VPN bypass vulnerability affects Android Jelly Bean and KitKat, researchers say

The vulnerability could allow attackers to intercept traffic from Android devices despite an active VPN connection

A vulnerability in Android allows malicious applications to bypass an active VPN (virtual private network) connection and force traffic from the device through an attacker-controlled system where it can be intercepted, according to security researchers from Ben-Gurion University of the Negev in Israel.

Researchers from the university's Cyber Security Labs initially reported Jan. 17 that the vulnerability affects Android 4.3, known as Jelly Bean. However, upon further investigation they were also able to reproduce it on Android 4.4 KitKat, the latest major version of the mobile OS.

VPN technology is used to create an encrypted tunnel into a private network over the public Internet. Companies rely on VPN connections to allow employees to securely connect to corporate networks from remote locations, but it can also be used by others to protect communications from snooping when connected over insecure wireless networks since it allows accessing the Internet through the remote network's gateway.

A malicious app can exploit the newly identified Android vulnerability to bypass an active VPN connection and route all data communications from the device to a network address controlled by an attacker, the Ben-Gurion University researchers said Monday in a blog post. "These communications are captured in CLEAR TEXT (no encryption), leaving the information completely exposed. This redirection can take place while leaving the user completely oblivious, believing the data is encrypted and secure."

The malicious application doesn't require root privileges or VPN-specific permissions, they said Tuesday via email. Some permissions are needed, but nothing really special, they said. They declined to name the required permissions or to disclose any other technical details because it could expose the vulnerability and they are still waiting for Google to respond to their report.

The bypass works for the default VPN client included in Android and some third-party clients, but not all of them, they said, adding that they can't be more specific at the moment.

The vulnerability is related to a security issue the Ben-Gurion University researchers reported in December that they claim affects the security of Samsung KNOX, a security-hardened Android version designed to be used in enterprise environments. An app running in the nonsecure area of KNOX-based devices can exploit the issue to make network configuration changes that could allow attackers to intercept communications originating from the secure area, the researchers said at the time.

According to Samsung, the exploit uses legitimate Android network functions in an unintended way. The research does not demonstrate a vulnerability in Android or KNOX, but a classic man-in-the-middle (MitM) attack that occurs at any point on the network and can be mitigated by using VPN solutions or secure data transport protocols like SSL, the company said in a blog post Jan. 9.

Samsung's response prompted the researchers to investigate the issue further and led to the discovery of the VPN bypass.

"In the first finding we reported to Samsung the vulnerability details and an example exploit where an attacker can intercept, block, and alter data communications (non SSL/TLS and non VPN)," the researchers said in a blog post about the issue last Thursday. "We also stressed the point that other kind of attacks can take place via the same vulnerability. In our continued investigation of the vulnerability we found that an attacker can, in fact, do much more harm."

However, while the vulnerability can be used to bypass VPN connections, it cannot be used to inspect traffic that was already encrypted at the application layer.

For example, if an Android email app connects to an email server using SSL, its traffic will be encrypted regardless of whether it passes over a VPN connection or not. The same is true for connections to HTTPS-enabled websites or connections using other secure data transport protocols.

Unfortunately not all applications encrypt their traffic, so there's still a lot of sensitive information that can be captured by bypassing the VPN connection and performing a MitM attack.

Google did not immediately respond to a request for comment.

Join the CSO newsletter!

Error: Please check your email address.

Tags Googlesecuritymobile securityencryptionspywareExploits / vulnerabilitiesprivacyBen-Gurion University of the NegevsamsungAndroid OS

More about GoogleSamsung

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Lucian Constantin

Latest Videos

  • 150x50

    CSO Webinar: Will your data protection strategy be enough when disaster strikes?

    Speakers: - Paul O’Connor, Engagement leader - Performance Audit Group, Victorian Auditor-General’s Office (VAGO) - Nigel Phair, Managing Director, Centre for Internet Safety - Joshua Stenhouse, Technical Evangelist, Zerto - Anthony Caruana, CSO MC & Moderator

    Play Video

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

More videos

Blog Posts

Market Place