Google issues official warning that VPN scams are on the rise – here's how to avoid them
Google's latest advisory highlights how fake VPN apps are being used to steal data.
Google has issued a new warning about the rise of malicious VPN apps and extensions, calling them a growing tactic used by cybercriminals to harvest sensitive data.
In its latest Fraud and Scams Advisory, Google says scammers are increasingly disguising malware as VPN services, and users looking for free or quick privacy tools are most at risk.
Demand for VPNs continues to surge, but not all services can be trusted. As our recent analysis shows, unsafe free VPNs often log user data, embed trackers, or rely on artificial review manipulation to appear legitimate.
Google's new report underscores how these risks are being actively exploited by organized scam operations targeting people worldwide.
What exactly is Google addressing?
In its advisory, Google explains how threat actors are distributing fake VPN apps across multiple platforms. These apps frequently impersonate trusted VPN brands, use misleading advertising, or exploit trending events, including geopolitical tensions, to trick users into installing them.
Once installed, these apps can deploy serious malware, including info-stealers, remote access trojans, and banking trojans. Google notes that attackers can use this access to scrape everything from browsing history and private messages to financial credentials and even cryptocurrency wallet data.
Google says Android and Google Play use machine-learning systems to detect harmful apps, and users can enable Google Play Protect for an added layer of real-time protection.
A new enhanced fraud-protection system has also been developed to block the installation of high-risk apps when users attempt to sideload them from browsers or messaging apps.
What makes a VPN malicious?
Google highlights several red flags, many of which align with issues we've documented in a recent investigation.
These include:
- Requesting unnecessary permissions, such as access to contacts or messages
- Using suggestive ads or manipulative promotions to entice users into downloading them
- Tracking user activity or selling data to third parties
- Hiding behind vague or misleading privacy policies
- Lacking audits or any verifiable information about the company
- Delivering malware under the guise of "secure browsing"
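The first red flag can be checked before an app is trusted. The following is an added example, not code from Google's advisory or from this article: it audits an Android manifest that has already been decoded to text XML (for instance by apktool). The `EXPECTED` baseline, the sample package name and the extra check that the app really declares an Android `VpnService` are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

NS = "{http://schemas.android.com/apk/res/android}"
P = "android.permission."
# Assumed baseline of permissions a VPN client plausibly needs; tune as required.
EXPECTED = {P + n for n in ("INTERNET", "ACCESS_NETWORK_STATE",
                            "FOREGROUND_SERVICE", "POST_NOTIFICATIONS")}
# The advisory's red flag: access to contacts or messages.
RED_FLAGS = {P + n for n in ("READ_CONTACTS", "WRITE_CONTACTS",
                             "READ_SMS", "RECEIVE_SMS", "SEND_SMS")}

def audit_manifest(xml_text):
    """Classify the permissions declared in a decoded AndroidManifest.xml."""
    # The manifest comes from an untrusted APK: refuse DTDs and entities outright.
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("DTD or entity declaration in manifest")
    root = ET.fromstring(xml_text)
    declared = {el.get(NS + "name")
                for tag in ("uses-permission", "uses-permission-sdk-23")
                for el in root.iter(tag) if el.get(NS + "name")}
    # A genuine Android VPN client declares a service guarded by
    # BIND_VPN_SERVICE with the android.net.VpnService intent action.
    declares_vpn = any(
        svc.get(NS + "permission") == P + "BIND_VPN_SERVICE"
        and any(a.get(NS + "name") == "android.net.VpnService" for a in svc.iter("action"))
        for svc in root.iter("service"))
    return {
        "red_flags": sorted(declared & RED_FLAGS),
        "unexpected": sorted(declared - EXPECTED - RED_FLAGS),
        "declares_vpn_service": declares_vpn,
    }

# Constructed sample manifest (hypothetical package, not a real app).
SAMPLE = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.freevpn">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <application><service android:name=".Tunnel" android:permission="android.permission.BIND_VPN_SERVICE">
    <intent-filter><action android:name="android.net.VpnService"/></intent-filter></service></application>
</manifest>"""

if __name__ == "__main__":
    print(audit_manifest(SAMPLE))
```

Anything listed under `red_flags` matches the contacts-or-messages warning above; entries under `unexpected` are not automatically malicious but deserve a reason before the app is installed.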
Tom's Guide has previously reported that by 2025, up to 80% of free VPNs may embed tracking, and data-selling practices of free VPN apps could hit 60%.
Fake reviews are also a growing problem, potentially comprising over a third of VPN app reviews, making unsafe tools appear trustworthy.
This is why it's crucial for consumers to understand the signs of fake VPN apps, so they can avoid falling victim to them.
What else does Google's advisory cover?
Beyond malicious VPNs, Google's report warns about five additional scam categories now trending worldwide:
Online job scams
Fraudsters often impersonate legitimate career platforms, recruiters, or government agencies to target victims.
The goal of this scam can be anything from stealing documents or banking details, to delivering malware through fake application forms and interview software.
Be wary of any unsolicited contact regarding a job offer, especially if the sender demands that you download a file or file-sharing software in order to apply.
Negative review extortion
This type of extortion sees scammers "review-bomb" businesses with fake 1-star ratings in an attempt to ruin their livelihood, then demand payment to stop the attacks.
Google has said it is rolling out a dedicated merchant reporting tool to combat this.
AI product impersonation schemes
In this scheme, cybercriminals mimic popular AI services with fake apps, browser extensions, and phishing sites promising free access.
These fake apps, extensions, and sites frequently carry malware that infects victims' devices, or push fleeceware subscriptions.
Avoid these scams by only downloading software from trusted sites and app stores, and make sure to double-check the URL of any site for intentional typos before downloading anything.
Fraud recovery scams
This manipulative scam sees victims of previous financial crime directly targeted again by criminals.
Scammers pose as investigators or recovery specialists, demanding upfront fees to "retrieve" the victim's previously stolen funds.
If you have been the victim of financial crime, legitimate investigators will never demand money upfront from you in order to recover your stolen funds.
Seasonal holiday scams
Fake storefronts, deceptive ads, and phishing campaigns surge during major shopping periods, including Black Friday and Cyber Monday.
This is why it is essential to understand the red flags of these schemes and avoid scams this holiday season.
Be wary of anything that looks too good to be true, and anything that appears to be pushing you into making a decision – especially if it is attempting to inspire strong emotions. Also, make sure to independently verify any deals that you come across with the official site or company.
- Olivia Powell, Tech Software Commissioning Editor
