Android flaw allows attackers to bypass VPN, capture unencrypted data

Share this article:
The vulnerability affects Samsung's Galaxy S4 which is currently used by government agencies.
Researchers at a university in Israel disclosed the vulnerability to Google.

Researchers have discovered an Android vulnerability that allows a malicious app to bypass virtual private network (VPN) configurations, and ultimately send unencrypted data to an attacker.

On Friday, Dudu Mimran, CTO of Ben-Gurion University's Cyber Security Labs in Israel, wrote a blog post detailing the vulnerability and posted a video demonstrating how to exploit it.  

According to Mimran, the exploit affects users running the Android 4.3 mobile operating system. Android 4.4 (KitKat) currently is being tested to see if it is susceptible.

“This vulnerability enables malicious apps to bypass active VPN configuration (no root permissions required) and redirect secure data communications to a different network address,” Mimran wrote. “These communications are captured in clear text (no encryption), leaving the information completely exposed. This redirection can take place while leaving the user completely oblivious, believing the data is encrypted and secure,” he warned.

According to Mimran, secure sockets layers (SSL) and transport layer security (TLS) traffic can be intercepted by an attacker leveraging the exploit, though the data would remain encrypted.

In a YouTube video, a researcher demonstrated the VPN bypass on a Samsung S4 device. In the background, a computer also displayed a packet capturing tool to show how traffic is redirected to saboteurs.

In this instance, researchers illustrated how an email sent from the phone could be hijacked (in clear text) by an attacker. reached out to Google about the vulnerability, but did not immediately hear back from the company. Researchers at Ben-Gurion did, however, reveal that they disclosed the bug to Google on Friday.

On Monday, Jeffrey Ingalsbe, director of the Center for Cyber Security and Intelligence Studies at the University of Detroit Mercy, told in an interview that the vulnerability is of concern because it “attacks one of the [security] pillars we thought we could count on in the mobile world” – VPNs.

Worse yet, is the type of data that could fall into the hands of miscreants leveraging the attack, Ingalsbe added.

“Apps that typically require VPNs, or have them, are banking apps,” Ingalsbe said. “Some email apps will also connect via a VPN. It's a big deal because, one, people won't know about this [threat] and, two, because apps using them are really containing critical information.”

Share this article:
You must be a registered member of SC Magazine to post a comment.

Sign up to our newsletters


More in News

Information sharing requires breaking down barriers, White House cyber guru says

Information sharing requires breaking down barriers, White House ...

The White House has advanced an agenda to promote and facilitate information sharing on security threats and vulnerabilities.

Worm variant of Android ransomware, Koler, spreads via SMS

Worm variant of Android ransomware, Koler, spreads via ...

Upon infection, the Koler variant will send an SMS message to all contacts in the device's address book.

Patch for Windows flaw can be bypassed, prompts temporary fix from Microsoft

Patch for Windows flaw can be bypassed, prompts ...

The Windows zero-day received a patch last week, but the fix can still be bypassed by crafty attackers.