Google warns of legit VPN apps being used to infect devices with malware

Attackers are reportedly using popular VPN applications as a backdoor to inject malware and gain remote control of infected devices.

This is the worrying finding from Google's Managed Defense team, which shed light on how malicious actors employ SEO poisoning tactics to spread what's known as Playfulghost malware.

"The malware is bundled with popular applications, like LetsVPN, and distributed through SEO poisoning," wrote the expert. "This involves manipulating search engine results to make the bundled software appear at the top of searches, making it seem like a legitimate download."

Phishing attacks, meaning malicious emails that trick users into clicking on dangerous links to download malware, are another known distribution method.

The dangers of the Playfulghost backdoor

As Google's expert explains in a blog post, Playfulghost is "a backdoor that shares functionality with Gh0st RAT." The latter is a remote administration tool that has been known among the security community since 2008.

Playfulghost, however, has distinct traffic patterns and encryption that differentiate it from the known threat.

Attackers use both phishing and SEO poisoning tactics to trick victims into downloading the malicious software onto their devices. In one case, the Google expert explains, the victim was tricked into opening an infected image file, which executed Playfulghost from a remote server.

Similarly, SEO poisoning tactics involved using trojanized virtual private network (VPN) apps to download Playfulghost components from a remote server onto the victims' devices (see the GIF below).

Playfulghost is a particularly dangerous strain of malware that enables attackers to remotely execute a range of activities once the device is infected. Data collection capabilities include keylogging, screenshot capture, and audio capture. Attackers can also carry out file management activities like opening, deleting, and writing new files, among other things.

You can read all of Playfulghost's technical details in Google's blog post here.

[GIF: an installer dropping a malicious executable that downloads PLAYFULGHOST. Image credit: Google]

The Playfulghost malware case is yet another reminder to remain on alert when downloading new software.

Searching for reputable names, like the best VPN applications, on a search engine isn't enough to stay safe. The same goes for app stores, unfortunately, as copycat malicious applications may slip through the security checks.

I recommend going through reputable sources, like TechRadar, whenever possible and using the on-page links to download new software – whether this is a new VPN, antivirus, or password manager tool. Heading directly to the provider's official website is another way to ensure your download is a legitimate and secure application.

If you notice your device acting oddly, I suggest looking for applications you don't recognize and running a malware removal service if possible. You should also consider a system reboot to eradicate the potential threat.
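The advice above boils down to two checks a download should pass before it is run: it came from the vendor's official domain, not a search-result lookalike, and its contents match the hash the vendor publishes. The script below is an added example, not code from the article or from Google; the vendor domain, installer bytes and published hash are constructed placeholders.

```python
import hashlib
import hmac
from urllib.parse import urlsplit

# Constructed placeholders: stand-ins for a real vendor domain, a real
# installer, and the SHA-256 that vendor would publish on its download page.
OFFICIAL_DOMAIN = "example-vpn-vendor.com"
SAMPLE_INSTALLER = b"constructed sample installer bytes, not a real binary"
PUBLISHED_SHA256 = hashlib.sha256(SAMPLE_INSTALLER).hexdigest()


def host_is_official(url: str, official_domain: str) -> bool:
    """True only for an HTTPS URL whose host is the official domain or a subdomain of it.

    Rejects lookalikes such as 'official.com.evil.example' and userinfo tricks
    such as 'https://official.com@evil.example/' (urlsplit().hostname ignores
    the part before '@', so the real host is checked).
    """
    parts = urlsplit(url)
    if parts.scheme.lower() != "https":
        return False
    host = (parts.hostname or "").rstrip(".").lower()
    official = official_domain.rstrip(".").lower()
    if not host or not official:
        return False
    return host == official or host.endswith("." + official)


def file_matches_published_hash(data: bytes, published_sha256: str) -> bool:
    """Compare the file's SHA-256 with the vendor-published value (constant-time)."""
    digest = hashlib.sha256(data).hexdigest()
    return hmac.compare_digest(digest, published_sha256.strip().lower())


def vet_download(url: str, data: bytes, official_domain: str,
                 published_sha256: str) -> list:
    """Return a list of problems; an empty list means both checks passed."""
    problems = []
    if not host_is_official(url, official_domain):
        problems.append("download host is not the vendor's official domain")
    if not file_matches_published_hash(data, published_sha256):
        problems.append("SHA-256 does not match the vendor-published value")
    return problems


if __name__ == "__main__":
    for u in ("https://download.example-vpn-vendor.com/setup.exe",
              "https://example-vpn-vendor.com.evil.example/setup.exe"):
        print(u, vet_download(u, SAMPLE_INSTALLER, OFFICIAL_DOMAIN, PUBLISHED_SHA256))
```

A hash match only proves the file is the one the vendor published; it does not help if the hash itself was copied from the same poisoned page, so take it from the vendor's own site.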

Chiara Castro
Senior Staff Writer

Chiara is a multimedia journalist committed to covering stories to help promote the rights and denounce the abuses of the digital side of life—wherever cybersecurity, markets and politics tangle up. She mainly writes news, interviews and analysis on data privacy, online censorship, digital rights, cybercrime, and security software, with a special focus on VPNs, for TechRadar Pro, TechRadar and Tom’s Guide. Got a story, tip-off or something tech-interesting to say? Reach out to chiara.castro@futurenet.com