Regarding VPNs, a popular refrain these days goes something like: “Why bother paying for a VPN when there are tons of free ones out there?” But are free VPN services truly free? This post explains why thinking they are is misguided, and offers the optimal solution to protect your devices from malicious apps.
First there was: “There’s no such thing as a free lunch” — dating back to the 1930s. In this century, that old adage was updated and adapted for the digital age: “If you’re not paying for the product, you are the product”. Today this new axiom applies to many internet services — but especially to VPNs. After all, maintaining a network of servers across the globe, and handling encrypted traffic for thousands, if not millions, of users comes at a significant cost. And if the user isn’t explicitly asked to pay for such services, there’s bound to be a catch somewhere. And that “somewhere” was recently vividly demonstrated by a couple of major incidents…
Freebie VPN and a botnet of 19 million IP addresses
In May 2024, the FBI, together with law enforcement partners, dismantled a botnet known as 911 S5. This malicious network spanned 19 million unique IP addresses across over 190 countries worldwide, making it possibly the largest botnet ever created.
But what does a gargantuan botnet have to do with free VPNs? Quite a lot actually, since the creators of 911 S5 used several free VPN services to build their brainchild; namely: MaskVPN, DewVPN, PaladinVPN, ProxyGate, ShieldVPN, and ShineVPN. Users who installed these apps had their devices transformed into proxy servers channeling someone else’s traffic.
In turn, these proxy servers were used for various illicit activities by the real clients of the botnet — cybercriminals who paid the organizers of 911 S5 for access to it. As a result, users of these free VPN services became unwitting accomplices in a whole host of crimes — cyberattacks, money laundering, mass fraud, and much more — because their devices were sucked into the botnet without their knowledge.
The 911 S5 botnet began its nefarious operations way back in May 2014. Disturbingly, the free VPN apps it was built upon had been circulating since 2011. In 2022, law enforcers managed to take it down for a while, but it resurfaced a mere few months later under a new alias: CloudRouter.
Finally, in May 2024, the FBI succeeded in not only dismantling the botnet infrastructure but also apprehending the masterminds, on which note the 911 S5 saga will likely end. During its operation, the botnet is estimated to have earned its creators a cool $99 million. As for the losses to victims — at least, just the confirmed ones — they amount to several billion dollars.
Infected VPN apps on Google Play
While the 911 S5 case undoubtedly involves one of the largest botnets, it’s far from an isolated incident. Literally a couple of months before, in March 2024, a similar scheme was uncovered involving several dozen apps published on Google Play.
Though among them there were other apps too (such as alternative keyboards and launchers), free VPNs constituted the bulk of the infected ones. Here’s the full list:
- Lite VPN
- Byte Blade VPN
- BlazeStride
- FastFly VPN
- FastFox VPN
- FastLine VPN
- Oko VPN
- Quick Flow VPN
- Sample VPN
- Secure Thunder
- ShineSecure VPN
- SpeedSurf
- SwiftShield VPN
- TurboTrack VPN
- TurboTunnel VPN
- YellowFlash VPN
- VPN Ultra
- Run VPN
There were two modes of infection. Earlier versions of the apps utilized the ProxyLib library to transform devices on which the infected apps were installed into proxy servers. More recent versions employed an SDK called LumiApps, offering developers monetization by showing hidden pages on the device, but in reality doing the exact same thing — turning devices into proxy servers.
Just like in the previous case, the organizers of this malicious campaign sold access to proxy servers installed on user devices with the infected apps to other cybercriminals.
After the report was published, the infected VPN apps were, of course, removed from Google Play. However, they continue to circulate in other places; for example, they’re sometimes published in several different incarnations under different developer names in the popular alternative app store APKPure (which was infected with a Trojan a few years ago).
How to stay protected from scammers
Botnets like these are sadly not uncommon, and as soon as law enforcement shuts one of them down, another immediately pops up in its place. To prevent your devices from becoming unwilling participants in a criminal network, install a reliable security solution on them, and steer clear of free apps that don’t come from a reputable vendor.