VPN app 'Swing VPN' found to be quietly using its users' phones for DDoS attacks



It has emerged that 'Swing VPN', distributed as a VPN application, secretly carries out DDoS attacks that its users neither intend nor know about.

Swing VPN app is a DDOS botnet | Greek geek

https://lecromee.github.io/posts/swing_vpn_ddosing_sites/



According to Lecromee, who discovered the behaviour, it started when a friend complained that his mobile phone was sending requests to a specific website every few seconds. At first Lecromee suspected a virus, but about two minutes of investigation showed that every one of the requests came from Swing VPN, which was installed on the phone as a VPN service. The app was sending requests to a website the friend had never used, and the request payload contained specific data aimed at an endpoint that consumes a large amount of that site's resources.

Swing VPN sent a request roughly every 10 seconds to the following page on the website of the airline 'Turkmenistan Airlines'.

https://turkmenistanairlines.tm/tm/flights/search?_token=J8SxUX2Qwzltw4LiHsRHTCtfthgBYxf4hyI8oNly&search_type=internal&departPort=TAZ&arrivalPort=CRZ&tripType=rt&departDate=4%2F22%2F2023&arrivalDate=5%2F4%2F2023&adult=1&child=0&infant=0&is_cship=on



Given how specific this URL is, Lecromee thought, 'It's clear that this is not an error, and it's not pinging the site,' and started investigating.

First, Lecromee installed 'PCAPdroid', an app for inspecting network traffic, on the phone and observed what Swing VPN was doing. The video of this can be viewed by clicking the image below; it shows Swing VPN sending a request to turkmenistanairlines.tm about every 10 seconds.



Further investigation revealed that Swing VPN was requesting an endpoint called 'tm/flights/search', which appears to be the site's flight search. 'Flight search is a very intensive task that requires a lot of database and server resources, so it is clear that Swing VPN's intention is to stress the server's resources and prevent regular users from accessing it when they need it,' said Lecromee.

Furthermore: 'You may think that one request every 10 seconds is not a DDoS attack, but the problem lies in the number of attackers. As of early June 2023, Swing VPN has been installed more than 5 million times. Even if you divide that by 10, that could be half a million requests per second, which is probably a lot for a small airline site written in PHP to handle.'
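As an added example (not code from the article or from Lecromee's post), the following Python script shows the kind of check a defender could run over a per-app traffic log exported from a phone: it flags an app that hits a single endpoint at a nearly fixed interval, the pattern observed here, and reproduces the article's aggregate-load arithmetic. The log format, the timestamps and the package name com.example.vpnapp are constructed assumptions and do not reflect PCAPdroid's real export schema.

```python
import csv
import io
import statistics
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample of a per-request traffic log: epoch seconds, app package
# name, requested URL. The package names are placeholders; the host and path
# are the ones reported in the article.
SAMPLE_LOG = """\
ts,app,url
1686000000.1,com.example.vpnapp,https://turkmenistanairlines.tm/tm/flights/search?search_type=internal&departPort=TAZ
1686000000.8,com.example.browser,https://example.org/news
1686000010.0,com.example.vpnapp,https://turkmenistanairlines.tm/tm/flights/search?search_type=internal&departPort=TAZ
1686000020.2,com.example.vpnapp,https://turkmenistanairlines.tm/tm/flights/search?search_type=internal&departPort=TAZ
1686000025.5,com.example.browser,https://example.org/news
1686000030.1,com.example.vpnapp,https://turkmenistanairlines.tm/tm/flights/search?search_type=internal&departPort=TAZ
1686000040.0,com.example.vpnapp,https://turkmenistanairlines.tm/tm/flights/search?search_type=internal&departPort=TAZ
1686000049.9,com.example.vpnapp,https://turkmenistanairlines.tm/tm/flights/search?search_type=internal&departPort=TAZ
1686000300.0,com.example.browser,https://example.org/news
"""

def find_periodic_endpoints(log_text, min_requests=5, max_jitter=0.2):
    """Group requests by (app, host, path) and flag groups whose inter-request
    gaps are almost constant, i.e. a timer firing at one endpoint.
    max_jitter bounds the coefficient of variation (stdev / mean) of the gaps."""
    buckets = defaultdict(list)
    for row in csv.DictReader(io.StringIO(log_text)):
        u = urlsplit(row["url"])
        buckets[(row["app"], u.hostname, u.path)].append(float(row["ts"]))
    hits = []
    for (app, host, path), stamps in buckets.items():
        if len(stamps) < min_requests:
            continue  # too few requests to call it a pattern
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        cv = statistics.pstdev(gaps) / mean if mean > 0 else float("inf")
        if cv <= max_jitter:
            hits.append({"app": app, "host": host, "path": path,
                         "count": len(stamps), "period_s": round(mean, 1)})
    return hits

def fleet_request_rate(installs, period_s):
    """Requests per second the whole install base would generate if every
    install fired once per period_s (the article's 5 million / 10 s estimate)."""
    return installs / period_s

if __name__ == "__main__":
    for hit in find_periodic_endpoints(SAMPLE_LOG):
        print(f"{hit['app']} -> {hit['host']}{hit['path']} "
              f"x{hit['count']}, every ~{hit['period_s']}s")
    print(f"{fleet_request_rate(5_000_000, 10):,.0f} req/s across the install base")
```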



Lecromee concludes: 'The Swing VPN authors use various techniques to obfuscate and hide their malicious behavior. Out of pure greed, they use innocent users' phones as tools for their criminal activities.' Swing VPN is distributed in both Android and iOS versions, but only the Android version appears to have this problem.

in Mobile, Software, Security, Posted by log1p_kr