
It has taken some time, but after multiple warnings and reports, Google has now removed a security app from the Play Store that researchers have described as “very dangerous” and which has accumulated more than 100 million installs. “This app raises so many red flags,” one review warned a year ago, “that it's impossible to recommend for even the simplest of tasks,” and so its removal is not a surprise.

Google is determined to crack down on threats hiding in Android’s official store. Where those threats are overtly malicious malware, that’s straightforward. This time, though, the issue was a security vulnerability that a Chinese developer had repeatedly failed to fix—a vulnerability that exposed users to “critical man-in-the-middle attacks.” That risk has now been removed from the store. But if you have the app—SuperVPN—installed on your phone, you should delete it right away.

[Image: SuperVPN’s listing before its removal. Source: Google Play Store]

SuperVPN’s risks were disclosed in previous research dating back to 2016. More recently, it was accused of manipulating the Play Store to drive installs. Alarmingly, when SuperVPN was first identified as a risk, it had just 10,000 installs. It now has more than 100 million. The latest security warnings came from VPNpro, as I reported in February, and I have been in contact with Google since then, as has the research team, seeking the app’s removal from the Play Store.

That has now happened.


According to VPNpro, SuperVPN “allows hackers to intercept communications between the user and the provider, and even redirect users to a hacker’s malicious server instead of the real VPN server.” There is no suggestion that the app’s developer was responsible for any attacks or data interception. But the risks were well known and publicised, leaving an open vulnerability for others to exploit.

“In our tests,” VPNpro reported back in February, “we noticed that SuperVPN connects with multiple hosts, with some communications being sent via unsecured HTTP. This contained encrypted data. But after more digging, we found that this communication actually contained the key needed to decrypt the information.” The team says it is “surprised Google allows such a major app with at least 100 million installs to remain on the Play store with such a glaring vulnerability.”

[Image: diagram of the man-in-the-middle attack. Source: VPNpro]

Google confirmed this vulnerability to the VPNpro team last month, and then today, April 7, took the decision to remove this popular app from its Play Store.

The researchers’ testing found the following three issues with SuperVPN:

Unencrypted HTTP traffic: “anyone sniffing can read your communications. Sending sensitive data over HTTP is highly unsecured, and this should be forbidden by the app developer.”

Hardcoded encryption keys: Even where information is encrypted, “the keys to decrypt that information are found within the app.”

Payload including EAP credentials: “VPNs use EAP credentials so users outside the app can’t connect to the same VPN server. By sending EAP credentials in an unencrypted payload, it defeats this purpose.”
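The three findings above are the kind of thing an app reviewer can check mechanically against a traffic capture. The following is an added example, not VPNpro’s tooling or anything from the SuperVPN app: it runs simple detection rules over a constructed log of requests (hypothetical hosts under the reserved .invalid domain, made-up field names and values) and flags cleartext transport, a decryption key travelling alongside the ciphertext it protects, and EAP credentials sent without transport protection.

```python
"""
Audit a captured traffic log for the weaknesses described in the VPNpro report:
cleartext HTTP, a decryption key shipped with its ciphertext, and EAP credentials
in an unprotected payload. Added example; the records below are constructed and
do not reflect SuperVPN's real hosts, fields or values.
"""
from urllib.parse import urlsplit

# Constructed sample, shaped like an export from an interception proxy:
# one dict per request, with the request body already parsed as JSON.
SAMPLE_TRAFFIC = [
    {"url": "http://config.example-vpn.invalid/servers",       # hypothetical host
     "body": {"payload": "c2VydmVyLWxpc3Q...", "key": "0123456789abcdef"}},
    {"url": "http://config.example-vpn.invalid/connect",
     "body": {"eap_user": "vpnuser", "eap_password": "hunter2", "server": "10.0.0.1"}},
    {"url": "https://api.example-vpn.invalid/status",
     "body": {"status": "ok"}},
]

# Field names the rules look for; assumed conventions, extend per target app.
EAP_FIELDS = {"eap_user", "eap_password", "eap_identity", "eap_secret"}
KEY_FIELDS = {"key", "aes_key", "secret_key"}
PAYLOAD_FIELDS = {"payload", "data", "ciphertext"}


def is_cleartext(url: str) -> bool:
    """True when the request goes over plain HTTP (no TLS)."""
    return urlsplit(url).scheme.lower() == "http"


def findings_for(record: dict) -> list:
    """Return the rule names that fire for a single request record."""
    url = record["url"]
    body = record.get("body") or {}
    keys = set(body) if isinstance(body, dict) else set()
    out = []
    # Rule 1: any cleartext request is readable by anyone on the path.
    if is_cleartext(url):
        out.append("cleartext-http")
    # Rule 2: ciphertext accompanied by its own key gives no confidentiality,
    # whatever the transport; a hardcoded key in the app has the same effect.
    if keys & KEY_FIELDS and keys & PAYLOAD_FIELDS:
        out.append("key-shipped-with-ciphertext")
    # Rule 3: EAP credentials only gate the VPN server if nobody else can read them.
    if keys & EAP_FIELDS and is_cleartext(url):
        out.append("eap-credentials-unprotected")
    return out


def audit(records: list) -> dict:
    """Map each request URL to the list of findings for it."""
    return {r["url"]: findings_for(r) for r in records}


def report(records: list) -> str:
    """Human-readable summary, one line per request."""
    lines = []
    for url, found in audit(records).items():
        lines.append(f"{url}: {', '.join(found) if found else 'no findings'}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_TRAFFIC))
```

The rules are deliberately conservative: a key field next to a payload field is flagged even on HTTPS, because transport security does nothing for a key that is bundled with (or hardcoded next to) the data it protects. On the mitigation side, Android lets a developer refuse cleartext traffic app-wide through the network security configuration (cleartextTrafficPermitted="false"), which would have made the first and third findings impossible by construction.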

“The implications are pretty dire,” VPNpro warned in February. “More than 100 million people could have their credit card details stolen, their photos and videos sold online, their conversations recorded and sent to a server in a secret location.”

This isn’t the first time that VPNpro’s research has prompted Google to dump Chinese apps from the Play Store. Also in February, the team exposed a subsidiary of China’s TCL Corporation for having 24 malicious apps on the Play Store. Google removed all 24 apps from its store.

VPNpro generates revenue from VPN advertising and affiliate links. Asked about the potential for a conflict of interest, they told me that “our research and analysis are completely independent from our business model. The main aim of our security research is to find privacy and security violations in publicly available desktop and mobile tools, and present this crucial information in a non-technical way.”

As regards revenue generation, the team told me that “on our website, we provide a clear and transparent disclaimer on any content that may be monetized. We also have full coverage of the major free VPNs and other services, such as password managers and secure email providers. We do understand that some companies may not appreciate our approach to making dangerous apps or software visible to the public, but we believe this is in the best interest of the user.”

The developer behind SuperVPN is SuperSoftTech, which claims to be based in Singapore. According to VPNpro, in reality it is based in China. I contacted the developer back in February, when reporting on the vulnerability, and did not receive any response. I have received nothing since.

The far less widely installed Pro version of SuperVPN remains on the Play Store. I would suggest you avoid that as well, unless and until these security issues are addressed.