Maintaining cybersecurity in our digital age feels like a relentless pursuit against evolving threats. As innovative security measures emerge, malware constantly adapts, as evidenced by Google’s battle with a deceptive screen recording app on the Play Store. Even well-established security utilities, such as password managers, aren’t impervious to these challenges, becoming targets of hackers. Some users turn to a VPN to help keep their data private and secure, but now a new report suggests that one popular option has secretly been turning its users’ phones into what’s effectively a malware botnet.

A security researcher going by the handle “lecromee” has uncovered evidence that Swing VPN includes code allowing its controller to functionally operate app clients as a botnet capable of Distributed Denial of Service (DDoS) attacks (via Hacker News). Swing VPN is still actively listed in the Play Store at the time of publication, with a strong 4.4 rating and over 5 million users.

Lecromee made the discovery when he started investigating why his friend’s mobile phone was sending requests to a specific website every few seconds. These requests appeared to be originating from the Swing VPN application installed on his friend’s mobile device. To start, lecromee loaded up his favorite screen mirroring software scrcpy for documentation and the network monitor PCAPdroid to see what’s going on.

It turns out that the app was making requests to the Turkmenistan Airlines website approximately every 10 seconds, via a uniquely crafted URL. While a request every ten seconds might not seem like a lot, when many phones are doing it at once, it can become a problem. Swing VPN operates in the command and control fashion of a botnet by pulling lists of URLs from control sites and directly sending requests to them, so while Turkmenistan may have been the target that time, new victims are always waiting.

What’s maybe most impressive, in a sick way, is just how well the authors of Swing VPN were able to use various techniques to obfuscate the app’s true purpose and hide its malicious behavior, scoring it a prominent spot in the Play Store. For now, that’s where it remains — but we have a feeling it won’t be there for much longer, if these allegations hold up.