Trial By Wire

Episode 11: What is Malware? Staying Out of a Hacker's Botnet

June 01, 2024 Denton Wood Season 1 Episode 11

Last time, we talked about why you might want to be more careful online. But how do you do that? We continue talking about an article discussing malicious software and how you can keep yourself safe.

Links:

Keep up with the show! https://linktr.ee/trialbywireshow

Questions? Comments? Email trialbywireshow@gmail.com

Music:


Welcome back to Trial by Wire! My name is Denton, and this is part 2 of talking about an article about devices getting hijacked to hide others' Internet activity. We're going to talk a little more about the technical aspect of that this episode and what we can learn from it. Let's get started!

As a reminder, here's the article we're looking at. The link to it will be in the show notes again:

Thousands of phones and routers swept up into proxy service, unbeknownst to users

Last time, we talked about why people might want to limit the amount of activity tracked online, but we didn’t talk about how. One way is to just not do things online. The less you use social media, the less it can learn about your preferences. However, more and more is being done on the Internet, so that option is fading. What you can do (and what the people in this article have done) is redirection. If websites think your web traffic is coming from somewhere else, they'll find it more difficult to figure out where you actually are.

This is done legitimately through a service called a Virtual Private Network, or a VPN. VPNs act as a middleman between end users and websites. This allows the user to appear to be coming from a different location when they access the Internet. Interestingly, one of the most popular uses of VPNs is to bypass region-locked content (for example, to access Japanese-only content on Netflix from inside the United States), which is...ethically interesting, to say the least. The main reason that I use a VPN is that it provides an extra layer of encryption to my traffic. This means that anyone who may sit in the middle between me and the website (for example, my ISP) has a harder time seeing what I am doing.

VPNs are a cool idea because of this extra layer of security. However, you now have to trust that your middleman isn't watching what you're doing, even as they're hiding what you're doing from other websites. They can also make your connections slower since all of your browsing now has to go through a middleman instead of directly to the website, and some sites have decided to block them. You can try one out if you like. If you do, check for two things. First, make sure that the VPN provider guarantees that your connection is encrypted, and look for end-to-end encryption. Second, make sure that the VPN is "logless", meaning they don't keep logs of the sites that you visit. Both of these things will help protect your privacy when you use a VPN.

The article discusses two instances of malware related to this idea of a VPN. The first is about a service that's similar to a VPN. In fact, the attackers are offering it as a paid service to people, just like VPNs. However, the "middleman", in this case, could be your device and you wouldn't know it. The software is something called "malware", software that is designed to work against your device and do things that you don't expect it to do. In this case, it attaches to Internet routers, or network devices that direct traffic between clients and servers, and uses them to obscure Internet traffic by other users. The service is called "Faceless", and it's sold on online crime forums as a way of browsing the Internet without being tracked. Basically, if you own a router that's infected, criminals could be using it as a middleman to make it look to the servers like their Internet requests are coming from you instead of them, and you wouldn't know it. The article actually notes that one of the selling points of this service for criminals is that VPNs that were claiming not to track users were actually tracking them. It's probably being used to launch cyberattacks, according to the article.

Malware can also hit end user devices like your phone, though. The article notes a second instance of a network consisting of user-owned devices. In this case, the users downloaded an app. The initial app advertised itself as a VPN on the Google Play store. After it was removed from the store, someone made a tool for software developers with the code from the VPN app. When the developers used the tool, 28 other apps got the bad code. While the users were using the app, the app was using the users right back; in this case, it added them to a network of devices that the makers of the network used to commit "ad fraud." Basically, the attackers fooled advertisers into thinking that users were looking at their ads to make money off of them illegitimately.

At this point, you, number one, may be confused about all this, but number two, may be wondering how to protect your own devices from becoming part of a criminal network. If you take a look at the article, it actually has some recommendations for you. Let's break them down.

