date 2023-06-29

The backstory

In 2020, Google removed the “dangerous” security app SuperVPN from its Play Store following warnings of serious vulnerabilities exposing users to man-in-the-middle attacks. Despite these risks being highlighted in 2016, the app grew from 10,000 to more than 100 million downloads by the time it was removed.

Security warnings revealed unencrypted HTTP traffic, hardcoded encryption keys and unencrypted payloads, leading to potential interception of communications and redirection to malicious servers. Although SuperSoftTech, the app’s Chinese developer, wasn’t implicated in any data attacks, the persistent vulnerabilities made it an exploitable target. Users of this app are still advised to uninstall it immediately.

The recent data leak incident

In May 2023, cybersecurity researcher Jeremiah Fowler disclosed a significant data breach associated with SuperVPN. He conducted a thorough investigation and discovered a non-password-secured database related to the popular free VPN service.

This publicly available database comprised over 360 million records containing sensitive user information such as email and IP addresses, device-specific details, refund requests and browsing history.

Fowler found two applications named SuperVPN registered under different developers on the Google Play Store and Apple App Store. The SuperVPN versions for iOS, iPad and macOS are attributed to a developer named Qingdao Leyou Hudong Network Technology Co, while SuperSoftTech produces the second app.

The leaked database contains references to another company, Changsha Leyou Baichuan Network Technology Co, with multiple mentions of Qingdao Leyou Hudong Network Technology Co. Each of these companies seems to have Chinese ties, underscored by notes within the database written in Chinese. The exposed database was shut down after Fowler emailed the app owners to notify them of the leak. He received no response, which was puzzling and raised doubts about their commitment to user privacy.

All signs suggest Qingdao Leyou Hudong Network Technology Co owns and is responsible for the exposed database. Nevertheless, its relationship with SuperSoftTech remains unclear despite several similarities. For instance, the logos of the two entities, especially those of SuperVPN for Mac and iOS devices, are strikingly similar.

Fowler’s efforts to contact both firms to ascertain whether they are linked or share a common developer yielded no result. Given the scant information about their ownership or location on their respective websites, concerns have been raised regarding the openness and safety of these no-charge VPN services.

Further investigation revealed SuperVPN shares customer support emails with Storm VPN, Luna VPN, Radar VPN, Rocket VPN and Ghost VPN, indicating potential connections between these services. The exposed records contravene SuperVPN’s declared commitment not to log user data, which threatens user privacy.

What did we discover?

While researching the SuperVPN data leak, our experts found some intriguing information. Two free VPN apps with similar names are available on the Google Play Store. They are developed by SuperSoftTech and Wechoice Mobile and have different logos.

Our researchers identified discrepancies between the anonymity, privacy and security claims and the privacy policies for these applications on the Google Play Store.

Similarly, two SuperVPN apps are listed in the Apple App Store: the one discussed above (developed by Qingdao Leyou Hudong Network Technology Co) and another developed by Free Safety Connected Software Co, Ltd.

These apps with the same name and similar logos can cause confusion and mislead users. Moreover, their privacy policies seem to contradict their identity protection and data security claims, stating that user data can be disclosed to advertisers and other third parties.

Our takeaway

The SuperVPN case highlights that, while VPNs are designed to provide subscribers with enhanced privacy and security online, they are not invincible. Weak encryption techniques, security gaps or inadequate security measures can lead to breaches, compromising sensitive user data.