
Maintaining cybersecurity in our digital age feels like a relentless pursuit against evolving threats. As innovative security measures emerge, malware constantly adapts, as evidenced by Google’s battle with a deceptive screen recording app on the Play Store. Even well-established security utilities, such as password managers, aren’t impervious to these challenges, becoming targets of hackers. Some users turn to a VPN to help keep their data private and secure, but now a new report suggests that one popular option has secretly been turning its users' phones into what’s effectively a malware botnet.

A security researcher going by the handle “lecromee” has uncovered evidence that Swing VPN includes code allowing its controller to functionally operate app clients as a botnet capable of Distributed Denial of Service (DDoS) attacks (via Hacker News). Swing VPN is still actively listed in the Play Store at the time of publication, with a strong 4.4 rating and over 5 million users.

Lecromee made the discovery when he started investigating why his friend’s mobile phone was sending requests to a specific website every few seconds. These requests appeared to be originating from the Swing VPN application installed on his friend’s mobile device. To start, lecromee loaded up his favorite screen mirroring software scrcpy for documentation and the network monitor PCAPdroid to see what’s going on.

It turns out that the app was making requests to the Turkmenistan Airlines website approximately every 10 seconds, via a uniquely crafted URL. While a request every ten seconds might not seem like a lot, when many phones are doing it at once, it can become a problem. Swing VPN operates in the command and control fashion of a botnet by pulling lists of URLs from control sites and directly sending requests to them, so while Turkmenistan may have been the target that time, new victims are always waiting.
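A defender can look for the same pattern the researcher noticed, an app contacting one host at a fixed interval, in any per-app connection log. The following is an added example, not code from the researcher's report; the record layout, app names, and hosts are constructed assumptions and do not reflect PCAPdroid's export format.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample records: (seconds since capture start, app, destination host).
# The field layout is an assumption for this example, not a real tool's export format.
def build_sample():
    records = []
    # An app contacting one host roughly every 10 seconds, with small jitter.
    for i, jitter in enumerate([0.0, 0.3, -0.2, 0.1, 0.4, -0.1, 0.2, 0.0]):
        records.append((i * 10 + jitter, "vpn.example.app", "target.example"))
    # A browser with irregular, user-driven requests.
    for t in [1.0, 2.5, 3.1, 40.0, 41.2, 75.9, 76.0, 120.4]:
        records.append((t, "browser.example.app", "news.example"))
    # Too few requests to judge either way.
    for t in [5.0, 65.0]:
        records.append((t, "mail.example.app", "imap.example"))
    return records

def find_periodic(records, min_requests=6, max_cv=0.1, max_period=60.0):
    """Return {(app, host): mean_interval_seconds} for pairs whose request
    spacing is regular, i.e. stddev(gaps) / mean(gaps) <= max_cv."""
    times = defaultdict(list)
    for ts, app, host in records:
        times[(app, host)].append(ts)
    flagged = {}
    for key, ts_list in times.items():
        if len(ts_list) < min_requests:
            continue  # not enough samples to call it a pattern
        ts_list.sort()
        gaps = [b - a for a, b in zip(ts_list, ts_list[1:])]
        avg = mean(gaps)
        if avg <= 0 or avg > max_period:
            continue  # ignore slow, long-period check-ins in this sketch
        if pstdev(gaps) / avg <= max_cv:
            flagged[key] = round(avg, 1)
    return flagged

if __name__ == "__main__":
    for (app, host), period in find_periodic(build_sample()).items():
        print(f"{app} -> {host}: request about every {period}s")
```

Regular spacing alone is not proof of abuse, since legitimate apps also poll on timers; a hit is a reason to inspect which URLs the app requests and where it gets that list.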

What’s maybe most impressive, in a sick way, is just how well the authors of Swing VPN were able to use various techniques to obfuscate the app’s true purpose and hide its malicious behavior, scoring it a prominent spot in the Play Store. For now, that’s where it remains — but we have a feeling it won’t be there for much longer, if these allegations hold up.

UPDATE: 2025-08-17 04:15 EST BY MANUEL VONAU

Google has removed the app from the Play Store

A Google spokesperson reached out to us with the following statement:

The app was removed from Google Play on June 22 and the developer has been banned. Users are also protected by Google Play Protect, which warns users of apps known to exhibit malicious behavior on Android devices with Google Play Services, even when those apps come from other sources.