Viruses, spyware found in 'alarming' number of Android VPN apps

Updated 25 January 2017, 17:25 AEDT

If you've thought of using a VPN to get around the Federal Court's blocking of The Pirate Bay and other file-sharing websites, you might want to take a closer look, especially if you have an Android device.

When the Federal Court blocked access to file-sharing websites like The Pirate Bay last December, VPN (Virtual Private Network) providers reported a surge in subscription rates.

Australian company Vanished VPN said its subscription rates had doubled in the past six months and VPN Unlimited said it had seen a 12.5 per cent monthly jump since the court's decision.

People were using VPN services to access the blocked sites because they masked their location — allowing users to get around any website blocks or restrictions.

But if you're one of those people, you might want to take a closer look at the service you're using — especially if you've got an Android device.

A team from CSIRO's Data61, the University of NSW and UC Berkeley in the US found that a large number of Android VPN apps contain viruses, spyware and adware.

Researchers analysed the apps available for Android to look for nasties like trojans, spyware and adware — giving each an "anti-virus rank (AV)" based on what they found. The lower the rank, the better.

They found that, of the 283 apps they analysed, 38 per cent contained malware or malvertising (malicious advertising that carries viruses).

"The findings are alarming and showing some very, very serious security and privacy issues," Data61 researcher Dali Kaafar said.

"If they embed some malware that means that particular malware can see all the other traffic that is originating from your device.

"Your [usernames and passwords] can be seen by this particular app and that's a very critical, very sensitive security issue."

Apps had access to data and texts

More than 80 per cent of the apps want access to your sensitive information, such as user data and text messages, according to the researchers.

They found one in five providers was not even encrypting traffic — one of the key jobs of a VPN.

"That's a huge security hole to not be encrypting that traffic," Dr Kaafar said.

"Consider that as your network being completely naked out in the wild so everyone can see it if you're sending on the internet or when you're connecting to a hotspot Wi-Fi."

Here are the 10 worst offenders according to the researchers — remember the lower the AV-rank, the better:

App name             | AV-rank | Google Play rating (out of 5) | Downloads (approx.) | Availability
---------------------|---------|-------------------------------|---------------------|-------------
OkVpn                | 24      | 4.2                           | 1,000               | DELETED
EasyVpn              | 22      | 4.0                           | 50,000              | DELETED
SuperVPN             | 13      | 3.9                           | 10,000              | DELETED
Betternet            | 13      | 4.3                           | 5 million           | ACTIVE
CrossVpn             | 11      | 4.2                           | 100,000             | ACTIVE
Archie VPN           | 10      | 4.3                           | 10,000              | ACTIVE
HatVPN               | 10      | 4.0                           | 5,000               | DELETED
sFly Network Booster | 10      | 4.3                           | 1,000               | DELETED
One Click            | 6       | 4.3                           | 1 million           | ACTIVE
Fast Secure Payment  | 5       | 4.1                           | 5,000               | ACTIVE

The researchers found sFly Network Booster incorporated spyware and could access text messages and even send them from users' phones.

OkVpn and EasyVpn could force ads to appear in other applications.

Since August last year, OkVpn, EasyVpn, SuperVPN, HatVPN and sFly Network Booster have all been removed from the store, along with 44 others of the 283.

But Betternet, CrossVpn, Archie VPN, One Click and Fast Secure Payment all remain.

Before their report was released, researchers contacted the individual developers and Google, which removed some of the apps from the store.

So what should you look out for?

Here are some of Dr Kaafar's tips:

  • Choose your app developer carefully. Look for apps made by reputable developers who have already written specialised security apps.
  • Look at what permissions the applications ask for. For example, a VPN application should not be seeking access to read and write your text messages.
  • Data61 has also built an Android app so you can check for yourself whether the VPN you're using is up to scratch. It's called PrivMetrics and it's available on the Google Play store.
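One way to apply the permissions tip above, as an added example that is not code from the researchers or from PrivMetrics: a small Python checker that reads an app's AndroidManifest.xml and flags permissions a VPN client has no functional need for, and also checks that the app actually declares a service protected by Android's BIND_VPN_SERVICE permission. The sample manifest, the list of suspicious permissions and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"
PERM_ATTR = f"{{{ANDROID_NS}}}permission"

# Hypothetical reviewer's list: permissions with no place in a VPN client.
# Following the article's advice, SMS access is the clearest red flag.
SUSPICIOUS_PERMISSIONS = {
    "android.permission.READ_SMS",
    "android.permission.SEND_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.WRITE_SMS",
    "android.permission.READ_CONTACTS",
    "android.permission.READ_CALL_LOG",
    "android.permission.RECORD_AUDIO",
}

# Constructed sample manifest modelled on the behaviour the article
# attributes to sFly Network Booster (an app that reads and sends SMS).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.fakevpn">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <application>
    <service android:name=".VpnSvc"
             android:permission="android.permission.BIND_VPN_SERVICE">
      <intent-filter><action android:name="android.net.VpnService"/></intent-filter>
    </service>
  </application>
</manifest>"""

def requested_permissions(manifest_xml):
    """Return the set of <uses-permission> names declared in the manifest."""
    root = ET.fromstring(manifest_xml)
    return {el.get(NAME_ATTR) for el in root.iter("uses-permission")}

def declares_vpn_service(manifest_xml):
    """True if some <service> is guarded by BIND_VPN_SERVICE, i.e. the app
    really uses the VpnService API rather than only calling itself a VPN."""
    root = ET.fromstring(manifest_xml)
    return any(svc.get(PERM_ATTR) == "android.permission.BIND_VPN_SERVICE"
               for svc in root.iter("service"))

def review_manifest(manifest_xml):
    """List permissions outside a VPN's job, plus a missing VpnService."""
    findings = sorted(requested_permissions(manifest_xml) & SUSPICIOUS_PERMISSIONS)
    if not declares_vpn_service(manifest_xml):
        findings.append("no BIND_VPN_SERVICE-protected service declared")
    return findings

if __name__ == "__main__":
    for finding in review_manifest(SAMPLE_MANIFEST):
        print("WARNING:", finding)
```

On a real APK the manifest is binary-encoded; decode it first (for example with apktool or aapt) and feed the resulting XML to review_manifest.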