An Android VPN with over 100 million installs has just been removed from the Google Play Store following the discovery of a serious vulnerability.

As Naked Security reports, the vulnerability was discovered in October 2019 and reported to Google in February. VPNPro found that SuperVPN left itself open to man-in-the-middle attacks that allow an attacker to intercept all communications between the person using the VPN and SuperVPN itself, meaning hackers could potentially see everything the user was doing and/or redirect them to a malicious server. This is a serious flaw in a VPN, which users typically rely on to keep their communications secure, so it's not surprising that all existing SuperVPN users are being urged to delete the app.

VPNPro's research claims that millions of customers could have had their credit card details stolen, photos leaked, and private conversations recorded. This is because SuperVPN's unsecured communications carried not only encrypted data but also the keys required to decrypt it, so anyone able to intercept the traffic could read it.

VPNPro also suggests that, while the company behind the application, SuperSoftTech, claims to be based in Singapore, it actually belongs to an independent app publisher called Jinrong Zheng who is likely based in Beijing.

Google’s Play Security Reward Program was notified after VPNPro tried, but failed, to contact SuperSoftTech to resolve the vulnerability. The app was removed from the Google Play Store on 7 April 2020. It's worth noting that this isn't the first time SuperVPN's security has been called into question: back in 2016, 13 antivirus programs detected malware in the VPN’s software.

UPDATE 04/09/20: This article originally claimed VPNPro.com offered a competing VPN service. This is incorrect. VPNPro.net offers a competing service, but the two are unrelated.
