Android flaw allows attackers to bypass VPN, capture unencrypted data

The vulnerability affects Samsung's Galaxy S4, which is currently used by government agencies.
Researchers at a university in Israel disclosed the vulnerability to Google.

Researchers have discovered an Android vulnerability that allows a malicious app to bypass virtual private network (VPN) configurations, and ultimately send unencrypted data to an attacker.

On Friday, Dudu Mimran, CTO of Ben-Gurion University's Cyber Security Labs in Israel, wrote a blog post detailing the vulnerability and posted a video demonstrating how to exploit it.  

According to Mimran, the exploit affects users running the Android 4.3 mobile operating system. Android 4.4 (KitKat) currently is being tested to see if it is susceptible.

“This vulnerability enables malicious apps to bypass active VPN configuration (no root permissions required) and redirect secure data communications to a different network address,” Mimran wrote. “These communications are captured in clear text (no encryption), leaving the information completely exposed. This redirection can take place while leaving the user completely oblivious, believing the data is encrypted and secure,” he warned.

According to Mimran, Secure Sockets Layer (SSL) and Transport Layer Security (TLS) traffic can be intercepted by an attacker leveraging the exploit, though the data would remain encrypted.

In a YouTube video, a researcher demonstrated the VPN bypass on a Samsung S4 device. In the background, a computer also displayed a packet capturing tool to show how traffic is redirected to saboteurs.

In this instance, researchers illustrated how an email sent from the phone could be hijacked (in clear text) by an attacker.

SC Magazine reached out to Google about the vulnerability, but did not immediately hear back from the company. Researchers at Ben-Gurion did, however, reveal that they disclosed the bug to Google on Friday.

On Monday, Jeffrey Ingalsbe, director of the Center for Cyber Security and Intelligence Studies at the University of Detroit Mercy, told SC Magazine in an interview that the vulnerability is of concern because it “attacks one of the [security] pillars we thought we could count on in the mobile world” – VPNs.

Worse yet is the type of data that could fall into the hands of miscreants leveraging the attack, Ingalsbe added.

“Apps that typically require VPNs, or have them, are banking apps,” Ingalsbe said. “Some email apps will also connect via a VPN. It's a big deal because, one, people won't know about this [threat] and, two, because apps using them are really containing critical information.”
