Google issues VPN warning to millions as Playfulghost malware infections surge
Hackers are distributing the terrifying new strain of malware via email and VPN download links
Google security experts have sounded the alarm about a dangerous new malware threat, Playfulghost, distributed worldwide via fraudulent VPN apps. The scam uses sophisticated techniques, like so-called "SEO poisoning", to trick users into downloading infected VPN software, the researchers have warned.
What makes this latest cyberattack especially cruel is that signing up for one of the best VPN deals is usually a surefire way to strengthen your online security and privacy. But those unlucky enough to install the fake VPN applications laced with malware now find themselves in the worst possible situation.
Researchers have uncovered examples of the Playfulghost malware being distributed via fraudulent VPN links on search engines, like Google, as well as infected image files sent over email.
Playfulghost allows hackers to monitor every letter typed on your keyboard, a technique known as "keylogging", and to record audio from the built-in microphone on your laptop, tablet, or desktop PC. It can also be used to record what's happening on-screen, a key component in blackmail scams.
The dangerous malware also enables attackers to remotely execute various file management activities, including opening, deleting and writing new files. This can enable hackers to download and install other types of malware on machines infected with Playfulghost.
Interestingly, Playfulghost shares its functionality with Gh0st RAT — a remote administration tool that wreaked havoc on PCs for years starting from 2001 and whose source code was made public in 2008. This widely-available code has spawned a series of clones and copycats, including this latest strain.
The malware was identified because of "its use of distinct traffic patterns and encryption," according to Google.
Security researchers from Google have identified two ways that hackers are spreading the malware.
First up, crooks are using phishing emails, unsolicited messages that attempt to trick people into downloading viruses and malware. Examples spotted by the team at Google involve emails with themes like “Code of Conduct” to trick users into downloading the attached file, which turns out to be the nasty Playfulghost malware.
In another documented case, a victim was tricked into opening an infected image file, which then executed Playfulghost from a remote server in the background on their machine.
The second way of distributing the malware involves bundling it with popular VPN apps via a process known as SEO poisoning, which manipulates search engine results to make malicious downloads appear legitimate.
According to a blog post penned by Google security experts: "The malware is bundled with popular applications, like LetsVPN, and distributed through SEO poisoning. This involves manipulating search engine results to make the bundled software appear at the top of searches, making it seem like a legitimate download."
It's unclear how many people worldwide are impacted by the latest malware attack.
But the spread of Playfulghost comes at a time when millions of people worldwide are turning to VPN services to protect their online privacy and bypass geographical restrictions.
Data from vpnMentor shows a staggering 1,150% spike in searches related to Virtual Private Networks (VPNs) within hours of new age-verification legislation taking effect in Florida, USA.
The new age-verification legislation, known as House Bill 3 (HB 3), came into effect on January 1, 2025.
This law introduces significant restrictions aimed at protecting minors from harmful online content, particularly on social media platforms and pornographic websites. The legislation blocks children under the age of 14 from creating or using social media accounts, like TikTok and Instagram.
For those aged 14 to 15, parental consent is required to establish an account. Social media companies are mandated to delete existing accounts of users under 14 and ensure compliance with these age restrictions.
Websites offering adult content must implement age verification processes. This includes the option for "anonymous age verification," which must be conducted by a third-party service that does not retain personal information after verification.
Violations of this strict new law can result in civil penalties of up to $50,000 per infraction. Ouch.
As well as the privacy benefits of VPNs, these applications can be used to spoof your location by manually changing your IP address.
If you live in Florida, adjusting your IP address to make it appear as if you're living in another US State — or another country — will mean you're exempt from the rules introduced by House Bill 3.
The dramatic surge in VPN searches in Florida has created an ideal environment for cybercriminals deploying Playfulghost through manipulated search results.
Security experts warn that as more people hunt for a cheap VPN deal to circumvent geographical restrictions, the risk of encountering SEO-poisoned results containing Playfulghost continues to grow.
LetsVPN is one of the Virtual Private Networks that have been hit by the Playfulghost malware, with the fraudulent .EXE installer for Windows available to download from a number of illicit websites.
So, what can you do?
Security experts always recommend reviewing new apps with a critical eye before downloading, paying particular attention to poor grammar in app descriptions and minimal user reviews on platforms like Google Play Store, Apple App Store, and Chrome Web Store.
Security firm McAfee advises users to avoid applications that require accessibility services unless absolutely necessary. As always, if you notice some odd behaviour from your laptop, desktop PC, tablet or smartphone, check for any applications that you don't recognise.
Scanning your device with a malware removal application can help spot hidden threats. Revoke permissions granted to any services or apps that you don't recognise.
In a bid to stymie the spread of Playfulghost, users are being urged to only download VPN applications directly from providers' official websites rather than through search engine results to ensure legitimacy.