How using free VPNs could land you in a botnet

The masterminds behind the colossal botnet encompassing 19 million IP addresses used free VPN services as bait to lure unsuspecting users.

Hidden dangers of free VPN services

Regarding VPNs, a popular refrain these days goes something like: “Why bother paying for a VPN when there are tons of free ones out there?” But are free VPN services truly free? This post explains why thinking they are is misguided, and offers the optimal solution to protect your devices from malicious apps.

First there was: “There’s no such thing as a free lunch” — dating back to the 1930s. In this century, that old adage was updated and adapted for the digital age: “If you’re not paying for the product, you are the product”. Today this new axiom applies to many internet services — but especially to VPNs. After all, maintaining a network of servers across the globe, and handling encrypted traffic for thousands, if not millions of users comes at a significant cost. And if the user isn’t explicitly asked to pay for such services, there’s bound to be a catch somewhere. And that “somewhere” was recently vividly demonstrated by a couple of major incidents…

Freebie VPN and a botnet of 19 million IP addresses

In May 2024, the FBI, together with law enforcement partners, dismantled a botnet known as 911 S5. This malicious network spanned 19 million unique IP addresses across over 190 countries worldwide, making it possibly the largest botnet ever created.

But what does a gargantuan botnet have to do with free VPNs? Quite a lot actually, since the creators of 911 S5 used several free VPN services to build their brainchild; namely: MaskVPN, DewVPN, PaladinVPN, ProxyGate, ShieldVPN, and ShineVPN. Users who installed these apps had their devices transformed into proxy servers channeling someone else’s traffic.

In turn, these proxy servers were used for various illicit activities by the real clients of the botnet — cybercriminals who paid the organizers of 911 S5 for access to it. As a result, users of these free VPN services became unwitting accomplices in a whole host of crimes — cyberattacks, money laundering, mass fraud, and much more — because their devices were sucked into the botnet without their knowledge.

[Image: 911 S5 botnet price list — proxy rental prices charged to the botnet’s customers]

The 911 S5 botnet began its nefarious operations way back in May 2014. Disturbingly, the free VPN apps it was built upon had been circulating since 2011. In 2022, law enforcers managed to take it down for a while, but it resurfaced a mere few months later under a new alias: CloudRouter.

Finally, in May 2024, the FBI succeeded in not only dismantling the botnet infrastructure but also apprehending the masterminds, on which note the 911 S5 saga will likely end. During its operation, the botnet is estimated to have earned its creators a cool $99 million. As for the losses to victims — at least, just the confirmed ones — they amount to several billion dollars.

[Image: The FBI seized the website of PaladinVPN — one of the free VPN apps used to build the 911 S5 botnet]

Infected VPN apps on Google Play

While the 911 S5 case is undoubtedly one of the largest botnets ever, it’s far from an isolated incident. Literally a couple of months before, in March 2024, a similar scheme was uncovered involving several dozen apps published on Google Play.

Though among them there were other apps too (such as alternative keyboards and launchers), free VPNs constituted the bulk of the infected ones. Here’s the full list:

  • Lite VPN
  • Byte Blade VPN
  • BlazeStride
  • FastFly VPN
  • FastFox VPN
  • FastLine VPN
  • Oko VPN
  • Quick Flow VPN
  • Sample VPN
  • Secure Thunder
  • ShineSecure VPN
  • SpeedSurf
  • SwiftShield VPN
  • TurboTrack VPN
  • TurboTunnel VPN
  • YellowFlash VPN
  • VPN Ultra
  • Run VPN

[Image: Oko VPN and Run VPN on Google Play before being removed from the store]

There were two infection mechanisms. Earlier versions of the apps used the ProxyLib library to turn the devices they were installed on into proxy servers. More recent versions used an SDK called LumiApps, which is marketed to developers as a monetization tool that loads hidden web pages on the device, but in practice does exactly the same thing — turning devices into proxy servers.

Just like in the previous case, the organizers of this malicious campaign sold other cybercriminals access to the proxy servers running on the devices of users who had installed the infected apps.

After the report was published, the infected VPN apps were, of course, removed from Google Play. However, they continue to circulate in other places; for example, they’re sometimes published in several different incarnations under different developer names in the popular alternative app store APKPure (which was infected with a Trojan a few years ago).

[Image: Oko VPN, one of the infected VPN apps booted out of Google Play, exists in multiple versions on the unofficial APKPure app store]

How to stay protected from scammers

Botnets like these are sadly not uncommon, and as soon as law enforcement shuts one of them down, another immediately pops up in its place. To prevent your devices from becoming unwilling participants in a criminal network, install a reliable security solution on them, and steer clear of free apps that don’t come from a reputable vendor.
