In a recent development, the IAS Threat Lab uncovered an elaborate fraud scheme in Oko VPN, a virtual private network (VPN) app targeting Android phones. Developed by VIP Internet Security LTD., the app was labelled as a free VPN service that anonymizes a user’s web traffic and was made available in the Google Play Store in July 2022, the company stated.
According to the company, Oko VPN was hijacking IP addresses, turning users’ phones into fraud-relaying devices. Any Android phone that installed the app unwittingly donated its IP address for use by Oko VPN to commit ad fraud. Furthermore, the fraudsters exploited the user’s IP address to mask the origin of traffic and send fake ad impressions to video streaming platforms. This IP hijacking scheme is referred to as “residential proxying,” the company stated.
Additionally, the app posed a risk of illicit material or traffic passing through users’ home networks and made further attacks on those networks possible, which emphasized the need to remove the app from the Google Play Store immediately.
The Google Play Store team conducted its own investigation in March 2023 and confirmed IAS Threat Lab’s findings. Google has removed the app and enforced Google Play Protect, which warns users and prompts them to uninstall the malicious app.
Oko VPN experienced exponential growth, with more than a million users at the time of its takedown. According to the company’s Threat Lab team, Oko VPN generated approximately 100 million fraudulent impressions per month at the time of its removal from the Google Play Store. The team also estimated that $10 million in advertising spend was wasted on this scheme.