Data Passing Through an Unencrypted VPN on Android 4.3 Is Vulnerable

Security researchers at the Cyber Security Labs of Ben Gurion University have found that data can be intercepted when a user running Android 4.3 uses a VPN connection without encryption.

As they describe it, the attack uses a malicious application that captures and redirects the information traveling through the VPN, acting as a man-in-the-middle.

This is obviously a security problem, but this is not a setup that many users use daily. In fact, when someone connects to any type of VPN, in the majority of cases the connection is encrypted via SSL/TLS. If the VPN connection is not encrypted, the captured data is fully exposed; if the connection is encrypted, the attacker obtains only the encrypted data.

In the words of the researchers:

“This vulnerability allows malicious applications to bypass the VPN configuration (no root permissions are required) and redirect private communication to a different network address.”

This finding builds on a bug already detected in the Samsung Knox application, which suffered from the same problem, allowing a malicious user to intercept outbound data communications.

According to ZDNet, both Samsung and Google have denied that this is a security problem in Android, although they have admitted that the researchers' attack used legitimate Android functions in a way that was not intended.