New Android vulnerability allows data to be stolen from VPN connections [updated]

January 21, 2014

Security researchers at Ben Gurion University have demonstrated a networking-related security vulnerability in Android which allows a malicious app to bypass an active VPN connection and redirect the traffic to a different server. That server in turn has complete access to all the data which the device was sending over the VPN. Normally VPN connections are encrypted, but due to the bugs in Android the data which arrives at the fake destination is unencrypted. If the fake server then sends the data on to its original destination, it is possible that the Android user could remain unaware that the connection has been compromised.

The bad news

The vulnerability can be exploited on any Android device and doesn’t need root access. Any malicious app that wants to take advantage of this security hole doesn’t need any VPN-specific permissions. This means it isn’t possible to identify malicious intent just from the permissions the app requests.

The exploit can be built into any app, and once the app has been run the VPN connection becomes insecure. The vulnerability is present in Android 4.3 and Android 4.4 KitKat. Testing is currently underway.

VPNs are used for two main reasons: first, to encrypt an otherwise insecure connection (e.g. public Wi-Fi or a connection onto a private business network), and second, to defeat access restrictions based on geolocation or Internet provider (e.g. those in countries with oppressive regimes that filter and block Internet access).

In both these situations a compromised VPN connection can be a very real danger, especially for those in countries where accessing forbidden parts of the Internet is punishable by law.

The good news

However, there is some good news. First, to exploit this vulnerability, an app that knows how to divert the VPN traffic using this method needs to be installed on the Android device. In the demonstration given by Dudu Mimran, the CTO of Ben Gurion University’s Cyber Security Labs, a special app was installed to cause the diversion. Without a malicious app installed, the VPN can’t be diverted.

This means that if a concerned user only installs apps from Google Play then this should dramatically reduce the chances of an app being installed which can exploit this weakness. Since Google has been informed by the university about the nature of this attack it is likely (but not guaranteed) that Google will update its in-house malware scanners to weed out any apps submitted to the Play Store which try to exploit this problem.

Secondly, the details of the vulnerability are still private. Although the university has announced that a vulnerability exists it hasn’t published the details of how it works. This means that unless this error has been previously discovered (but not reported) then there are currently no known exploits in the wild.

The final bit of good news is that all SSL/TLS traffic, even if captured with this exploit, remains encrypted. Leaving aside the possibility that certain governments may have the ability to decrypt SSL traffic, if a user makes use of a service (say an email service) which encrypts all of its traffic then the user will remain protected even if the VPN is compromised.

Although this is a serious flaw in Android, the way in which it needs to be exploited means that at the moment it doesn’t present a danger to the average Android user. VPN users should proceed with caution and they should certainly avoid installing any apps from untrusted sources.

Comments

  • http://www.dazeinfo.com/ Amit Kumar Singh

    Google Is Under Threat From
    Increasing Forked Android Adoption..

    http://www.dazeinfo.com/2014/01/21/google-inc-goog-fork-android-adoption/

  • Favio Maldonado

    is this another article paid by apple??

    • Tanner Hoyt

      Yeah, because if an article points out a vulnerability in Android, even if it’s true, it was OBVIOUSLY paid for by Apple. Stop thinking Android is this god-like operating system. Google isn’t infallible.

      • Dina Rigby

        Nobody is thinking that Android is a god-like OS in the first place, because it isn’t. I don’t understand why the minute someone points out a flaw in Android people automatically start pointing fingers at Apple. For all you know this article might be paid by Samsung as a pre-emptive move to launch their Tizen.

        • Micheal Justin

          -

    • http://www.garysims.co.uk garysims

      I don’t know if I should laugh or cry at that comment.

    • Favio Maldonado

      and while we point our fingers at each other there’s an NSA guy checking our profile and wife pictures

  • Micheal Justin

    is that real post of someone paid for this?? I am using Android VPN and I am sure it’s secure and there is no chance of data being stolen.. http://www.bestvpnservice.com/blog/best-android-vpn/ you can check the protocols which help in secure connection..

    • http://www.garysims.co.uk garysims

      As I wrote previously, I don’t know if I should laugh or cry at that comment. I also suspect it is really just a lame attempt to advertise your VPN service as I see you have done the same thing in other comments!

      • Micheal Justin

        Well I posted this article in G+ community as well and not intend to advertise this there.. just sharing details and getting info that it’s true or not…

        • http://www.garysims.co.uk garysims

          OK, sorry, my bad. But the article is genuine and the idea that I or anyone at Android Authority is paid by Apple is quite odd. The research was carried out by a respected department of a world-leading university.

          • Micheal Justin

            Now it’s not secure even use VPN/Proxy.. So what you think is that good to use android for internet?

          • http://www.garysims.co.uk garysims

            Micheal, if you use a VPN then you need to be cautious; however, as it says in the article, the details of the vulnerability aren’t public so it is doubtful that others have reproduced it. Also you need to install a malicious app which will do the divert. If you stick to Google Play you should be fine. However, if you live in a country with an oppressive regime I would switch to using something else for accessing the Internet via a VPN.

            If you don’t use a VPN then nothing has changed, Android is as it was before.

          • Micheal Justin

            It’s not secure now even using VPN/Proxy.. So what you think is that good to use android for internet?

  • Tony T.

    I’m curious to know why there’s a border line running horizontally through the middle of Canada lol

    • BrettyDaren

      Along with secure protocols like pptp, sstp and l2tp, there is no chance that and data to be stolen once someone setup VPN in android. Though there is a chance if someone doesn’t setup VPN correctly on their android. I refer for those to configure VPN through the following step by step process and keep away any vulnerability and become anonymous online http://www.vpnranks.com/android-vpn-setup/

  • Shaun Stevin

    Israeli researchers have found critical security vulnerabilities in Android OS that allow bypassing of VPN configurations and stealing of data in plain text!

    http://www.purevpn.com/blog/new-android-vpn-vulnerability-enables-vpn-bypass-and-data-theft/

  • Steve martin

    Since there are most risk-free protocols are available as pptp, sstp and also l2tp, there is absolutely no chance of which and also information to become stolen the moment several just one startup VPN within android OS. Though you will find there’s chance in the event that several just one doesn’t start-up VPN the right way on their android OS. I recommend for all those for you to configure VPN throughout the following step by step practice and also keep away almost any weakness and be anonymous on the internet.
    http://www.vpnmag.co.uk/