June 23, 2017

Doctor Web specialists have found several potentially dangerous applications on Google Play that pose a threat mainly to Ukrainian users. These programs make it possible to avoid the block of the “VK” and “Odnoklassniki” websites, but do so in a dangerous way. They transmit via third-party servers unencrypted account logins and passwords and all the traffic resulting from surfing the social networks, which can lead to confidential data leaks.

During May 2017, in Ukraine, access to the services of several Russian companies was restricted by Presidential Decree. Among those companies were the social networks “VK” and “Odnoklassniki”. This has led to the growth in popularity of methods that allow people to bypass blocking measures—for example, the Tor browser, VPN services, and anonymizers. In addition, new programs offering similar functionality have started cropping up. However, by no means are all these latest programs safe.

Doctor Web specialists have found several applications on Google Play that allow people to work with the blocked “VK” and “Odnoklassniki” websites. To access these social networks, owners of Android devices are asked to input their login credentials; after that the programs log into the user’s account, bypassing blocking measures. Doctor Web security researchers have detected eight such programs, which are being distributed by these developers: JDX Studio, Soukaina Bousfiha, Zikolabs, Boubakri yassir, affzakanab, and simon faiz.

All these applications look exceedingly similar. They are installed on mobile devices as programs with the names «ВК В Украина», «ВК Украина», «ВК Украина 2», «ОК Украина», «Украина ОК», «ВК VPN Украина.», «ВК Украiна» and «ВК Украина VPN» and have similar shortcuts. At least 122,000 users have downloaded these applications, and each of them risks having their personal data leaked.

The problem is that to circumvent the blocking measures put in place by social media websites, this software redirects traffic through an online anonymizer. Anonymizers are special servers that process network requests and also hide information about a computer or a mobile device in order to bypass restrictions that prevent the visitation of blocked Internet resources. Such services are in demand, for example, among users of corporate networks where system administrators have restricted access to social network domains at the gateway level.

The unencrypted login credentials input by users are sent to an anonymizing server so there is nothing to prevent the server’s owners from using the information it receives for illegal purposes. For example, these server owners can log into a social network as a user and send messages without that user’s knowledge; they can add friends, join groups, read correspondence, go through photos, etc. The user doesn’t know that they have logged into the social network via a third-party domain because the applications don’t display an address bar. Any subsequent activity conducted on the “VK” and “Odnoklassniki” websites via this software is also unencrypted, which allows all actions performed in these social networks to be monitored.

Even assuming that an anonymizing server’s owners have taken such an irresponsible approach to protecting confidential data through sheer error or elementary ignorance of information security basics, there is no guarantee that cybercriminals won’t intercept the unencrypted network traffic.

As usage of the programs indicated could lead to a leak of personal information, Dr.Web Anti-virus detects them as the potentially dangerous applications Program.PWS.1. Doctor Web security researchers have informed Google that the aforementioned software could leave confidential data exposed; however, at the moment this news article was posted, the applications were still available for download.

To protect themselves, users of blocked online sources should avoid suspicious applications and services used to bypass access restrictions. There are safer solutions on the market that provide a sufficient level of safety. Among them are commercial and free VPN services (Virtual Network Provider or private virtual networks) and Proxy servers.

All known versions of Program.PWS.1 are successfully detected by Dr.Web for Android anti-virus products. Because these programs are potentially dangerous, Doctor Web recommends removing them and not using them until the developers make the necessary changes to the way they operate.

More about Program.PWS.1