The Swing VPN app, which is available on the official Google Play Store under the name Swing VPN – Fast VPN Proxy, has more than 5 million downloads.
Swing VPN is a legitimate VPN app developed for Android and iOS systems by Limestone Software Solutions. However, according to researcher Lecromee, the Android version of this app is a DDoS botnet and allegedly harbours malicious intent as it can carry out distributed denial of service attacks (DDoS attacks).
It all started when Lecromee’s friend informed him about observing an unusual request pattern on his cellphone. The phone continually sent requests to a specific website every 10 seconds. The app allegedly used different tactics to hide its malicious actions to keep the attack undetected.
Initially, Lecromee blamed the issue on malware or a virus. However, further investigation revealed that all requests were sent from the Swing VPN app, which his friend had installed on his phone. The requests were sent to the same site that Lecromee’s friend had never accessed or visited, which made the researcher suspicious of the app.
To investigate further, Lecromee installed the Pcapdroid app to check his terminal’s log communication and inspect Swing VPN’s operations. At this point, Lecromee was uncertain whether the Swing app had a malicious agenda. He observed that the Swing VPN app sent some requests to a site.
To determine the actual intention of the app, he used mitmproxy to capture the sent data. He identified that the app figures out the real IP address right after installation, language selection, and accepting the Privacy Policy. It then sends a request to Bing and Google with the query “What is my IP?” Lecromee also learned that the app parses the returned HTML and identifies IPs from the responses, mainly to find the config files to upload.
After identifying its required config type, the app sends requests to two different config files stored in the developer’s personal Google Drive account. These files are requested from specific personal servers, several GitHub repositories, or Google Drive accounts. The app concludes its initialization process by connecting to an ad network to load ads and finally stores data in a local cache before proceeding to a DDoS site.
This is the page where Swing VPN sent the request. The website is managed by Turkmenistan Airlines (turkmenistanairlines.tm).
The researcher was surprised that the request payload contained specific data and that the endpoint of the requests was also extracting many of the site’s resources by sending one request every 10 seconds.
“Since flight search is a quite intensive task that requires a lot of databases and server resources, it is clear that the goal is to stress the server out of resources so that normal users won’t be able to access it when needed,” Lecromee said in a technical blog post.
As of June 2023, the app had over 5 million installations on Android, and splitting it by ten yields a potential of 500k RPS. That’s impressive for DDoSing. Lecromee criticized Google for having a weak security system that allows malicious apps to exploit unsuspecting users’ devices.
Hackread, however, cannot confirm this claim for now. We will update this story with the latest information about the Swing app soon.