A fake Maastricht University VPN application for Android 14+ developed exclusively for educational purposes.

Irench1k/Android-VPN

Android Fake VPN - Data Exfiltration PoC

⚠️ DISCLAIMER: This project is for educational and research purposes only. ⚠️

This application was developed as part of a security project to demonstrate a practical attack that breaks the Confidentiality principle of the CIA triad (Confidentiality, Integrity, Availability). All components were tested in a controlled, isolated lab environment. Do not use this application or its concepts for any malicious or illegal activities. The author is not responsible for any misuse of this information.


📖 Project Overview

This repository contains the source code for a malicious Android application disguised as a VPN client. The goal of this project was to demonstrate a complete attack chain, from social engineering to data exfiltration, targeting an Android 14 user.

The attack successfully breaks Confidentiality by gaining unauthorized access to and stealing all files from the victim's device storage.

Example of the Attack

DNS spoofing: this is how maastrichtuniversity.com looked when we opened it for the first time.

[image]

Application: this is how the application looks on the device.

[image]

Result: as a result we could steal the victim's files, contacts, photos, and information about the device.

[image]

⛓️ The Attack Chain

The attack scenario simulates a user connecting to a compromised public Wi-Fi network.

  1. The Lure (Evil Twin AP): An attacker sets up a malicious Wi-Fi Access Point (AP) with an enticing name, such as MaastrichtUniversity-FreeWiFi. This is known as an "Evil Twin" attack.

  2. The Trap (DNS Spoofing & Phishing): When the victim connects to the evil AP and tries to navigate to a common website (e.g., maastrichtuniversity.com), a DNS spoofing attack redirects them to a fake, attacker-controlled webpage.

  3. Social Engineering: The fake webpage mimics a legitimate-looking portal but displays a fraudulent error message: "Cannot open the website. For your security, please download and use our official university VPN." This message includes a button to download the "VPN" application (.apk file).

  4. The Payload (Malicious Android App): The downloaded "VPN" is a trojan. It has a simple, convincing UI with a single "Connect" button.

  5. Execution & Exfiltration: Upon installation and granting necessary permissions (e.g., for file access), the victim opens the app and clicks "Connect". This action triggers the malicious payload in the background, which:

    • Recursively scans the entire user-accessible storage (/sdcard/).
    • Collects all files (documents, pictures, videos, etc.).
    • Exfiltrates the data by sending it to an attacker-controlled Command & Control (C2) server.
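
From the network side, step 5 leaves a recognisable shape in egress logs: a burst of HTTP POSTs from one client to one external host, or a single very large archive upload. The following detection heuristic is an added example (not part of this project); it runs over constructed proxy log lines in an assumed format of timestamp, client, method, URL, request bytes and content type.

```python
"""Egress-log heuristic for the bulk HTTP POST exfiltration in step 5."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed proxy/egress log lines (assumed format, not from the project):
# <ISO timestamp> <client ip> <method> <url> <request bytes> <content type>
SAMPLE_LOG = """\
2024-05-01T10:00:02Z 10.0.0.23 GET https://www.maastrichtuniversity.nl/ 0 -
2024-05-01T10:00:09Z 10.0.0.23 GET https://cdn.example.org/app.js 0 -
2024-05-01T10:03:11Z 10.0.0.23 POST http://203.0.113.5/upload 812345 image/jpeg
2024-05-01T10:03:12Z 10.0.0.23 POST http://203.0.113.5/upload 1204002 image/jpeg
2024-05-01T10:03:14Z 10.0.0.23 POST http://203.0.113.5/upload 91230 application/pdf
2024-05-01T10:03:15Z 10.0.0.23 POST http://203.0.113.5/upload 55123 text/vcard
2024-05-01T10:03:16Z 10.0.0.23 POST http://203.0.113.5/upload 2231000 video/mp4
2024-05-01T10:05:40Z 10.0.0.23 POST http://203.0.113.5/upload 48211000 application/zip
2024-05-01T10:06:00Z 10.0.0.41 POST https://mail.example.org/send 2048 application/json
"""


def parse(line):
    """Split one log line into (timestamp, client, method, host, bytes, content type)."""
    ts, src, method, url, size, ctype = line.split()
    host = url.split("/")[2]  # scheme://host/path -> host
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), src, method, host, int(size), ctype


def find_bulk_uploads(log, window=timedelta(minutes=5), min_posts=5, min_bytes=20_000_000):
    """Return {(client, host): reasons} for clients that POSTed at least min_posts
    requests to one host inside one window (file-by-file exfiltration) or sent a
    single zip archive of at least min_bytes (batched exfiltration)."""
    events = defaultdict(list)
    for line in log.splitlines():
        ts, src, method, host, size, ctype = parse(line)
        if method == "POST":
            events[(src, host)].append((ts, size, ctype))
    flagged = {}
    for key, posts in events.items():
        posts.sort()
        reasons = set()
        for i, (t0, _, _) in enumerate(posts):
            in_window = [p for p in posts[i:] if p[0] - t0 <= window]
            if len(in_window) >= min_posts:
                reasons.add("burst of file uploads")
        if any(size >= min_bytes and ctype == "application/zip" for _, size, ctype in posts):
            reasons.add("large archive upload")
        if reasons:
            flagged[key] = sorted(reasons)
    return flagged
```

Thresholds are deliberately loose so that both exfiltration variants described on this page trigger; tune them against a baseline of normal upload traffic before deploying.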

📱 The Android Fake VPN Application

This application is the core payload of the attack.

Key Features

  • Deceptive User Interface: A clean and simple UI designed to look like a legitimate, one-click VPN service. This lowers the victim's suspicion.
  • Permission Request: On first launch (or when needed on modern Android versions), the app requests the MANAGE_EXTERNAL_STORAGE permission. This is a powerful permission required to access all files, and the app justifies it under the pretense of "securing all device traffic."
  • Background Service Trigger: The "Connect" button is the trigger. It doesn't establish a VPN connection. Instead, it starts a background Service or WorkManager job to ensure the data exfiltration process continues even if the user closes the app.
  • Recursive File Enumeration: The background service systematically traverses all directories and subdirectories accessible to the application.
  • Data Exfiltration: Files are sent to a remote server via HTTP POST requests. To avoid detection and handle large files, they can be sent one by one or batched and compressed into a ZIP archive before uploading.
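
The feature list above gives a static fingerprint a reviewer can check before installing: an app that calls itself a VPN but declares no VpnService component (a real client must bind its service with BIND_VPN_SERVICE and answer the android.net.VpnService intent), while asking for MANAGE_EXTERNAL_STORAGE together with INTERNET. The following manifest triage is an added example, not code from this project; both manifests are constructed, and the package and service names are placeholders.

```python
"""Static manifest triage for a suspected fake VPN client."""
import xml.etree.ElementTree as ET

ANDROID = "http://schemas.android.com/apk/res/android"
NAME, PERM = f"{{{ANDROID}}}name", f"{{{ANDROID}}}permission"

# Constructed manifest modelled on the behaviour this README describes:
# all-files access plus INTERNET, but no VpnService component at all.
FAKE_VPN_MANIFEST = f"""<manifest xmlns:android="{ANDROID}" package="com.example.fakevpn">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.MANAGE_EXTERNAL_STORAGE"/>
  <application android:label="University VPN">
    <service android:name=".UploadService" android:exported="false"/>
  </application>
</manifest>"""

# Constructed manifest for a genuine client: the tunnel service is bound with
# BIND_VPN_SERVICE and answers the android.net.VpnService intent.
REAL_VPN_MANIFEST = f"""<manifest xmlns:android="{ANDROID}" package="com.example.realvpn">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="University VPN">
    <service android:name=".TunnelService"
             android:permission="android.permission.BIND_VPN_SERVICE">
      <intent-filter><action android:name="android.net.VpnService"/></intent-filter>
    </service>
  </application>
</manifest>"""


def triage(manifest_xml: str) -> dict:
    """Flag an app that wants all-files access and network access while declaring
    no VpnService: it cannot tunnel traffic, so the 'VPN' label is only a lure."""
    root = ET.fromstring(manifest_xml)
    perms = {p.get(NAME) for p in root.iter("uses-permission")}
    real_vpn = any(
        s.get(PERM) == "android.permission.BIND_VPN_SERVICE"
        and any(a.get(NAME) == "android.net.VpnService" for a in s.iter("action"))
        for s in root.iter("service"))
    all_files = "android.permission.MANAGE_EXTERNAL_STORAGE" in perms
    internet = "android.permission.INTERNET" in perms
    return {"all_files": all_files, "internet": internet, "real_vpn_service": real_vpn,
            "suspicious": all_files and internet and not real_vpn}
```

A legitimate VPN that also asks for all-files access is still flagged, so treat the result as triage input rather than a verdict; on a real APK the manifest is binary XML and must be decoded first (for example with apktool or aapt).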

🔬 Lab Setup & Reproduction

To reproduce this demonstration in a secure and isolated lab environment:

  1. C2 Server:
    • Set up a simple web server (e.g., using Python Flask or a PHP script) that can accept POST requests with file data and save them to a directory.
  2. Android Application:
    • Clone this repository.
    • Open the project in Android Studio.
    • Navigate to the network configuration file/class and change the placeholder C2 server URL to your server's IP address.
    • Build the unsigned APK (Build > Build Bundle(s) / APK(s) > Build APK(s)).
  3. Phishing & Network Attack:
    • Set up a computer with a wireless adapter that supports AP mode.
    • Use tools like hostapd (to create the AP), dnsmasq (for DHCP and DNS spoofing), and a web server to host the phishing page.
    • Configure dnsmasq to resolve maastrichtuniversity.com (or your chosen domain) to the IP of your phishing web server.
  4. Execution:
    • Connect a test Android device to your malicious AP.
    • Navigate to the target domain in the browser.
    • Download and install the malicious APK.
    • Launch the app, grant permissions, and click "Connect".
    • Monitor the C2 server's directory to see the exfiltrated files arrive.

License

This project is licensed under the MIT License. See the LICENSE file for details.
