Researchers claim discovery of new Android VPN vulnerability


Researchers at the Ben Gurion University Cyber Security Lab are back in the news with a claim that they have discovered a new vulnerability in the Android implementation of VPN. According to the researchers, the exploit would allow a malicious app to bypass an active VPN connection and redirect traffic to a different server. The malicious app can supposedly do this without root access and without requesting any VPN-specific permissions. Once the malicious app has redirected the data, it can be sent unencrypted to a target server without the user being aware the data is being redirected.

According to Ben Gurion’s CTO, Dudu Mimran, the VPN traffic cannot be diverted unless a malicious app is installed. It was also noted that any data encrypted prior to transmission, such as SSL/TLS traffic, remains encrypted even if it is diverted. In a video posted with their report of the vulnerability, the researchers purport to show intercepted traffic after the malicious app launches the VPN bypass code.

At this time, Ben Gurion researchers have only communicated the details of the vulnerability to Google and Samsung, so it should not be out in the wild, and no cases have been reported. Because the vulnerability can only be delivered to a device via a malicious app, sourcing apps from an app store like Google Play should minimize, if not eliminate, the potential for the code to end up on a user’s device, especially if Google updates its scanners now that it is in possession of the code.

Keep in mind that the last time Ben Gurion researchers claimed a vulnerability existed, supposedly in the Samsung KNOX platform, it was ultimately determined to be a standard man-in-the-middle attack and not something specific to KNOX. We will wait to see whether Google or Samsung issue any statements regarding this latest claim. Until then, continue to follow safe computing guidelines with your Android-powered devices.

source: Ben Gurion University
via: Android Authority

About the Author: Jeff Causey

Raised in North Carolina, Jeff Causey is a licensed CPA in North Carolina. Jeff's past Android devices include an HTC EVO, a Samsung Note II, an LG G3, and a Motorola Moto X Pure Edition along with a Samsung Galaxy Tablet 10.1. He currently uses a Samsung Galaxy S8 and (very rarely) a Nexus 7 (2013). He is also using a Verizon-branded Motorola Moto Z Play Droid supplied by his job. Jeff used to have a pair of Google Glass and a Moto 360 Sport in his stable of gadgets. Unfortunately, his kids have all drunk the Apple Kool-Aid and have i-devices. Life at home often includes demonstrations of the superiority of his Android-based devices. In his free time, Jeff is an active runner usually training for his next marathon, owns a Mazda MX-5 Miata, and plays Dungeons & Dragons. Jeff has three grown kids and a golden retriever.