Productivity Tools

Swing VPN: A wolf in sheep’s clothing – Decrypting the hidden DDoS threat in your phone

By Steven, on August 4, 2023, updated on July 10, 2023 - 2 min read

In a world where privacy and security are the talk of the tech town, VPNs (Virtual Private Networks) are often thought of as the saviors.

But what happens when one of these trusted guardians turns evil? The story unfolds with Swing VPN, a well-reputed application turned rogue and its suspicious activities that could potentially jeopardize millions of users

Here’s everything you need to know about the recent events concerning Swing VPN, and how it managed to pull off a stunning deception.

Digging the dirt: The Swing VPN scandal unearthed

A security researcher, Lecromee, has uncovered the scandalous behavior of Swing VPN.

Fascinatingly, it all started when an acquaintance’s phone began sending out requests to a specific website every few seconds. This strange conduct was traced back to Swing VPN, an application installed on the device.

Surprisingly, the application was found repeatedly making requests every 10 seconds to a specially crafted URL on Turkmenistan Airlines’ website.

It’s been revealed that Swing VPN acted as a botnet, extracting lists of URLs from control sites and sending out requests to them.


The fog of deception: How Swing VPN maintained its innocent facade?

In spite of its malicious behavior, Swing VPN managed to maintain a rating of 4.4 on Play Store with over 5 million users.

This perfect camouflage kept it hidden in plain sight, fooling even the most discerning of users.

The application, developed by Limestone Software Solutions, was available on both Android and iOS devices, but the version under scrutiny is the Android one, suspected of harboring a malicious intent and being capable of launching DDoS attacks.

Cracking the cipher: The analysis of Swing VPN’s ominous operations

Lecromee used several tools such as Pcapdroid and Mitmproxy to decrypt the operations and intentions of Swing VPN.

The application extracted the real IP address of the user, sent requests to search engines to ascertain the IP address, and highlighted necessary configuration files to download.

Once identified, the application sent requests for these files from personal servers, GitHub repositories or Google Drive accounts. It then connected to an advertising network, loaded ads.

Fly in the ointment: The specific target of Swing VPN

The intriguing part of this discovery was Swing VPN’s specific target – a website managed by Turkmenistan Airlines. The application was found straining the server resources of the airline’s site, obstructing regular user access.

Power in numbers: The sheer scale of Swing VPN’s threat

As of June 2023, Swing VPN had over 5 million installations just on Android. This massive user base, unknowingly turned into botnet hosts, could potentially generate substantial DDoS traffic, presenting a significant threat to targeted websites.


Loose ends: Criticism and unanswered questions

Criticism arises towards Google for enabling such malevolent applications to exploit its users due to relatively weak security measures.

However, these allegations are yet to be independently verified, and the tech community stands by for additional updates on this unnerving matter.