Google has removed a popular VPN app with more than 100 million installs from the Play Store after industry professionals discovered severe security flaws.
A group of VPN experts discovered SuperVPN was open to man-in-the-middle attacks. The alarms went off back in October when Jan Youngren noticed that the app was using hard-coded encryption keys, which allowed hackers to view all the data being transferred through this app.
A VPN app is generally used to protect data transfers from snoopers with the help of randomized encryption keys. Even if hackers were somehow able to capture the data packets, the packets would be of no use to them, since they cannot decrypt them without access to the encryption keys.
However, SuperVPN was different. It acted like a VPN, but the keys it used were not randomized. Simply put, anyone with access to the hard-coded encryption keys can steal all the information going through the app.
This means all users of SuperVPN have potentially leaked their private information, including credit card details, personal videos and photos, and account passwords.
After discovering this vulnerability in October 2019, Youngren informed SuperSoftTech (the development team behind SuperVPN) about the flaw. No one from the team responded. Then in February, Youngren shared the findings with Google’s Play Security Reward Program. Google’s team was likewise unable to get any response from SuperVPN on the matter.
The app was removed from Google Play Store on April 7, 2020.