科技回声

Swing VPN app is a DDoS botnet

723 points, by campuscodi, almost 2 years ago

32 comments

pfooti, almost 2 years ago

So is Hola VPN: https://www.theregister.com/2015/06/10/hola_gets_holes_poked_in_client_lulzsec/

At this point one must assume that any "free" VPN software is free because it uses its install base for DDoS / other traffic abuse.
jsnell, almost 2 years ago

Great writeup!

> I have to give props for Swing VPN teams creativity to bypass security measure of Apple appstore and Google PlayStore but it is sad that Apple/Google security systems does not have some automated ways to detect these types of actions.

It's a tricky problem. The amount of attack traffic from an infected device is negligible and very little of it is visible to the operating system due to TLS. It's also presumably intermittent (there's no point in keeping an attack ongoing forever; you stop when the site has found a way to defend itself), so just running the app for a while as part of validating an update might not show any suspicious behavior. The suspicious part is in the configurations downloaded from the CnC servers, not packaged with the app, so static analysis won't help.

The only reliable option for catching these proactively that I can think of would be to use some kind of aggregate telemetry from all the app installations combined, but that'd be incredibly scary both in terms of privacy and the blast radius when something goes wrong.

> Currently in the beginning of June 2023 it has over 5 million install base on android

That's not really a reliable number. It's more like "the number of distinct users who had this app installed at some point". AFAIK it doesn't get decremented when somebody uninstalls the app, and doesn't go up when somebody installs it for a second time on a new device. Those factors might cancel out, might not.
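The aggregate-telemetry idea in the comment above, worked through as an added example (this is not code from the article, the app, or anyone in this thread). It assumes telemetry records carry an anonymised per-install id and the destination hostname (visible as DNS/SNI even when payloads are TLS-encrypted); the `EXPECTED_HOSTS` allowlist, the `.test` hostnames, the device count and the timestamps are all constructed for the demo. It shows the contrast the comment describes: each tasked device makes only two requests in the whole hour, which no per-device check would flag, while the fleet-wide view sees 120 distinct devices hit the same host inside the same minute.

```python
"""Aggregate-telemetry detection of coordinated outbound traffic.

Added illustration of the point made in the comment: one infected device
sends a negligible, intermittent trickle of requests, so per-device
analysis (a sandbox run, a single phone's network log) sees nothing
unusual. Only when telemetry from the whole install base is combined does
a burst of many devices contacting the same host inside the same minute
stand out. All hostnames, device ids and timestamps are constructed.
"""
import random
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set


@dataclass(frozen=True)
class Flow:
    device_id: str   # anonymised per-install id (assumed to be what telemetry carries)
    ts: int          # seconds since epoch
    dest_host: str   # DNS name / TLS SNI, visible even when payloads are encrypted


# Hosts the app legitimately talks to (assumption: declared by the developer
# or learned from a clean build). Anything else counts as "unexpected".
EXPECTED_HOSTS = {"api.example-vpn.test", "config.example-vpn.test"}

T0 = 1_700_000_040  # constructed start of the observation hour (a multiple of 60)


def constructed_telemetry(n_devices: int = 200, seed: int = 7) -> List[Flow]:
    """Build a fake hour of telemetry: normal traffic from every device, plus a
    coordinated task on 60% of them (two single requests, 20 minutes apart)."""
    rng = random.Random(seed)
    flows: List[Flow] = []
    for i in range(n_devices):
        dev = f"dev-{i:04d}"
        flows.append(Flow(dev, T0 + rng.randrange(3600), "config.example-vpn.test"))
        for _ in range(rng.randrange(0, 4)):   # a few user-driven browsing flows
            flows.append(Flow(dev, T0 + rng.randrange(3600),
                              f"site-{rng.randrange(40)}.example.test"))
        if i % 10 < 6:   # tasked devices: one request per burst, nothing in between
            flows.append(Flow(dev, T0 + 600 + rng.randrange(60), "victim.example.test"))
            flows.append(Flow(dev, T0 + 1800 + rng.randrange(60), "victim.example.test"))
    return flows


def max_requests_per_device(flows: Iterable[Flow], window: int = 3600) -> int:
    """Per-device view: the most requests any single device made to unexpected
    hosts within one window. This is all a sandbox or on-device monitor sees."""
    counts: Dict[tuple, int] = defaultdict(int)
    for f in flows:
        if f.dest_host not in EXPECTED_HOSTS:
            counts[(f.device_id, f.ts // window)] += 1
    return max(counts.values(), default=0)


def coordinated_hosts(flows: Iterable[Flow], window: int = 60,
                      min_devices: int = 50) -> Dict[str, Dict[int, int]]:
    """Fleet view: unexpected hosts that at least `min_devices` distinct devices
    contacted inside one `window`-second bucket. Returns
    {host: {bucket_start_ts: distinct_device_count}} for the buckets that trip."""
    devices: Dict[tuple, Set[str]] = defaultdict(set)
    for f in flows:
        if f.dest_host not in EXPECTED_HOSTS:
            devices[(f.dest_host, f.ts // window)].add(f.device_id)
    flagged: Dict[str, Dict[int, int]] = defaultdict(dict)
    for (host, bucket), devs in devices.items():
        if len(devs) >= min_devices:
            flagged[host][bucket * window] = len(devs)
    return dict(flagged)


if __name__ == "__main__":
    flows = constructed_telemetry()
    print("max requests/device/hour to unexpected hosts:", max_requests_per_device(flows))
    for host, buckets in coordinated_hosts(flows).items():
        for start, n in sorted(buckets.items()):
            print(f"{host}: {n} distinct devices in the 60 s from t={start - T0:+d}s")
```

Counting distinct devices per (host, minute) rather than raw requests is deliberate: a single chatty device cannot trip the threshold on its own, which is the whole reason per-device analysis fails here and why the privacy cost the comment worries about is unavoidable for this kind of signal.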
gurchik, almost 2 years ago

> After app startup, language selection and acceptance of privacy policy the app starts to figure out ‘real IP address’ by doing a request to both google and bing with query “what+is+my+ip”. My guess is that the app just parses the returned HTML and figures IP from those responses.

Aren't there free APIs to get your IP address, like ifconfig.me? This sounds like more work but probably doesn't have any chance of running into rate limits.
throwaway8_56, almost 2 years ago

> we probably can assume that this app is trying to attack some government sites of Turkmenistan. It is hard for me to imagine why would anybody do that

I find it very odd that they would target those websites. What would be the gain of taking down those websites _for anyone_? I doubt that the reason is political.

P.S. Turkmenistan is probably the worst country when it comes to free internet. Almost all IP addresses are blocked, with very few websites (mostly Google-owned) being reachable. The entire population is desperate for a VPN (preferably free). They are not educated about malware, or anything about security, so they will download anything that promises free internet.
paulryanrogers, almost 2 years ago

When I worked in price crawling there were rumors some proxy vendors leveraged extensions and VPNs (supposedly with fine-print consent) on residential computers to work around crawl blockers. My guess is that prompted the Chrome Web Store to narrow the functionality of an extension to only one purpose.

These DDoS tools appear to take things to the next level, and in an undeniably blackhat direction.
mormegil, almost 2 years ago

A big reason for obligatory codesigning and developer accounts for mobile apps has been that we would know _who_ is doing malicious things, right? So... are there lawsuits already? Will someone go to jail? Or at the very least, has the developer been booted from Google Play? (No, not as of now; I reported the app, but I doubt that is a usable venue for cases like this.)
mike_hock, almost 2 years ago

> doing a request to both google and bing with query “what+is+my+ip”. My guess is that the app just parses the returned HTML and figures IP from those responses.

lol
ctippett, almost 2 years ago

Excellent sleuthing! I sometimes use Proxyman to sniff the traffic that my phone or computer is using – it's fascinating seeing what and how different apps communicate with their backend servers. I haven't come across anything quite so nefarious, but it's interesting all the same.
simondotau, almost 2 years ago

This activity was identified on Android. It doesn't occur on iOS, because on that platform, VPNs are made resident by the operating system exclusively. Providers' apps are just a VPN configuration tool.
thrdbndndn, almost 2 years ago

I'm not sure if it's appropriate to give unsolicited suggestions on the writing, but I believe the author could improve the conciseness. It reads a bit verbose in places where certain information is repeated multiple times, such as the mention that configurations were retrieved from GitHub and Google Drive sites.
radicaldreamer, almost 2 years ago

VPNs in general tend to be super shady.

Many vendors surreptitiously use user nodes as exit nodes and route traffic in suspect ways.

The VPN software stack is surely a major target for state and non-state actors to monitor and exploit.
dishsoap, almost 2 years ago

Hilarious conclusion from the author. It's almost certainly not the case that the owners of this service are using it to 'DDoS' targets; rather, it's much more likely they are using your device to host a proxy server and then selling access to some 'residential proxy reseller'.

On the other side of that, some random Joe has probably purchased access to a set of these 'residential proxies' and is using them to scrape flight data from the airline site the article author noticed, with some of those requests being sent over the author's connection.

Many 'free vpn' and 'free proxy' apps engage in this behavior: you may proxy your requests via their connection, but they also proxy their requests via yours, generally reselling that access to someone who finds your IP address to be of value to them due to the fact that it's not a datacenter address.

It's certainly questionable to straight up unethical either way, especially so if the service doesn't disclose to you that they're doing that, but on the other hand I find the author's DDoS conclusion to be so contrived and out of touch with reality that I had to write this comment.
intunderflow, almost 2 years ago

Unfortunately Google makes it extremely hard to report this sort of abuse to them, offering no free-form input to tell them what the issue with the application is.
OJFord, almost 2 years ago

Yeah, this and countless others that nobody's ever heard of except through a YouTube advert making questionable claims with a questionable definition of 'VPN'.

(To answer the inevitable: Mullvad and Proton are the legitimate offerings that spring to mind.)
sim7c00, almost 2 years ago

for ppl wanting a vpn which does not do this: at the monthly rate things like Nord charge, u can rent a server, install OpenVPN and be free of this stuff. of course, the server is yours and traceable to you, but still it has all the other benefits which i think normal vpn users crave (visit plaintext sites over insecure wifi but no eavesdroppers on the line etc.). it's fairly easy to set up and definitely you won't be part of a traffic redirection network, for whatever purposes the redirection is. maybe u can connect ur friends too and be a good samaritan :)
joshstrange, almost 2 years ago

> new: Some people wrote me saying that the DDOS is not happening on ios devices. Just did a quick check and you guys are right. iOS app is using different way to do VPN and also does not do anything suspicious. I should apologize to you and to Appstore team for my lazy extrapolation without actually checking it. Unfortunately I don’t have much time to fix the article right now, so please just ignore anything ios related below this line.

FTA:

> I have to give props for Swing VPN teams creativity to bypass security measure of Apple appstore and Google PlayStore but it is sad that Apple/Google security systems does not have some automated ways to detect these types of actions.

You couldn't rewrite it to just be:

I have to give props for Swing VPN teams creativity to bypass security measures of the Google PlayStore but it is sad that Google security systems does not have some automated ways to detect these types of actions. (Note: A previous version mentioned the Apple App Store, but the iOS version does not appear to participate in these DDOS attacks.)

The explanation about not fixing the article is longer than the entire paragraph that only needed 22 characters removed (and potentially a sentence added). I don't get it.
AHOHA, almost 2 years ago

All free VPNs == malware

All paid VPNs == honeypots
archon810, almost 2 years ago

The app in question is still on the Play Store. I just installed and quickly uninstalled it so I could leave it a 1-star review.

https://play.google.com/store/apps/details?id=com.switchvpn.app
account-5, almost 2 years ago

I love this sort of thing. I'd love to get into this sort of research. No idea where to start to either acquire the skills or, once acquired, target the right systems/apps. I can still dream though.

Any pointers on where you'd start would be appreciated though.
leokennis, almost 2 years ago

Most markets have several products/services worthy of attention. But in the “consumer VPN” space I think https://mullvad.net/ is the only non-shady, clear-principles player there is? Even established names like Proton seem to partially swindle you with buzzwords like servers inside Swiss mountains. None of that with Mullvad: clear about what they do, what they don’t do, and how they do what they do.
abalashov, almost 2 years ago

I hadn't really thought about it before, but it makes sense, upon reflection, that the temptation to appropriate mostly idle consumer computing resources for something is too great to ignore.
ghoshbishakh, almost 2 years ago

Installing a client always opens up these risks. That is why I am building a clientless tunneling service (well, technically you bring your own client), https://pinggy.io, which is similar to ngrok but you can connect using your own SSH client such as OpenSSH.
sim7c00, almost 2 years ago

nice findings. firstly, thanks for looking into it and sharing. i wonder how they have a 3 million install base. do you think there are some (unwitting) influencers, streamers etc. paid to promote this? 3 million is plenty, especially since there are a lot of heavily promoted vpns out there bidding for installs.
zidoo, almost 2 years ago

free vpn == click hijacking on affiliate networks. but botnets will work too.
layala6497, almost 2 years ago

Not only one website, but multiple websites to abuse and DDoS them.
womitt, almost 2 years ago

Maybe not DDoS, just pushing up view counts for money.
fomine3, almost 2 years ago

Isn't it scraping rather than DDoSing?
klysm, almost 2 years ago

No free lunch
badcarbine, almost 2 years ago

Written by AI
homero, almost 2 years ago

All free VPNs are malware
esafak, almost 2 years ago

Don't leave us hanging! Whodunit?
jongjong, almost 2 years ago

DoS should be legalized IMO... If a company cannot mitigate a DoS or DDoS attack and stay profitable, it's their own fault. Their fault for not designing their software properly and their fault for accumulating too many enemies. Probably it would bring down the whole DNS system, but it's about time we replaced it with something better and more decentralized anyway.

DDoS is just freedom of speech. Just some people have louder voices than others, which is not a foreign concept to the rest of us. So long as the VPN (or whatever) operator mentions it in their terms of service (e.g. if they rely on user resources), it's fine IMO.

There needs to be an incentive for companies to implement good quality software and to not be evil (not to make enemies), and legalizing DDoS might help create such an incentive.