First, always be careful what apps you download from the Internet. Make sure that you trust both the place where you're getting it, the app distributor, and the person you're getting it from, the app publisher. Most of the apps that had the bad VPN code in them didn't actually come from the Google Play Store; they came from somewhere else. Some were advertised as "mods", or modified versions of applications. Essentially, someone took an application made by a developer, added some stuff to it, and republished it as a mod. In this case, the modification was adding the malware, unfortunately.

To be clear, mods are not necessarily dangerous. Modding is a popular hobby online, particularly in gaming communities. For example, a YouTuber published a mod of the game Super Mario Odyssey, a game for one player, to support multiple players at once, and it became a way for YouTube channels to collaborate and play together. However, the idea behind mods is to release a modified version of the application. The original developer of the application probably didn't authorize the mods, may not want somebody distributing mods of their application, and the mod probably doesn't have the same security guarantees as the original application.

Like I said last time, not every developer has your best interests at heart. Even if an app isn't modded, it may market itself as useful but do things in the background that you don’t want. Cryptojacking, for example, is the practice of mining cryptocurrency on your device without you knowing. If you choose to download an app onto your phone, computer, or other device, make sure that you trust the person or company who made it.

Second, always keep your devices up to date. I like the description of cybersecurity as a cat-and-mouse game: hackers find holes in software, security professionals patch those holes, hackers find more holes, and so on. Mainstream operating systems like Windows and macOS are big targets for hackers, so any mistakes made by the developers will be discovered. Microsoft and Apple are constantly publishing updates, so make sure you have those set up to install automatically so you don't even have to think about them. The one caveat to this is that you might hang back when a new major version gets released (for example, iOS 18 or Windows 11) since that may have new vulnerabilities in it that the developers haven't patched yet. Unless you're really eager, let it settle in with a few updates first while they work out all of those bugs.

A lot of the routers in the first example from the article had reached what's called "end-of-life". Developers can't keep providing updates for a device forever. Once Apple says your iPhone is too old for the new iOS version, it's probably not getting any more security patches. So, any vulnerabilities, or security holes, on there for hackers to access are there to stay. Now, this itself raises lots of questions, like "why do I have to get a new phone so often?" The concept of "planned obsolescence", or companies ensuring that your device becomes unusable after a certain amount of time, isn't fun for users, and that's an ethical discussion in and of itself. However, you're putting yourself at risk if you're connecting a device to the Internet that no longer receives security updates. No software is completely free of vulnerabilities.

Although this isn't addressed in the article, a third point is to be careful what devices you let onto your home network. Even if you do a good job of keeping your devices up to date, not everyone else will, and any device from "the outside" could be carrying malware. Now, you can't always keep the unclean devices off your Wi-Fi, and younger people will probably think it's rude if you don't let them on your Wi-Fi. What I do is have a "guest network" that guests can use. That way, all the guest devices are on one network, and all of my devices are on another network. It's not a perfect solution since malware can still jump from the network to my router. However, it's a step in the right direction that may save you some heartache later. If people complain, just send them a link to this episode.

Malware is difficult, if not impossible, to avoid completely. However, like with phishing attacks, hackers go for the low-hanging fruit first. If you keep your devices squeaky-clean by not installing unknown applications and keeping them up to date, you're removing yourself from that tier of users that's most likely to be hacked. Sometimes, that's enough.

Your homework for today is to check on that! Open up the settings on your phone or computer and check for software updates. Make sure that your device is all good, and encourage your friends and family to do the same (especially if they're using your Internet). Think about that, and I'll see you next time!

Hey, thanks for listening! Subscribe for more if you like what you heard. If you’re on YouTube, give us a like and a comment, or rate and review us on your favorite podcast feed. It helps out a lot! If you want to talk to us, you can find us on X (formerly known as Twitter) or on Instagram at @trialbywireshow or on Facebook at facebook.com/trialbywirepodcast. You can also send me an email at trialbywireshow@gmail.com. See you soon!