I have been doing research on suspicious Android VPNs for a while now. That has jammed my Samsung Galaxy S5 so full of applications that I need to remove a few before I can install a new one.
It was a regular morning at the office. I was conducting network analysis with my Samsung in front of a work desk when a popup and an annoying children's tune got my attention. I usually close those ads as soon as they interrupt my workflow, but this one really struck me…
You see… I wasn’t using any third-party app while it happened.
I was just browsing my media files, a place where you wouldn’t expect to get slammed with an ad.
A few seconds later I heard steam escaping the kettle, so I locked the phone screen with a habitual hand gesture and slowly walked to the kitchen to get coffee.
Reenergized, I walked back to the office corner and went into detective mode. The popup appeared again. Using Popup Ad Detector, the cause became clear: 4 VPN apps were the source of the problem: HotSpotVPN, Free VPN Master, Secure VPN, and CM Security Applock AntiVirus.
Ads are supposed to appear within the app's own screens while the user is actively using it.
In out-of-app ad fraud, however, ads pop up while the app is running in the background or even outside the app environment altogether (e.g. ad views placed over the home screen, covering the icons users need to tap to start other apps). As a user, not only do I find it treacherous for a privacy app to abruptly take over my screen, but the constant HTTP requests keep the phone's CPU hot and drain its battery.
- Total downloads: 500 000 000+
- 4 Android apps contain code indicative of ad fraud behaviour
- 2 applications have nearly identical code
- All of the developers' listed addresses are in China.
Hotspot VPN by HotspotVPN 2019
Name: Hotspot VPN – Free Unlimited Fast Proxy VPN
Developer: HotspotVPN 2019
Address: Block 13, 28 Cheung Sha Wan Road, Kowloon, Hong Kong
Package Name: com.free.unblock.proxy.hotspot.vpn [Play Store]
File Size: 10.6 MB
SHA1 Hash: 49b84657a16aaa3a4cd68e327f5ca69603911080
Version: 1.0.6 (7)
Downloads: 500 000+
The application was downloaded from the Play Store and reversed. The extracted files are shown in Figure 1: the AndroidManifest, where all the permissions are declared, the classes.dex file that contains the code, and other files such as images and layout specifications.
The most important file is classes.dex, since it is the file from which the application's behaviour can be analyzed.
The apk (the Android package format) was reversed in order to extract the code. The identified packages are shown in Figure 2. It is worth mentioning that the application code was obfuscated, though it was still possible to identify some behaviours.
The whole code base was analyzed and we found that the application uses Google's advertising API, which means it can show advertisements whenever it wants. Figure 3 shows the code in um.a.a.class where the application uses the advertising token.
Other code, shown in Figure 4, indicates that the application also uses the Facebook advertising API.
Malicious behavior in the traffic
GET /edgedl/release2/SwRmBLZ4gN8_137/137_all_MX_optimizationHints.crx3 HTTP/1.1
User-Agent: Mozilla/5.0 (Linux; Android 4.2.2; ALCATEL ONE TOUCH 5036A Build/JDQ39) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Mobile Safari/537.36
Accept-Encoding: gzip, deflate
HTTP/1.1 302 Found
Date: Thu, 06 Jun 2019 18:52:28 GMT
Expires: Fri, 01 Jan 1990 00:00:00 GMT
Cache-Control: no-cache, must-revalidate
Content-Type: text/html; charset=UTF-8
<HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8">
The document has moved
Following the URL
Following the redirect, the application downloads a file whose contents are shown in Figure 4, but it is not a common file type: the magic number 4372 does not correspond to any known file format.
In parts of the code we found that the application reads the screen dimensions for some purpose, as shown in Figure 6.
Elsewhere in the code this function is used in specific situations, such as when a particular key is pressed in a given context and in cases whose behaviour we could not identify, as shown in the function final void b in Figure 6.
The following screenshots show some of the advertisements that fill the screen while the application is running in the background (with the connection turned off):
Free VPN Master by Freemaster 2019
Name: Free VPN Master – Fast secure proxy VPN
Address: Unit 04-05, 16th Floor, The Broadway No. 54-62 Lockhart Road, Wanchai, Hong Kong
Package Name: com.free.fast.master.unblock.proxy.vpn [Play Store]
File Size: 10.6 MB
SHA1 Hash: e12f8e3e49f471a168697bc982006ee04d17ed7e
Version: 2.2.5 (55)
Downloads: 1 000 000+
The application was downloaded from the Play Store and reversed. The extracted files are shown in Figure 9: the AndroidManifest, where all the permissions are declared, the classes.dex file that contains the code, and other files such as images and layout specifications.
As before, the most important file to study is classes.dex, as it shows how the application works.
The apk was reversed to extract the code. The identified packages are shown in Figure 10.
We found that the application uses Google's advertising API. Figure 11 shows the code in um.a.a.class where the application uses the advertising token.
Analysis of the second application found that both apks had the same structure and code, yet their hashes differed. The package com.a.a.a.a.a (Figure 11) differs from its counterpart com.a.a.a.a.a.a by a single extra 'a'; that renaming alone is enough to produce a different hash even though the code itself is the same.
We think both applications are the same app with slight changes to the package names, made so that the two apks get different hashes: once reversed they contained the same code and had been obfuscated with the same tool. The developer names on Google Play are different, but that does not mean the apps were made by different people.
We also found code that uses the Google and Facebook advertising APIs.
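The package-renaming trick described above (the same code shipped as com.a.a.a.a.a in one apk and com.a.a.a.a.a.a in the other, giving two different file hashes) can be caught by fingerprinting the class tree after normalizing obfuscated names. The Python below is an added example, not code from the article; the class lists and method digests are constructed, and the "class path to digest" dump format (as one might produce from apktool or jadx output) is an assumption.

```python
import hashlib
import re

# Ad SDK package prefixes named in the analysis.
AD_SDK_PREFIXES = ("com.google.ads", "com.facebook.ads", "com.mopub")

# Constructed sample input (not real app data): class path -> short digest of
# the class's method bodies, as one might dump from apktool/jadx output.
APK_A = {
    "um.a.a": "8f1e", "com.a.a.a.a.a.b": "c0de", "com.a.a.a.a.a.c": "beef",
    "com.google.ads.AdRequest": "1234", "com.facebook.ads.internal.ac": "abcd",
}
APK_B = {  # same code, obfuscated package nested one level deeper
    "um.a.a": "8f1e", "com.a.a.a.a.a.a.b": "c0de", "com.a.a.a.a.a.a.c": "beef",
    "com.google.ads.AdRequest": "1234", "com.facebook.ads.internal.ac": "abcd",
}

_OBF = re.compile(r"^[a-z]{1,2}$")  # 1-2 letter names typical of ProGuard output

def normalize(class_path: str) -> str:
    """Collapse each run of obfuscated segments into one '*' so a renamed or
    re-nested obfuscated package still maps to the same key."""
    out = []
    for seg in class_path.split("."):
        if _OBF.match(seg):
            if not out or out[-1] != "*":
                out.append("*")
        else:
            out.append(seg)
    return ".".join(out)

def fingerprint(apk: dict) -> frozenset:
    """Set of (normalized path, method digest) pairs for the whole class tree."""
    return frozenset((normalize(p), d) for p, d in apk.items())

def structural_hash(apk: dict) -> str:
    """Hash over the fingerprint: equal for builds that differ only in
    obfuscated names, unlike the SHA1 of the apk file itself."""
    lines = sorted("%s %s" % pair for pair in fingerprint(apk))
    return hashlib.sha1("\n".join(lines).encode()).hexdigest()

def similarity(a: dict, b: dict) -> float:
    """Jaccard index of the two fingerprints (1.0 means identical code)."""
    fa, fb = fingerprint(a), fingerprint(b)
    return len(fa & fb) / len(fa | fb)

def ad_sdk_classes(apk: dict) -> dict:
    """Count classes under each known ad SDK prefix."""
    return {p: sum(c.startswith(p + ".") for c in apk) for p in AD_SDK_PREFIXES}
```

Two apks whose file hashes differ but whose structural_hash values match are the case described above: the same code re-obfuscated, not two independent apps.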
Here’s a screen-recording of their behavior:
Secure VPN by SEC VPN
Name: Secure VPN – Unlimited Free & Super VPN Proxy
Developer: SEC VPN
Address: Sea Side Road, Ma Liu Shui, Hong Kong
Downloads: 1 000 000+
A list of packages that contain the string http:// is:
As can be seen, most of them are ad-related. The packages whose classes include the word "Ads" are mostly under android.facebook.ads; others look interesting precisely because they do not contain any URL at all, such as Ac.class in the Facebook (fb) package.
Once the apk was reversed, a set of ad-related packages could be identified, as Figure 1 shows.
In com.facebook.ads.internal.ac.class we found code that captures events such as clicks, dismissals and displays. Since it sits in a package called "ads", it can be inferred that it is used to monitor and display ads based on user activity.
The com.google.ads package contains the code that manages ads through the Google API; as Figure 14 shows, parts of it issue requests in order to obtain an ad.
We also found a set of classes that manage the whole process of fetching and showing ads, as Figure 15 shows: the events, the rendering of the ad, the request, and how the ad is displayed. Analyzing each file shows that they validate certain features of the application, for example internet access, as shown in the screenshot. There are also listeners that correlate the identifiers obtained from the API with the ID assigned to each ad, the AdUnitId.
The MoPub ad code appears to serve different ads based on properties such as country and region, as Figure 16 shows.
In com.c.a.c.class we found code that can read and write logs on the SD card; however, there is no evidence that it is used only for logs, as shown in the figure.
Visual representation of the behaviour:
Security Master by Cheetah Mobile (AppLock & AntiVirus)
Name: Security Master – Antivirus, VPN, AppLock, Booster
Developer: Cheetah Mobile (AppLock & AntiVirus)
Address: Hui Tong Times Square NO. 8, Yaojiayuan S. Rd., Beijing 100123, P.R.C
Downloads: 500 000 000+
In the file cm.security.main.h.class we identified a list of commented byte codes, as shown in Figure 1. Some of them decode to URLs with interesting properties, described in the following images.
Figure 20 shows the URL at code 627, which was accessed using Mozilla.
The b() function is called from several places. Although it is overloaded, only the overload that takes an integer returns a byte code. Figure 2.1 shows an onPageSelected function that checks the state of the application flow to decide whether or not to show an ad.
Some buttons trigger their intended actions but also trigger ads, as Figure 20.2 shows.
MenuController is a provider that makes it easy to control a menu; as Figure 20.3 shows, ads are also triggered when certain properties are set.
Figure 21 shows the URL with code 627, which leads to an advertisement.
The URL with code 653 leads to another advertisement, shown in Figure 22.
In the file com.facebook.ads.internal.b.q.class we also found code that requests an advertisement from Facebook, as shown in Figure 23.
When the URL is accessed directly in a web browser, as in Figure 24, it serves ads.
In the com package we found ad-related services from AirBnB, Facebook, GitHub, Google, unity3d, and others.
This application takes it a step further. Instead of constantly showing ads, the app leverages its enormous user base and intrudes less often and at random (see the byte code in Figure 2). Its approach is more sophisticated: it brings the app itself to the foreground and shows the ads immediately after you try to return to the home screen.
Spam, slow server speeds and privacy concerns are only a few of the reasons why free VPNs don't work:
Research and writing by: Andy Michael
Related Article: Paid Vs Free VPN