Slashdot Mirror


Viruses, Spyware Found in 'Alarming' Number of Android VPN Apps (abc.net.au)

When the Federal Court blocked access to file-sharing websites like The Pirate Bay last December, VPN (Virtual Private Network) providers reported a surge in subscription rates. Australian company Vanished VPN said its subscription rates had doubled in the past six months and VPN Unlimited said it had seen a 12.5 percent monthly jump since the court's decision. People were using VPN services to access the blocked sites because they masked their location -- allowing users to get around any website blocks or restrictions. But if you're one of those people, you might want to take a closer look at the service you're using -- especially if you've got an Android device. From a report: A team from CSIRO's Data 61, University of NSW and UC Berkeley in the US found a whole bunch of Android VPN apps contain viruses, spyware and other adware. Researchers analyzed the apps available for Android to look for nasties like trojans, spyware and adware -- giving each an "anti-virus rank (AV)" based on what they found. The lower the rank, the better. They found of the 283 apps they analyzed, 38 percent contained malware or malvertising (malicious advertising containing viruses).

11 of 52 comments

  1. Built in VPN client by Anonymous Coward · · Score: 5, Interesting

    So why don't people just use the built in VPN client?

    1. Re:Built in VPN client by DickBreath · · Score: 4, Informative

      Yes! That!

      How to Use Android’s Wi-Fi Assistant to Safely Connect to Public Wi-Fi Networks (and Save Data)

      There is no need for a third party VPN app. Just use the Google managed VPN in Android. This can be used automatically when you use a public WiFi hotspot.

      Manager: how do you measure leadership?
      Tech: with a suitably designed test instrument.

      --

      I'll see your senator, and I'll raise you two judges.
    2. Re:Built in VPN client by Anonymous Coward · · Score: 2, Insightful

      What the article fails to mention is that all those "VPN" apps offer the VPN connection for free, something I think most of slashdot would not assume. And of course, they're certainly not doing it for free out of the goodness of their hearts...

    3. Re:Built in VPN client by fuzzyfuzzyfungus · · Score: 3, Interesting

      Which is, of course, the second (and perhaps larger) problem in this case:

      A VPN is a wonderful thing in terms of keeping undesirables out of the traffic between the endpoint device and the VPN provider (with some limited exceptions involving faulty implementation, obsolete protocols, or sneaky traffic analysis of unpadded VPN links); but whoever is terminating the VPN for you is a very, very, trusted party.

      If your provider is so sleazy that there is malware in the client you are definitely screwed; but even if the client is clean, they unavoidably see all the traffic sent over the VPN link; and you usually only bother with a VPN because either some of your applications don't encrypt their traffic properly; or because you don't want to reveal to the local wifi hotspot operator what hosts you are communicating with. If the VPN operator is shady; all you've done is add some latency and computational overhead in order to allow a different malicious party to watch your network traffic (and potentially modify it). Even better, while wifi hotspots are managed by zillions of different people and companies, making it somewhat harder to aggregate tracking data for a given user across all the APs they use; you voluntarily connect to your VPN provider; so they get all your traffic no matter where you are.

      Honestly, given the numerous alarming things you can do when you are a man-in-the-middle; I'm a bit surprised that adding local malware (and thus substantially increasing the risk of detection) was seen as a good strategy. If I were running an evil VPN I'd want my client (which pesky AV companies or security researchers might well download and inspect) to be squeaky clean and standard; basically just an idiot-proof wrapper around the system provided VPN protocols; and instead load up the malice, ad/malware injection, etc. on the server side.

    4. Re:Built in VPN client by tlhIngan · · Score: 4, Insightful

      So why don't people just use the built in VPN client?

      Because there may be hundreds of different servers you can connect to?

      My VPN provider (IPVanish) has servers in many different countries, and in the larger ones, they often have 3-4 in various geographic regions. This results in a list of 300-400 servers. So they have an app that helps you manage the list - you log in, pick a server and the app goes and installs a configuration to use the native (they support L2TP, PPTP and OpenVPN) VPN client with the desired server.

      So their app really helps pre-configure the built in client with whatever server you want (helpful if you want to use Netflix or Hulu, since a few of their servers aren't blocked).

      Yes, you can do it yourself, since they give you a list on their webpage, but it's a pain.

  2. There's always OpenVPN by mnslinky · · Score: 4, Informative

    OpenVPN has clients for both iOS and Android. The Android client source is open, allowing for code review. Unfortunately, due to NDA with Apple, the iOS source isn't as open, but it is written by the same people that write the open source OpenVPN code.

  3. Link to Paper by InfectedPacket · · Score: 5, Informative

    Link to the original paper instead of a news article: An Analysis of the Privacy and Security Risks of Android VPN Permission-enabled Apps

    --
    @cyberrecce
  4. Always use OpenVPN by Kludge · · Score: 4, Insightful

    If your VPN service provider does not support OpenVPN, GET ANOTHER SERVICE PROVIDER.
    There is no excuse for not supporting OpenVPN in this day and age.

    1. Re:Always use OpenVPN by b0bby · · Score: 2

      As far as I am aware, OpenVPN is secure and can be open source on both servers and clients. I use it regularly and find it works well. What is your objection to it?

  5. Re:Source of the apps by GuB-42 · · Score: 2

    The study was done on Google Play apps. The worst offenders were removed from the Play Store during the study.
    It isn't explicit what counts as "malware", but from the look of it, besides a couple of apps (from the removed ones), it looks more like obnoxious ads.

    Maybe more concerning than malware is the lack of security. Some apps don't even encrypt traffic.

  6. Complete list of VPN ratings? by ottott · · Score: 2

    Anyone know where the complete list of VPN ratings is? Worst 10 is a nice start, but the whole list would be even better. Thanks.