Network Security, Application security, Vulnerability Management

Study: VPN apps plagued with security issues


SecurityWeek reports that multiple security flaws have been discovered across almost two dozen VPN apps available in the Google Play Store, and that the apps have also been linked to one another.

Identical code, dependencies, and hardcoded credentials for the Shadowsocks protocol were present in eight VPN apps published by Innovative Connecting, Autumn Breeze, and Lemon Clove, which purport to be based in Singapore but have been linked to U.S.-sanctioned Chinese cybersecurity firm Qihoo 360, a report from Citizen Lab revealed. Aside from Shadowsocks exposing the apps to various attacks that exploit hardcoded passwords and deprecated ciphers, all of the apps also had poor encryption and were vulnerable to packet injection attacks. Similar infrastructure has also been used by apps provided by ForeRaya Technology Limited, Wildlook Tech PTE LTD, Yolo Mobile Technology Limited, Matrix Mobile PTE LTD, and Hong Kong Silence Technology Limited, which have collectively amassed over 380 million downloads. "The issues we identified affect users, providers, and app stores. At a minimum, VPN users who value privacy should avoid using Shadowsocks, including the apps from these developers, as Shadowsocks was not designed to facilitate privacy, merely censorship circumvention," said Citizen Lab.
