Researchers at the Ben Gurion University Cyber Security Lab are back in the news with a claim that they have discovered a new vulnerability in Android's VPN implementation. According to the researchers, the exploit would allow a malicious app to bypass an active VPN connection and redirect traffic to a different server. The malicious app can supposedly be installed without root access and does not need any specific VPN permissions. When the data is redirected by the malicious app, it can be sent unencrypted to a target server without the user being aware of the redirection.
According to Ben Gurion’s CTO, Dudu Mimran, without a malicious app being installed, the VPN traffic cannot be diverted. It was also noted that any data that is encrypted prior to transmission, like SSL/TLS traffic, remains encrypted even if it is diverted. In a video posted with their report of the vulnerability, the researchers purport to show intercepted traffic after the malicious app launches the VPN bypass code.
At this time, Ben Gurion researchers have only communicated the details of the vulnerability to Google and Samsung, so it should not be out in the wild, and no cases have been reported. Because the exploit can only be delivered to a device via a malicious app, use of an app store like Google Play should minimize, if not eliminate, the potential for the code to end up on a user’s device, especially if Google updates its scanners, since it is in possession of the code.
Keep in mind that the last time Ben Gurion researchers claimed a vulnerability existed, supposedly in the Samsung KNOX platform, it was ultimately determined to be a standard man-in-the-middle attack and not something specific to KNOX. We will wait to see whether Google or Samsung issues any statement regarding this latest claim. Until then, continue to follow safe computing guidelines with your Android-powered devices.