A researcher claims that Swing VPN, an app downloaded 5 million times via the Google Play store alone, is a DDoS botnet that uses people’s devices to launch debilitating attacks on websites and online services.
DDoS (distributed denial of service) is an attack involving generating and directing a large number of garbage requests toward the target, overwhelming the server by overflowing its capacity and rendering it unable to serve legitimate users or visitors.
Typically, DDoS attacks launched by botnets are financially motivated, as the operators of these tools rent their firepower to interested buyers motivated to disrupt services and create outages on specific entities.
Uncovering a DDoS App
The anonymous researcher says he discovered that Swing VPN operates as a DDoS botnet after he examined a friend’s phone and found that it was inexplicably sending requests to an external address (turkmenistanairlines.tm) every few seconds.
Next, he used traffic capture tools to examine the requests and found that they continued every 10 seconds even after the user closed the app. With roughly 5 million installs each sending one request every 10 seconds, this gives the botnet an estimated firepower of about 500,000 RPS (requests per second). This is enough to bring down most targets, including the regional airline site that was being attacked at the time of the investigation.
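The observation above, a single host being contacted at a fixed interval regardless of whether the app is open, is the kind of pattern a defender can flag from a device's own traffic capture. The following is an added example, not code from the article or from the researcher: it parses a constructed flow log (timestamp, device, destination host), flags request series whose inter-request gaps are nearly constant (a timer-driven beacon), and reproduces the article's aggregate rate estimate from install count and polling interval. The log format and the hosts other than turkmenistanairlines.tm are invented for the example.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample of a device-side flow log: "epoch_seconds device_id destination_host".
# Invented for this example; it is not the researcher's capture. phone-A polls one host
# every ~10 s while mixing in ordinary app traffic; phone-B shows only bursty traffic.
SAMPLE_LOG = """\
1000.0 phone-A turkmenistanairlines.tm
1003.2 phone-A cdn.example-updates.net
1010.1 phone-A turkmenistanairlines.tm
1020.0 phone-A turkmenistanairlines.tm
1029.9 phone-A turkmenistanairlines.tm
1031.5 phone-A api.example-weather.com
1040.2 phone-A turkmenistanairlines.tm
1050.0 phone-A turkmenistanairlines.tm
1060.1 phone-A turkmenistanairlines.tm
1005.0 phone-B cdn.example-updates.net
1047.0 phone-B cdn.example-updates.net
1090.0 phone-B api.example-weather.com
"""


def parse_flow_log(text):
    """Group timestamps by (device, host); malformed lines are skipped, not fatal."""
    series = defaultdict(list)
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        ts, device, host = parts
        series[(device, host)].append(float(ts))
    for key in series:
        series[key].sort()
    return series


def find_beacons(series, min_requests=5, max_cv=0.1):
    """Return (device, host, mean_interval_s) for series with near-constant gaps.

    A coefficient of variation (stdev / mean) at or below max_cv indicates a
    fixed timer. Ordinary user-driven traffic is bursty and falls outside it;
    a short series is ignored so two coincidental requests do not trigger.
    """
    hits = []
    for (device, host), times in series.items():
        if len(times) < min_requests:
            continue
        gaps = [b - a for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_cv:
            hits.append((device, host, round(avg, 1)))
    return hits


def estimate_aggregate_rps(install_count, interval_seconds):
    """Upper bound on request rate if every install polls at a fixed interval."""
    return install_count / interval_seconds


if __name__ == "__main__":
    for device, host, interval in find_beacons(parse_flow_log(SAMPLE_LOG)):
        print(f"{device}: periodic requests to {host} every {interval} s")
    # The article's figure: 5 million installs, one request per 10 s each.
    print("aggregate RPS:", estimate_aggregate_rps(5_000_000, 10))
```

The threshold values are starting points, not tuned signatures; on a real capture you would also whitelist the device's expected polling (push services, update checks) before treating a regular beacon as suspicious, and the installs-based estimate is an upper bound since not every install is online at once.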
While running a Swing VPN installation in an Android sandbox on his computer, the analyst found that the VPN tool does not wait for the user to accept the privacy policy and moves straight to downloading its DDoS configurations from private GitHub repositories. At the same time, it uploads the user’s IP address and basic hardware data to the publisher’s Google Drive endpoint. All of this happens while the user is still reading the privacy policy, before anything has been accepted.
The analyst decompiled the Swing VPN APK version 1.8.4 (the latest at the time) and managed to decrypt a Python script containing hardcoded information about the resources the app is instructed to use, such as GitHub URLs, Google Drive locations, and the addresses of several hosts. The script also contained hardcoded credentials for accessing these private repositories.
Swing VPN’s DDoS module uses some of these resources as C2 (command and control) infrastructure, the analyst claims: they serve the configuration that determines the current targets. When the researcher retrieved the configuration file, it listed Turkmenistan government domains, so the app is presumed to have been attacking state websites.
While none of the above constitutes proof that Swing VPN is involved in any malicious or illegal activity, the researcher’s findings are worrying, to say the least, and what is presented is very suspicious for a VPN app.
Users of Swing VPN have rated the app 4.4 out of 5.0 on Google Play. Those users might experience a slight performance drop or device overheating from generating DDoS requests; however, this is unlikely to be noticed on modern, powerful smartphones, especially at the rate of one request every 10 seconds.
RestorePrivacy has contacted Swing VPN asking for comment on the allegations made by the anonymous researcher, but we had not received a response as of publication.
Hunter
“Users of Swing VPN have rated the app with 4.4 out of 5.0 on Google Play.”
If anyone hasn’t figured this out (yet), high star ratings on both Google Play and the Apple Store are essentially meaningless.
Don’t be fooled by the high star ratings on Google Play and the Apple Store. They don’t reflect the real quality of the apps.
I’m noticing a trend (you can spot it too if you look at the usernames and avatars). These people just randomly give 5 stars and say nice things about the apps (even if they suck) especially the ones that are not very popular. Maybe they think they are doing a good deed or something? Anyway, I think it’s part of the current “deep fake revolution”.
Observer
Yeah, I hear you on the ratings game. I think we are already witnessing the first signs of an internal AI battle. One AI is created to spot fake reviews and another is created to circumvent the AI rules to get more posts recorded.
Slightly off-topic but it will be interesting to see what happens when AI battles itself.
milo
People are at different levels of education or needs; not all are the same. Some might like what you don’t.
Not all software will be perfect; as humans, none of us is perfect, but at least they try to serve the people’s commodities by making the apps to begin with. What I don’t like is how the internet was made for the purpose to snoop on people, and I believe Google and the feds are in bed together. Know that is against the freedom of speech amendment. The VPN app could be used in such a way to keep some people’s corporations’ hands clean or to get info without getting dirty. Labels are labels and change sometimes due to the laws above them as one or another corporation tries to keep clean.
Anon
Don’t forget “entertainment” as it was designed as propaganda for companies to sell and make people consumers over producers.