Google: Attackers Exploit VPN Apps to Spread Malware
Google’s Managed Defense team has uncovered a new wave of cyberattacks that exploit popular VPN applications to distribute a malware named “Playfulghost,” a dangerous backdoor capable of granting attackers full remote access to infected devices.
According to Google’s recent findings, published in a blog post, the attackers use search engine optimization (SEO) poisoning: they create malicious websites that pose as legitimate ones and apply SEO practices to them to manipulate search engine results, making compromised VPN applications like LetsVPN appear as legitimate downloads.
“The malware is bundled with popular applications, like LetsVPN, and distributed through SEO poisoning,” a Google expert said in the blog post. This strategy allows the attackers to trick unsuspecting users into downloading malware-laden versions of trusted apps.
In addition to SEO poisoning, phishing remains a major distribution method for Playfulghost. These attacks often involve deceptive emails containing malicious links or attachments designed to lure users into executing the malware.
Playfulghost, which shares some functionality with the infamous Gh0st RAT malware, has unique traffic patterns and encryption features that distinguish it from its predecessor. Once installed, it provides attackers with the ability to execute a variety of malicious activities on infected devices.
On infected devices, these activities include keylogging, taking screenshots, capturing audio, and even managing files by creating, deleting, or editing them.
Google’s Managed Defense team highlighted one example where a victim was tricked into opening an infected image file, triggering the malware to execute from a remote server. In another case, attackers used trojanized VPN apps to download Playfulghost components directly onto victims’ devices. (GFB)