That is not what the SDK was doing. The actual code in the SDK protects against this (simplified to take less space):
if (addr.isSiteLocalAddress() || addr.isLoopbackAddress()) {
LogUtils.e("PopaTunnelAsyncThread", "Hacking? The Host Resolved Ip is " + addr + " on tunnel id:" + tunnelId);
throw new IllegalArgumentException("Hacking? The tunnel host resolved ip is internal");
}
Local and loopback addresses like 10.0.0.0, 172.16.0.0, 192.168.0.0, and 127.0.0.0 do not work. It will not connect to people's private file servers on their network.Also users might become part (victim?) of a police investigation because of illegal actions that seem to originate from their local residential connection.
So still good to take down such backdoors. Would be nice to go after the botnet operators as well...