Popular VPN provider Swing VPN is leveraging its massive Android user base to create a botnet and launch distributed denial-of-service (DDoS) attacks, according to a cybersecurity researcher.
The anonymous researcher, identified as “lecromee,” made this startling revelation on June 4. In a lengthy blog post, he demonstrated how the Swing VPN Android app is used to launch DDoS attacks against several websites. The targeted sites include the official Turkmenistan Airlines website as well as Science.gov, a website that provides access to U.S. government scientific papers and research.
Swing VPN commandeers devices to create a sophisticated botnet without users’ knowledge or consent, lecromee explained. The app does this even when users choose not to accept its privacy policy.
“The act of opening the app is enough for its DDOS actions,” lecromee said.
The Swing VPN Android app, developed by Limestone Software Solutions, had over five million downloads on Google’s Play Store when lecromee’s report was published. At the time of writing, the app appears to have been removed from the Play Store.
A Botnet in Disguise
Lecromee said he started looking into Swing VPN after a friend said she noticed her device sending repeated requests to the Turkmenistan Airlines website, although she had never visited the site.
Further analysis revealed that these requests were aimed at resource-heavy tasks, putting a significant strain on the targeted servers. According to lecromee, “it is clear that the goal is to stress [the] server out of resources so that normal users won’t be able to access it when needed.”
With Swing VPN boasting millions of users, such DDoS attacks would have a dramatic impact.
Lecromee’s technical analysis of Swing VPN’s operations showed that the app uses custom native libraries to cloak its functions and complicate detection. The app’s configurations are also spread across personal servers, a few GitHub repositories and Google Drive accounts, suggesting a calculated attempt to hide its malicious activities.
In an email to VPNOverview, lecromee said it was challenging to look behind the curtain and investigate the strange requests from the Swing VPN app. “Everything was obfuscated and encrypted and [the] app creators did everything they knew to make reverse engineering hard,” he said.
Malicious Apps on Google Play Store
Despite Google’s efforts to prevent malicious apps from getting on the Play Store, such apps still seem to find a way through. In April, Google revealed that it blocked 1.43 million dangerous apps from getting published on the Play Store in 2022. But that has done little to stem the tide.
Lecromee called on Google to take action against the people behind the Swing VPN app and send a warning message to users.
“Currently the app is being used to harm other businesses but it could easily be turned into an app that harms actual users with one update. So I hope Google does something about it,” he said.
If you have Swing VPN installed on your device, we recommend uninstalling it immediately. Read our Android malware removal guide to learn how to scrub malicious apps from your device and protect your system from such threats.
It’s essential to research any app you wish to install before getting it. For trustworthy alternatives to Swing VPN, check out our list of the best free VPNs for Android.
