Android VPN’s with 500 Million+ Installs Pushing Adware to Android Users

The researcher discovered a four most popular VPN for Android that installed over 500 million users committing ad fraud and pushing usual ads in users device to generate revenue.

The four most popular Android VPN’s are  Free VPN Master, Secure VPN, and CM Security Applock AntiVirus that pushing the pop up ads even the apps running in the device background and also generate frequent HTTP request which makes phone overheated and drain the battery.

There are several adware incidents reported in the past few months, and it’s rapidly growing to exclusively target the Android users to generate millions of dollars revenue.

VPN products are used by hundreds of millions of users around the globe to ensure users privacy while roaming on the internet. At the same time, some VPN companies that listed above taking advantage of the user’s device accessibility and gain more fraudulent benefits.

Totally 500 000 000+ downloads are recorded in Play Store and all these 4 apps contain a code that indicates how ad frauds are usually behaving. There is no surprise that the app developers are from China.

Adware Behavior of 4 VPN Apps

Hotspot VPN 

A quite famous VPN with the name of Hotspot VPN – Free Unlimited Fast Proxy VPN caught for using the advertisement API from Google with Identified packages and code which indicate during the analysis that the can show advertisements anytime it wants.

During its malicious behavior, it accessing the various website following.

• adlog.flurry.com
• ads.mopub.com
• conf.daydayup.today
• doc.app.unitemagic.com
• fv.app.unitemagic.com
• play.google.com
• www.example.com
• www.facebook.com
• www.google.com
• www.yahoo.com
• adlog.flurry.com
• csi.gstatic.com/csi
• imasdk.googleapis.com
• pagead2.googlesyndication.com
• twitter.com
• www.mopub.com

It filling the complete screen in the phone even the application running in the background of the phone.

Free VPN Master 

This VPN app appears in Google play store as Fast secure proxy VPN, and very similarly serving the unusual ads in users device. it uses the Google and Facebook API advertisements.

According to Andy Michael from VPN Testing,  slight modifications in the name of packages in order to get a different hash for both apks due to the fact that once they were reversed they had the same code and were obfuscated with the same tool. 

Secure VPN

This VPN advertised with the name of Unlimited Free & Super VPN Proxy and it aggressively pop up the apps over the various apps including Whatsapp, chrome, and more.

Researchers found the list of classes that manage the process of getting and show ads which considers events, the render of the Ad, the request and how to show the Ad.

Security Master by Cheetah Mobile

With the name of App Lock & AntiVirus, the VPN Security Master is promoting ad and were found ads services such as from AirBnB, Facebook, GitHub, Google, unity3d, and others.

You can find the complete analysis here.

“This application takes it a step further. Instead of constantly showing the ads the app leverages its enormous user base and intrudes less often and randomly (See figure 2. byte code). It uses a more sophisticated approach by popping up the app instead and showing the ads immediately after you try to get back to the home screen.” Andy concluded.

You can follow us on Linkedin, Twitter, Facebook for daily Cybersecurity and hacking news updates.

Comments are closed.