive.

    15. Re:Built in VPN client by Anonymous Coward · · Score: 0

      why use android for torrent?

      Not everyone is a media hoarder. Some people download a week's worth of media at a time and simply delete it when they have viewed it once or twice. How frequently do you view some media that has been in your collection more than 6 months?

  2. Google Play Store vs. F-Droid by Anonymous Coward · · Score: 0

    How many of the 38% can be found in the Play Store and how many can be found in F-Droid?

  3. There's always OpenVPN by mnslinky · · Score: 4, Informative

    OpenVPN has clients for both iOS and Android. The Android client source is open, allowing for code review. Unfortunately, due to NDA with Apple, the iOS source isn't as open, but it is written by the same people that write the open source OpenVPN code.

    1. Re:There's always OpenVPN by thegarbz · · Score: 1

      That depends on the service doesn't it. OpenVPN is a client / server. Whether or not you can use it for your service is an entirely different question.

    2. Re:There's always OpenVPN by mnslinky · · Score: 1

      I failed in my original post to plug my books about OpenVPN:

      * Mastering OpenVPN: https://www.packtpub.com/netwo...
      * Troubleshooting OpenVPN: https://www.packtpub.com/netwo...

  4. Question - Good android Virus\Spyware scanner? by Anonymous Coward · · Score: 0

    Question - Good android Virus\Spyware scanner?

  5. why would they by Anonymous Coward · · Score: 0

    they can litterally watch data(depending) and all connections if they wanted and log them. any apps can have malware its about trusting the source in this case google which tries to mitigate that sort of thing.

    1. Re:why would they by Anonymous Coward · · Score: 0

      litterally [lit-er-uh-lee] adverb
      1. Objects strewn or scattered about without exaggeration or inaccuracy.
      2. A number of young brought forth by a multiparous animal at one birth in the strictest and most direct of senses.

    2. Re: why would they by Anonymous Coward · · Score: 0

      thanks dad

  6. Simplify by Anonymous Coward · · Score: 0

    Maybe we should all just go back to hardwired landline phones, answering machines, and writing letters on actual paper and mailing them. All this shit is so out of control, and it's a perpetual game of Whac-A-Mole trying to secure it all, a game we'll never win.

    Email that's 95% SPAM.. overengineered webpages.. constantly having one screen or another in front of your face.. continual sensory overload.. fake 'online friends' you'll never meet.. so-called 'social media' that claims to 'bring people together' when all it does is give us an excuse to not practice our actual social skills, instead staying away from people.. disregarding the Social Contract entirely, becoming like mean-spirited, spoiled-brat children online, being shitty to people -- then having that Bad Behavior spill over into what little actual, in-real-life social contact you have, so we're shitty to everyone, everywhere, all the time.. rush, rush, rush everywhere.. isn't it enough already? Is all this gods-be-damned tech actually making our lives better, or is it just distracting us from the real problems, just being the Shiny Thing that makes us forget the important things? Can't we just forget all this crap, actually connect, and come back to the reality that we're actual, social creatures, and that we need to be nice to each other?

    Oh, forget it. I know nobody gives a damn anymore.

    1. Re: Simplify by Anonymous Coward · · Score: 0

      remember when life was simpler. when we would help each other get the bugs out of our hair or if we we fizzled throw poo and pound our fists in the ground and our chests. we would hunt and gather and the women would clean and cook. remember remember berry.

    2. Re: Simplify by Anonymous Coward · · Score: 0

      And you're exactly the sort of jerk he's talking about. Kill yourself.

    3. Re:Simplify by Anonymous Coward · · Score: 0

      GET OFF MY LAWN!

    4. Re:Simplify by AHuxley · · Score: 1

      Get a VPN in the only router that can see the internet. Every packet in and out gets wifi VPN. Or ethernet VPN on the desktop.
      Any OS or app can then do what it wants. Any media layer, javascript, hidden peer-to-peer connection it all gets VPN.

      --
      Domestic spying is now "Benign Information Gathering"
  7. Link to Paper by InfectedPacket · · Score: 5, Informative

    Link to the original paper instead of a news article: An Analysis of the Privacy and Security Risks of Android VPN Permission-enabled Apps

    --
    @cyberrecce
  8. Source of the apps by Somebody+Is+Using+My · · Score: 1

    The article is not very clear as to from where these VPN apps are being downloaded.

    Are these (or were these) apps available on Google's/Android's native App store, or did the user have to enable a third-party repository to get these programs?

    If the former, this is a fairly serious indictment of Google's policies, which should not only check to see if publishers are loading up their apps with spyware/trojans, but also determine a basic fitness test on the program (does it actually do what they say it does)? This is the whole point of using a curated market and if Google isn't even performing this sort of basic filtering, then they have seriously dropped the ball.

    If the users are downloading from an unvetted third-party repository, well... there is a reason Google warns against this. There are some trusted third-party markets, but if a vendor asks you to allow their repository, it should immediately raise red flags and make you look more closely at their offerings.

    1. Re:Source of the apps by GuB-42 · · Score: 2

      The study was done on Google Play apps. The worst offenders were removed from the Play Store during the study.
      It isn't explicit what counts as "malware", but from the look of it, besides a couple of apps (from the removed ones), it looks more like obnoxious ads.

      Maybe more concerning than malware is the lack of security. Some apps don't even encrypt traffic.

  9. Always use OpenVPN by Kludge · · Score: 4, Insightful

    If your VPN service provider does not support OpenVPN, GET ANOTHER SERVICE PROVIDER.
    There is no excuse for not supporting OpenVPN in this day and age.

    1. Re:Always use OpenVPN by Anonymous Coward · · Score: 0

      OpenVPN is one of the few services I actively block on all firewalls. Crappy vpn providers are a problem but OpenVPN is never the answer.

    2. Re:Always use OpenVPN by b0bby · · Score: 2

      As far as I am aware, OpenVPN is secure and can be open source on both servers and clients. I use it regularly and find it works well. What is your objection to it?

    3. Re:Always use OpenVPN by allo · · Score: 1

      two things:

      1) There are possibilities around this. Changing ports, using tcp instead of udp, and even some proprietary solutions, faking https and so on.
      2) You do not necessarily need to use openvpn. But if your provider doesn't offer openvpn, it's no serious provider.

    4. Re:Always use OpenVPN by thegarbz · · Score: 1

      There is no excuse for not supporting OpenVPN in this day and age.

      This day and age? What day and age is that? The day and age of telemetry? The day and age of custom protocols? The day and age of vendor lock-in?

      I agree, I do have OpenVPN through my provider, but they didn't provide the config for it. That was a mission in user unfriendliness.

    5. Re:Always use OpenVPN by thegarbz · · Score: 1

      China is that you?

    6. Re:Always use OpenVPN by Anonymous Coward · · Score: 1

      If your VPN service provider doesn't support OpenVPN, then roll your own: fire up a Linode or DigitalOcean instance at your choice of datacenter location and configure OpenVPN with at most a few minutes of tutorial fudging.

  10. who needs a vpn? by Anonymous Coward · · Score: 0

    don't need a VPN to get around the pirate bay blocks, just set your DNS to 8.8.8.8

  11. Is this really a surprise... by Anonymous Coward · · Score: 0

    "Viruses, Spyware Found in 'Alarming' Number of Android VPN Apps"
    Users download applications and ignore the list of permissions the app is asking for. One morning we are going to wake up and see the mother of all botnets using millions of phones running Android. The smart phone platforms are doing the same thing that developers did with early desktop applications and operating systems. Security was ignored in favor of faster development.
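
The permission list mentioned in the comment above can be checked mechanically. This is an added example, not part of the thread or the paper: it audits a decoded `AndroidManifest.xml` for a VPN service and for permissions a tunnel has no obvious use for. It assumes the manifest has already been decoded to text XML (for instance with apktool); the package `com.example.freevpn` and the `UNEXPECTED` list are constructed for illustration.

```python
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # android: attribute namespace
BIND_VPN = "android.permission.BIND_VPN_SERVICE"

# Permissions a tunnel-only app has no obvious use for (assumed list, adjust as needed).
UNEXPECTED = {
    "android.permission.READ_SMS",
    "android.permission.READ_CONTACTS",
    "android.permission.READ_CALL_LOG",
    "android.permission.RECORD_AUDIO",
    "android.permission.ACCESS_FINE_LOCATION",
}

# Constructed sample: decoded manifest of a made-up "free VPN" app.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.freevpn">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <application>
    <service android:name=".TunnelService"
             android:permission="android.permission.BIND_VPN_SERVICE">
      <intent-filter><action android:name="android.net.VpnService"/></intent-filter>
    </service>
  </application>
</manifest>
"""

def audit_manifest(xml_text):
    """Return VPN-related findings for one decoded AndroidManifest.xml."""
    root = ET.fromstring(xml_text.strip())
    requested = {p.get(A + "name") for p in root.iter("uses-permission")}
    vpn_services, unguarded = [], []
    for svc in root.iter("service"):
        actions = {a.get(A + "name") for a in svc.iter("action")}
        guarded = svc.get(A + "permission") == BIND_VPN
        if guarded or "android.net.VpnService" in actions:
            vpn_services.append(svc.get(A + "name"))
            if not guarded:
                # Without this guard, apps other than the system could bind the service.
                unguarded.append(svc.get(A + "name"))
    return {
        "is_vpn_app": bool(vpn_services),
        "unguarded_services": unguarded,
        "unexpected_permissions": sorted(requested & UNEXPECTED),
    }

if __name__ == "__main__":
    for key, value in audit_manifest(SAMPLE_MANIFEST).items():
        print(f"{key}: {value}")
```

A hit in `unexpected_permissions` is a prompt to read the app's description and privacy policy more closely, not proof of malice.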

  12. Have a look at the ToS and privacy statement by allo · · Score: 1

    As a general rule: The shorter the better. If it says "we log nothing. Never.", you're pretty safe, because only law applies and they do not reserve further rights. If it says "we reserve the right to monitor, if we suspect abuse ...", it's up to them to define abuse and reasons why they might suspect it.

    Other red flags are untrue claims (most secure of the world, unbreakable, stops ALL tracking (so? spyware, fingerprinting, etc.?)), technical incompetence (telling the connection after their exit node would be encrypted), scaremongering like "YOU ARE LIVING IN [your providers city], AND EVERYBODY CAN ACCESS YOUR DATA WITHOUT OUR VPN", free vpns (there is no such thing as a free lunch) and other things, which are too good to be true.

    Looking at the android app is now another sign, which can help you to rate the vpn, even when you're not using android.

    1. Re:Have a look at the ToS and privacy statement by gnasher719 · · Score: 1

      As a general rule: The shorter the better. If it says "we log nothing. Never.", you're pretty safe,

      You can be pretty sure about what they said. You can't be sure at all about what they are actually doing.

    2. Re:Have a look at the ToS and privacy statement by allo · · Score: 1

      Of course. Trust is important, but you have little chance to actually build trust, except interpreting such signs. A long ToS tells, that they are more willing to cooperate with your enemies and avoid the problem, that you could sue them for not respecting your rights. And a ToS with clauses when they are allowed to monitor traffic are telling you, that they have the means to monitor traffic, while others state, that they do not have such tools prepared (meaning an admin would need to script some tcpdump himself, if they really need to get you).
      And sometimes you see a political mission. Have a look at lavabit and how Levison rather closed his company than handing out the TLS key. This is the spirit, you're looking for.

  13. Cisco Anyconnect VPN client by Anonymous Coward · · Score: 0

    Even the Cisco Anyconnect VPN client for the desktop has telemetry built-in. It cannot be disabled or removed.

  14. Complete list of VPN ratings? by ottott · · Score: 2

    Anyone know where the complete list of VPN ratings is? Worst 10 is a nice start, but the whole list would be even better. Thanks.

    1. Re:Complete list of VPN ratings? by Anonymous Coward · · Score: 0

      Here's the paper (.PDF). https://research.csiro.au/ng/wp-content/uploads/sites/106/2016/08/paper-1.pdf