The Cybernews research team has discovered a leak in a free virtual private network (VPN) aimed at users in China that could put its citizens at risk of persecution by the authoritarian regime.
Free or “freeware” VPNs are popular in Asia and the Middle East, particularly in countries such as China and Russia, where internet usage is much more strictly policed than in Western nations. Users of the Airplane Accelerates app may therefore be perturbed by the research team’s discovery that its private network service might not be so private after all.
On July 7, a Cybernews researcher discovered an open ElasticSearch instance containing 626GB of VPN connection logs during a routine check-up using open-source intelligence (OSINT) methods. This amounted to a database containing a staggering 5.7 billion entries, including user IDs, what IP addresses users were connecting to and from, domain names, and timestamps.
“This leak is significant, because the leaked data could be used to de-anonymize and track the users of this app,” said Aras Nazarovas, the researcher who led the investigation into the freeware. “Analysis of the Android app also shows that it is capable of functioning as spyware, and has remote code execution capabilities.”
Red flags
And despite purporting to be a VPN service offered free of charge, the app in fact runs on the less secure HTTPS. “Depending on how they implemented it, it could be that the app would only encrypt web traffic, not traffic from the operating system (OS) or other apps,” explained Nazarovas. “While Antivirus apps do not detect this app as malicious, our analysis of it raises some significant red flags.”
Given that Airplane has received around 3,000 reviews on the Chinese version of the App Store alone – as opposed to the global version where the numbers are much lower – it is reasonable to assume the actual number of users across Windows, MacOS, iOS, and Android could run into the tens or perhaps even hundreds of thousands.
In a regime like China, that could mean a lot of users getting into trouble if the app exposes their internet usage to the authorities.
Cybernews conducted an examination of the Android version of the app, which “found a list of domains including VPN services, anti-China and porn websites, open source tools used to bypass censorship, hacking tools, social media websites, and search engines.”
Significantly, there were no Chinese websites on the list indexed to the app, suggesting that it has been compiled to track users who are visiting domains that Beijing may disapprove of.
Further investigation revealed that the company responsible for the freeware app is based in Australia, where it is registered under the name AP Network PTY Ltd.
Suspect conduct
Cybernews also found that the Airplane app requested a suspiciously high number of permissions, ranging from access to camera and audio recording, to reading and modifying contacts, external storage, and installing packages.
“The amount of permissions the app requests suggests that some of the information it collects was stored in a different database than the one we found,” said Nazarovas, clarifying that the Chinese-language website that distributes the apps can be found at vp2n.cc while the domain name apnetworksapp.com hosts the app’s contact details and location.
While the company website also features a privacy policy, it is not clear from the wording or context whether it applies specifically to the VPN app, or another service. Cybernews did find a link connecting directly from the app itself in the store to a privacy policy – but this was not valid when clicked on and led nowhere.
This lack of clarity appears to have created a legal gray area that could potentially leave the app’s users vulnerable to having their data shared.
Of the four platforms Airplane operates on, only the iOS version allows you to download from a source outside of vp2n.cc – that is to say, from the App Store. Users on any of the other three platforms must go directly to AP Network’s website to obtain it.
This is not the first time a leak of potentially huge consequences has been reported in China. Last month it was reported that a hacker claimed to have stolen data being kept on a billion Chinese citizens from digital police records in Shanghai.
Cybernews reached out to AP Network to alert it to the problem shortly after discovering it. Having received no response after waiting for a month, it has decided it is in the public interest to share this story.
Free VPNs can be a risky alternative to the ones you pay for, so Cybernews has highlighted some of the best ones out there, as well as three that you should definitely avoid. Hoxx, iNinja, and SuperVPN have all been found to keep user data and in some cases even share it with other entities – compromising privacy and thus essentially doing the opposite of what a good VPN is supposed to do.
Hoxx collects user data and reserves the right to share it with governments at its discretion, while iNinja keeps records of its users’ timestamps, personal information, and online activity. SuperVPN, as well as having been hacked earlier this year, keeps connection logs and other data to track and identify its users.
The Cybernews research team also recently discovered that BeanVPN had left 25 million records of user data exposed to the public, including internet protocol (IP) addresses and user devices.
Other pitfalls to be aware of when using a free VPN include data and connection speed restrictions that hamper internet usage, and a poor choice of local servers that impedes varied content unblocking. Selling of user data to third parties and invasive advertising may also be used by so-called free VPN providers to make up for lost revenue.
Source: Damien Black Senior Journalist https://cybernews.com/security