Samsung's response prompted the researchers to investigate the issue further and led to the discovery of the VPN bypass.
"In the first finding we reported to Samsung the vulnerability details and an example exploit where an attacker can intercept, block, and alter data communications (non-SSL/TLS and non-VPN)," the researchers said in a blog post about the issue last Thursday. "We also stressed the point that other kinds of attacks can take place via the same vulnerability. In our continued investigation of the vulnerability we found that an attacker can, in fact, do much more harm."
However, while the vulnerability can be used to bypass VPN connections, it cannot be used to inspect traffic that was already encrypted at the application layer.
For example, if an Android email app connects to an email server using SSL, its traffic will be encrypted regardless of whether it passes over a VPN connection or not. The same is true for connections to HTTPS-enabled websites or connections using other secure data transport protocols.
Unfortunately, not all applications encrypt their traffic, so there's still a lot of sensitive information that can be captured by bypassing the VPN connection and performing a man-in-the-middle (MitM) attack.
Google did not immediately respond to a request for comment.