In PrivateVPN’s case, not only was the fake update downloaded, it was also installed without prompting the user in any way.
Betternet fared slightly better by asking the user's permission before installing, but a permission prompt is no defence here: the user has no way of telling that the update isn't genuine and would almost certainly grant it.
Of the other 18 VPN services tested, the researchers found that Torguard and CyberGhost's update connections could be intercepted, and both clients remained connected to their respective VPN servers while this was happening. Neither downloaded the fake update, however.
Hotspot Shield (owned by the same company as Betternet) and Hide.me also allowed the interception, but dropped their connections to the VPN server when it happened.
Update: To be clear, the investigation only checked whether each Windows VPN client could be tricked into downloading a fake update; in no case was the actual VPN connection between the user and the VPN server intercepted. And because Hotspot Shield, Hide.me, CyberGhost and Torguard did not download the fake update, the researchers did not class them as vulnerable, even though the connection their update check uses could be intercepted.
NordVPN, ExpressVPN, Surfshark, PureVPN, Ivacy, Tunnel Bear, IPVanish, VyprVPN - all services we recommend in our roundup of the best VPN services - and the others tested didn’t allow their connections to be intercepted, and weren’t vulnerable to this kind of attack.
It's worth noting that both PrivateVPN and Betternet were notified and have since updated their apps to address the flaws, but it's still worrying that they existed in the first place.
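The underlying problem is an updater that trusts whatever the network hands back. The example below is added here to show that pattern next to the one a properly built updater uses; it is not code from PrivateVPN, Betternet or the researchers, and says nothing about how those vendors fixed their apps. To keep it runnable with only the Python standard library it uses a Lamport one-time signature as a stand-in for the Ed25519 or RSA signatures real update systems use; the manifests, payloads and the vendor and attacker key pairs are all constructed in the script.

```python
"""Unauthenticated update channel versus a signature-checking client.
Added illustration; not the code of any VPN vendor named in the article."""
import hashlib
import json
import secrets

# --- Toy signature scheme --------------------------------------------------
# Lamport one-time signatures: a genuine asymmetric scheme built from SHA-256
# only, used so the example runs without third-party libraries. Production
# updaters use Ed25519 or RSA; the client-side logic below is unchanged.
def lamport_keygen():
    sk = [[secrets.token_bytes(32), secrets.token_bytes(32)] for _ in range(256)]
    pk = [[hashlib.sha256(a).digest(), hashlib.sha256(b).digest()] for a, b in sk]
    return sk, pk

def _bits(msg):
    d = int.from_bytes(hashlib.sha256(msg).digest(), "big")
    return [(d >> (255 - i)) & 1 for i in range(256)]

def lamport_sign(sk, msg):
    # Reveal one of the two secrets per message-hash bit.
    return [sk[i][b] for i, b in enumerate(_bits(msg))]

def lamport_verify(pk, msg, sig):
    if len(sig) != 256:
        return False
    return all(hashlib.sha256(s).digest() == pk[i][b]
               for i, (s, b) in enumerate(zip(sig, _bits(msg))))

# --- Update manifest handling ---------------------------------------------
def canonical(manifest):
    # Deterministic encoding so signer and verifier hash identical bytes.
    return json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()

def version_tuple(v):
    return tuple(int(x) for x in v.split("."))

def naive_update(installed_version, manifest, payload):
    """The losing pattern: anything the network returns is installed as long
    as its version number is newer. An on-path attacker controls both."""
    if version_tuple(manifest["version"]) > version_tuple(installed_version):
        return "installed"          # payload is run with no authenticity check
    return "up-to-date"

def verified_update(installed_version, pinned_pk, manifest, signature, payload):
    """Hardened pattern: the manifest must carry a valid signature from a key
    pinned inside the client, the payload must match the hash in that signed
    manifest, and the version must be strictly newer (no rollback)."""
    if not lamport_verify(pinned_pk, canonical(manifest), signature):
        return "rejected: bad signature"
    if hashlib.sha256(payload).hexdigest() != manifest["sha256"]:
        return "rejected: payload hash mismatch"
    if version_tuple(manifest["version"]) <= version_tuple(installed_version):
        return "rejected: not newer than installed"
    return "installed"

# --- Constructed scenario --------------------------------------------------
INSTALLED = "2.0.0"
VENDOR_SK, VENDOR_PK = lamport_keygen()   # VENDOR_PK ships pinned in the client

genuine_payload = b"constructed stand-in for the real 2.1.0 installer"
genuine_manifest = {"version": "2.1.0",
                    "sha256": hashlib.sha256(genuine_payload).hexdigest()}
genuine_sig = lamport_sign(VENDOR_SK, canonical(genuine_manifest))

# Attacker on the same Wi-Fi intercepts the update check and substitutes a
# manifest and payload of their own. They can compute a matching hash, but
# cannot produce a signature that verifies under VENDOR_PK.
evil_payload = b"constructed stand-in for a trojanised installer"
evil_manifest = {"version": "9.9.9",
                 "sha256": hashlib.sha256(evil_payload).hexdigest()}
evil_sig = lamport_sign(lamport_keygen()[0], canonical(evil_manifest))  # attacker's key

def run_scenario():
    return {
        "naive/genuine": naive_update(INSTALLED, genuine_manifest, genuine_payload),
        "naive/attacker": naive_update(INSTALLED, evil_manifest, evil_payload),
        "verified/genuine": verified_update(INSTALLED, VENDOR_PK, genuine_manifest,
                                            genuine_sig, genuine_payload),
        "verified/attacker": verified_update(INSTALLED, VENDOR_PK, evil_manifest,
                                             evil_sig, evil_payload),
        # Replaying the genuine signed manifest with a swapped payload also fails.
        "verified/swapped-payload": verified_update(INSTALLED, VENDOR_PK, genuine_manifest,
                                                    genuine_sig, evil_payload),
    }

if __name__ == "__main__":
    for name, outcome in run_scenario().items():
        print(f"{name:26} -> {outcome}")
```

The naive client installs the attacker's payload because its only test is "is the version number higher?", which the attacker sets. The hardened client rejects it at the signature check, rejects a genuine manifest paired with a swapped payload at the hash check, and refuses a downgrade to an older signed build; none of those checks depend on which network the download happened on.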
If you're wondering how to avoid being hacked this way, there isn't much you can do from inside the VPN app itself: the checking has to be done by the app's own updater. An attack like this needs someone who can intercept your traffic, which in practice means an untrusted network such as open public Wi-Fi, exactly when you're most likely to be using a VPN (if you follow our advice).
However, this is another reason to install trusted antivirus software on your device such as Norton 360 Deluxe, Bitdefender Total Security or ESET Internet Security, which may detect and block malware hiding in a fake update if the app lets one through.
If you're using one of these VPN apps, install the latest version while on a network you trust, such as your own password-protected home Wi-Fi, where an attacker is far less likely to be sitting between you and the download, and get it from the vendor's own website rather than from a prompt or link that appears while you're on a public network.
And if you are very security conscious, consider using a VPN service without an app, such as Hidden24. This will remove some features, such as a kill switch, but it will prevent any security flaws in an app from putting you at risk.