A free Chinese VPN service has been found guilty of exposing over 5.7 billion data entries. As per the investigation, Airplane Accelerates apps – whose Chinese version counts over 3,000 reviews on the App Store only – leaked a staggering number of users’ personal information, including user IDs, IP addresses, domain names, and timestamps. Being the free Chinese VPN app available for Windows, macOS, iOS, and Android, researchers believe that at least tens or perhaps even hundreds of thousands of users in China could have been affected.
The Leaked Data Can be Used to Track the Users of This Free Chinese VPN
“This leak is significant because the leaked data could be used to de-anonymize and track the users of this free Chinese VPN,” said Aras Nazarovas, the Cybernews researcher who led the investigation. “Analysis of the Android app also shows that it is capable of functioning as spyware, and has remote code execution capabilities.” Researchers found a worrying high volume of permission requests executing from the Android VPN app. These range from accessing camera and audio recording, to modifying contacts, external storage and even installing new software.
“While Antivirus apps do not detect this app as malicious, our analysis of it raises some significant red flags,” explained Nazarovas. Moreover, despite purporting to be a VPN service offered free of charge, the app in fact runs on the less secure HTTPS. “Depending on how they implemented it, it could be that the app would only encrypt web traffic, not traffic from the operating system (OS) or other apps,” explained Nazarovas.
The Amount of Permission Requests Made by the App Confirm Data Collection
“The amount of permissions the app requests suggests that some of the information it collects was stored in a different database than the one we found,” said Nazarovas, clarifying that the Chinese-language website that distributes the apps can be found at vp2n.cc while the domain name apnetworksapp.com hosts the app’s contact details and location. While the company website also features a privacy policy, it is not clear from the wording or context whether it applies specifically to the free Chinese VPN app or another service.
Read more: India’s Shipyaari Exposes Personal Data of its Customers
