VPN Related Vulnerability Discovered on an Android device

[chikiru900]

As part of our ongoing mobile security research we have uncovered a network vulnerability on Android devices which has serious implications for users using VPN. This vulnerability enables malicious apps to bypass active VPN configuration (no ROOT permissions required) and redirect secure data communications to a different network address. These communications are captured in CLEAR TEXT (no encryption), leaving the information completely exposed. This redirection can take place while leaving the user completely oblivious, believing the data is encrypted and secure.
In this video we demonstrate the vulnerability via the following steps:

1. We present a regular Android device (in this case it is the popular Samsung S4 device). Behind it we display a screen with packet capturing tool, showing the traffic that flows through that computer.
2. Now the user runs the malicious app and clicks on the Exploit button which takes advantage of the vulnerability in the phone’s system.
3. The user then navigates the menu to the phone’s network settings and activates the VPN. In the video it is easy to see that the user verifies that the VPN is active.
4. The user then opens an email client (the system default) and sends an email with the word security in the subject line
5. We immediately see that some information has been captured on the computer where the detection tool is running. It is important to stress again that no communications was supposed to pass through this computer in the first place.
6. In the video we can clearly see the SMTP (mail protocol) packets. The data of the communications protocol is analyzed and then we can see the whole mail including its “secret” subject in clear text.

[video=youtube;9JCmI0vbVik]https://www.youtube.com/watch?v=9JCmI0vbVik[/video]
Notes:

1. SSL/TLS traffic can be also captured with this exploit but the content stays encrypted and not in clear text.
2. We have tested the vulnerability on multiple Android devices from different vendors.
3. We have tested the vulnerability on Wifi connections alone.
4. The computer in the demo is connected to the same network as the mobile device.
5. The malicious app does not require VPN specific Android permissions.
6. The VPN is configured properly.

Status:
We have earlier today contacted Google through their security email [email protected] and sent them a vulnerability alert with all relevant information in an encrypted manner. We will update this blog post when new information becomes available or when progress is made in the analysis of this vulnerability. In addition, we will use this blog to issue warnings to those impacted by this vulnerability as soon as the impact is clarified. Once the issue will be resolved we will disclose here full details on the vulnerability.

Sourch: http://cyber.bgu.ac.il/blog/vpn-related-vulnerability-discovered-android-device-disclosure-report