Google Issues Critical New VPN Threat Warning for Billions of Users

Google warns billions of smartphone users of VPN threat.

Updated November 11 with additional details of how the use of Virtual Private Networks can be abused in real-world attacks, alongside information on how VPNs work as well as the original warning from Google about malicious VPN activity, fake apps and scams.

Google is on something of a security advisory blitz at the moment. These range from warnings that users must restart their Chrome browser following confirmation of a batch of high-severity vulnerabilities, to another aimed at iPhone users after research suggested Android devices are safer. However, one of the most critical, in the light of the current political and technical climate, doesn’t concern hackers exploiting Android vulnerabilities or threat actors employing dangerous calendar invites in attacks, but rather the use of a VPN. Here’s what all smartphone users need to know and do.


These VPNs Deliver Dangerous Malware Payloads, Including Password-Stealers, Google Warns

As I recently reported, Laurie Richardson, Google’s vice president of trust and safety, has confirmed a number of security warnings for all smartphone users with the publication of the company’s latest advisory.

To be honest, the timing really couldn’t have been better. And I’m not referring to the fact that the advisory included seasonal shopping scams to beware of, but rather to the uptick in the use of virtual private networks following the implementation of the Online Safety Act in the U.K. and state-based legislation in the U.S., both of which effectively make accessing online pornography harder. Faced with stiff age-validation obstacles, many users have turned to a VPN to get them past the porn barriers, which is where the Google warning comes into play.


Threat actors are, Richardson warned, disseminating “malicious applications disguised as legitimate VPN services across a wide range of platforms to compromise user security and privacy.” While enterprise users are not exempt from such deception, consumer VPN brands and consumers themselves, especially those who like to consume porn, are likely an easier target, especially as, Google has pointed out, the threat actors deploy social engineering campaigns that use “sexually suggestive advertising.”

Install a malicious VPN app or a fake VPN service and, far from protecting your privacy, you leave yourself open to a myriad of malware and privacy threats. Sure, they might actually work and get you access to the porn you are after (generally very slow access indeed, as they piggyback off legitimate free VPN platforms), but at the same time they deliver password-stealing malware and remote access trojans. These serve to “exfiltrate sensitive data such as browsing history, private messages, financial credentials and cryptocurrency wallet information,” Richardson confirmed.

I would advise readers to keep an eye on the advisories that are issued by the Google safety and security team, as they almost always contain a lot of common security sense.


What Is A VPN And How Does It Work?

A consumer VPN is, put simply, an app and accompanying service that wraps the connection between your device and the site or service you are using on the internet in an encrypted tunnel. This VPN tunnel, according to the privacy experts at Proton, connects you first to the VPN server, which “handles all DNS queries and acts as an intermediary that sits between your device and the internet, routing your data to the correct destinations.”

This is what hides your actual IP address from your internet service provider and from the website or service you are connecting to, both of which see the VPN server’s address instead. You can select from a number of different VPN servers, depending upon the platform, with some offering many individual servers in many different cities or countries around the world. It’s this ability not only to hide your IP address but to make it seem that you are connecting from a different location that VPN customers use to bypass geo-location restrictions for services ranging from streaming sites to, yes, porn ones.

“The most important thing to evaluate when choosing a VPN provider is whether it is trustworthy,” Proton said, echoing the Google warning. “This is crucial, as your VPN provider handles your internet connection, meaning it can see the browsing history you’re trying to keep private.”

Business VPN technology works in the same way, but is employed for a different purpose than most consumer applications. These VPNs offer encrypted network connections for data transit across untrusted networks, allowing an organization with offices in multiple remote locations to gain authenticated access to corporate systems.

The U.K. National Cyber Security Centre recommends that organizations use native operating system clients where possible, stating that third-party VPN clients can increase the risk that “some data may be sent outside the VPN,” as well as increasing the risk that “some out-of-date software will be in use,” which is always a security concern.


When Is A VPN Attack Not A VPN Attack?

The answer to the question posed in the sub-heading above is, dear reader, when it’s a phishing attack that exploits VPN usage in order to scam the intended victim. As The Hacker News recently reported, North Korean threat actors have been observed using a targeted spear-phishing attack to distribute backdoor malware, with a fake VPN invoice as the lure. Although this particular attack appears to be a one-off in terms of the intended victim, it is unlikely to be the only one that leverages VPN usage to get the user to open a malicious document or click a malicious link.

Here’s Why The Google VPN Warning Actually Matters

Of more concern to more people, of course, are the reports of real-world, potentially malicious VPNs. Take, for example, the Google Chrome VPN extension, with more than 100,000 installs and a decent review rating, that was reported as “acting as spyware for five months” after an update earlier this year. Or how about the fake Android VPN and streaming app that cybersecurity researchers discovered was acting as a sideloader for sophisticated banking trojan malware.

Perhaps it should come as no great surprise that the biggest threat from malicious VPNs comes from those applications that are offered free of charge. As the old saying goes, if the application is free, you’re not the customer; you’re the product. This isn’t a 100% watertight observation, however, as the majority of free apps, no matter what they are for, are perfectly harmless and genuine. The flip side of the mantra is that some paid-for applications can also be malicious, either by way of a change of ownership or following an update or developer account compromise, so a subscription fee is no guarantee of safety. All that aside, free VPNs don’t exactly have the greatest of reputations for true privacy — including the servers where your data goes and who can see it.

One investigation by a threat intelligence service found that a free VPN for PC users that was hosted on GitHub was actually a very nasty malware campaign. The VPN lure was designed to get the victim to fire up the software and actually execute a malware dropper by the name of launch.exe. The fake VPN campaign leveraged “process injection, DLL side-loading, and stealthy execution techniques to implant Lumma Stealer, a notorious information-stealing malware.” Notorious indeed, as I have warned readers in numerous reports concerning stolen passwords and two-factor authentication session cookies. “Disguised as a helpful tool, the dropper uses multiple layers of obfuscation, in-memory execution, and process injection to evade detection,” the researchers said, warning of the malicious VPN application.

Only Download VPNs From Official Sources, Google Warns

Here’s the thing, though: consumer VPNs are not some privacy and security silver bullet. To suggest otherwise is, frankly, disingenuous. VPNs will not make you entirely anonymous online, even when hiding your IP address, because browser fingerprinting and other factors will likely come into play for the average user. VPNs are not security tools, and while some offer phishing protection and the like, they cannot replace a dedicated multi-layered defensive security strategy. Most people, most of the time, do not need to use a VPN. There, I’ve said it, and no doubt the VPN public relations people will be emailing me within minutes. Sure, they have a use for getting around geo-location barriers and, by implication, country-specific age restrictions, but the average user gains nothing from using one in a cafe or airport, as they are really not at risk from mythical Wi-Fi hackers in the first place. There, I’ve said that as well.

Beware rogue VPNs.

If you really must use a VPN, then follow the Google security advisory recommendations to “only download VPN apps from official sources, and check for apps with the VPN badge in Google Play.” Free offers and the sideloading of untrusted apps should, of course, be avoided, as should any VPN that requests permission to access contacts or private messages. As Cyberinsider quite rightly says, “using no VPN is better than using a bad VPN.” Whether the issue is slow-as-treacle connections, leaky IP addresses, no real privacy because of where the service or its servers are located, or, worst of all, malicious activity, being VPN aware is a good thing. There are plenty of resources online to help in getting VPN selection right for you and to avoid many of the pitfalls, including those provided by Cyberinsider itself.
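As an added illustration of the permission check described above (example code written for this article, not from Google or its advisory), the script below audits a decoded AndroidManifest.xml and flags a “VPN” app that asks for contacts, SMS or similar access it has no business needing. The sample manifest is constructed, and the list of permissions a VPN client legitimately needs is an assumption.

```python
"""Flag Android VPN apps whose manifest requests permissions unrelated to
running a VPN, such as contacts or SMS access. Works on a manifest already
decoded to plain XML (APKs store it in a binary form)."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Permissions a VPN client plausibly needs (assumption for this example).
EXPECTED_FOR_VPN = {
    "android.permission.INTERNET",
    "android.permission.ACCESS_NETWORK_STATE",
    "android.permission.FOREGROUND_SERVICE",
    "android.permission.POST_NOTIFICATIONS",
}

# Permissions that expose contacts, messages or other private data.
RED_FLAGS = {
    "android.permission.READ_CONTACTS",
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_CALL_LOG",
    "android.permission.RECORD_AUDIO",
}

def audit_manifest(manifest_xml: str) -> dict:
    """Return the red-flag and unexpected permissions an app requests."""
    root = ET.fromstring(manifest_xml)
    name_attr = f"{{{ANDROID_NS}}}name"
    requested = {el.get(name_attr) for el in root.iter("uses-permission")}
    # A genuine VPN app binds its tunnel service with BIND_VPN_SERVICE.
    has_vpn_service = any(
        svc.get(f"{{{ANDROID_NS}}}permission") == "android.permission.BIND_VPN_SERVICE"
        for svc in root.iter("service")
    )
    return {
        "declares_vpn_service": has_vpn_service,
        "red_flags": sorted(requested & RED_FLAGS),
        "unexpected": sorted(requested - EXPECTED_FOR_VPN - RED_FLAGS),
    }

# Constructed sample manifest of a suspicious "VPN" app (not a real app).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fakevpn">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <application>
    <service android:name=".TunnelService"
             android:permission="android.permission.BIND_VPN_SERVICE"/>
  </application>
</manifest>"""

if __name__ == "__main__":
    print(audit_manifest(SAMPLE_MANIFEST))
```

Any entry under red_flags is reason enough to walk away from the app, whatever its store rating says.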
