Attackers reportedly use popular VPN apps as a backdoor to inject malware and gain remote control of infected devices.
This is the worrying finding from Google’s Managed Defense team, which has shed light on how malicious actors employ SEO poisoning tactics to spread the malware known as Playfulghost.
“The malware is bundled into popular apps like LetsVPN and distributed via SEO poisoning,” the expert wrote. “This involves manipulating search engine results so that the included software appears at the top of searches, making it look like a legitimate download.”
Phishing attacks, i.e. malicious emails that trick users into clicking on dangerous links to download malware, are another known distribution method.
The Dangers of the Playfulghost Backdoor
As the Google expert explains in a blog post, Playfulghost is “a backdoor that shares functionality with Gh0st RAT.” The latter is a remote administration tool known among the security community since 2008.
Playfulghost, however, has distinct traffic and encryption patterns that differentiate it from the known threat.
Attackers use phishing and SEO poisoning tactics to trick victims into downloading malicious software on their devices. In one case, the Google expert explains, the victim was tricked into opening an infected image file to run Playfulghost from a remote server.
Similarly, the SEO poisoning tactics involved using trojanized virtual private network (VPN) applications to download Playfulghost components from a remote server to victims’ devices.
Playfulghost is a particularly dangerous strain of malware that allows attackers to remotely carry out a variety of activities once the device is infected. Its data collection capabilities include keylogging, screen capture, and audio capture. Attackers can also perform file management activities such as opening, deleting, and writing new files, among other things.
You can read all the technical details of Playfulghost in Google’s blog post.
The Playfulghost malware case is yet another reminder to remain vigilant when downloading new software.
Sticking to reputable names, like the best VPN apps, in a search engine is not enough to stay safe. Unfortunately, the same goes for app stores, as malicious imitations of legitimate apps can get past security checks.
I recommend consulting trusted sources, such as TechRadar, whenever possible and using the links on the page to download new software, whether it’s a new VPN, antivirus, or password management tool. Going directly to the provider’s official website is another way to ensure that your download is a legitimate and safe app.
If you notice your device acting strangely, I suggest you look for apps you don’t recognize and, if possible, run a malware removal service. You should also consider rebooting the system to eradicate the potential threat.