Google warns billions of smartphone users of VPN threat.

Google is on something of a security advisory blitz at the moment, from warnings that users must restart their Chrome browser following confirmation of a bunch of high-severity vulnerabilities to another aimed at iPhone users after research suggested Android devices are safer. However, one of the most critical, in the light of the current political and technical climate, doesn’t concern hackers exploiting Android vulnerabilities or threat actors employing dangerous calendar invites in attacks, but rather the use of a VPN. Here’s what all smartphone users need to know and do.

These VPNs Deliver Dangerous Malware Payloads, Including Password-Stealers, Google Warns

As I recently reported, Laurie Richardson, Google’s vice president of trust and safety, has confirmed a number of security warnings for all smartphone users with the publication of its latest advisory.

To be honest, the timing really couldn’t have been better. And I’m not referring to the fact that the advisory included seasonal shopping scams to beware of, but rather to the uptick in the use of virtual private networks following the implementation of the Online Safety Act in the U.K., and state-based legislation in the U.S., which effectively makes accessing online pornography harder. Faced with stiff age-validation obstacles, many users have turned to a VPN to get them past the porn barriers, which is where the Google warning comes into play.

Threat actors are, Richardson warned, disseminating “malicious applications disguised as legitimate VPN services across a wide range of platforms to compromise user security and privacy.” While enterprise users are not exempt from such deception, consumer VPN brands and consumers themselves, especially those who like to consume porn, are likely an easier target. Especially since, as Google has pointed out, the threat actors will deploy social engineering campaigns that use “sexually suggestive advertising.”

Install a malicious VPN app, a fake VPN service, and far from protecting your privacy, you leave yourself open to a myriad of malware and privacy threats. Sure, they might actually work and get you that access, generally very slow access indeed as they will piggy-back off of legitimate free VPN platforms, to the porn you are after, but at the same time deliver password-stealing malware and remote access trojans. These serve to “exfiltrate sensitive data such as browsing history, private messages, financial credentials and cryptocurrency wallet information,” Richardson confirmed.

Here’s the thing, though, consumer VPNs are not some privacy and security silver bullet. To suggest otherwise is, frankly, disingenuous. VPNs will not make you entirely anonymous online, even when hiding your IP address, because browser fingerprinting and other factors will likely come into play for the average user. VPNs are not security tools, and while some offer phishing protection and the like, they cannot replace a dedicated multi-layered defensive security strategy. Most people, most of the time, do not need to use a VPN. There, I’ve said it, and no doubt the VPN public reaction people will be emailing me within minutes. Sure, they have a use for getting around geo-location barriers, and, by implication, country-specific age restrictions, but the average user gains nothing from using one in a cafe or airport, as they are really not at risk from mythical Wi-Fi hackers in the first place. There, I’ve said that as well.

If you really must use a VPN, then follow the Google security advisory recommendations to “only download VPN apps from official sources, and check for apps with the VPN badge in Google Play.” Free offers and the sideloading of untrusted apps should, of course, be avoided. As should any VPN that requests permission to access contacts or private messages.