If you installed Galleon VPN or Radish VPN, your PC may have been used as a staging device for cybercrime. According to Google, a group of free VPNs and proxy services was part of a larger network used by 550+ hacking groups to obscure their internet traffic.
The IPIDEA proxy network offered customers access to over 60 million IP addresses, letting buyers access the web as local users from various parts of the globe. But Google says IPIDEA didn’t secure the IP addresses legitimately; instead, it sourced them from numerous users who were likely unaware their devices had become a node in IPIDEA’s network.
Google’s investigation found that several free VPN and proxy brands were feeding into IPIDEA, including DoorVPN, Galleon VPN, Radish VPN, and Aman VPN.
Google also examined three of the VPN clients and found that while they did seem to provide VPN functionality, there was no clear disclosure about turning users’ PCs into proxy nodes.

To secure more IP addresses, the creators of IPIDEA also published software development kits (SDKs) for mobile apps, seemingly offering them as a way to help developers generate revenue. The SDKs were embedded inside at least 600 mobile apps. Devices that installed the software then became “exit nodes” for IPIDEA’s proxy network.
“By routing traffic through an array of consumer devices all over the world, attackers can mask their malicious activity by hijacking these IP addresses. This generates significant challenges for network defenders to detect and block malicious activities,” Google said about the threat.
This also means that hackers who used IPIDEA could access users’ private devices on the same network. In addition, Google found evidence the hackers would try to compromise a user device by exploiting security gaps.
Google told The Wall Street Journal that IPIDEA appears to be a Chinese company. IPIDEA users are also from China, as well as Russia, North Korea, and Iran.
Many are botnet operators. “This includes the BadBox2.0 botnet we took legal action against last year, and the Aisuru and Kimwolf botnets more recently. We also observe IPIDEA being leveraged by a vast array of espionage, crime, and information operations threat actors,” Google says.
The good news is that Google has disrupted the IPIDEA proxy network by taking legal action to seize the domains IPIDEA used for its scheme, including the command and control domains and websites that promoted IPIDEA’s products and SDKs. This has “reduce[d] the available pool of devices for the proxy operators by millions,” Google says, including 9 million Android devices, the company tells the Journal.
“We’ve shared our findings with industry partners to enable them to take action as well,” according to Google, which says internet infrastructure provider Cloudflare has also been cracking down.
Despite the takedown, Google says the proxy service market deserves more scrutiny. “Consumers should be extremely wary of applications that offer payment in exchange for ‘unused bandwidth’ or ‘sharing your internet.’ These applications are primary ways for illicit proxy networks to grow, and could open security vulnerabilities on the device’s home network,” the company adds.
About Our Expert
Michael Kan
Senior Reporter
