Google Detects Playfulghost Backdoor Malware in VPN Apps

Google Managed Defense team has uncovered a new malware campaign using SEO poisoning and phishing to target users with a backdoor called Playfulghost.

The malware – a remote access trojan (RAT) – can execute a range of activities, including keylogging, capturing screenshots, recording audio, stealing files, and more. Playfulghost is also capable of stealing data from apps like Sogou, QQ and 360 Safety, and is equipped with a rootkit that can hide evidence of its presence.

Google says that at least in one observed incident, Playfulghost was delivered via malicious advertising and SEO poisoning in the form of a Playfulghost-laced trojanized installer for LetsVPN, a popular and legitimate virtual private network service.

The Playfulghost malware is bundled with popular applications and VPNs. In the case of LetsVPN, Google’s managed defense team says the malware is being distributed via SEO poisoning, where search engine results are manipulated to make the bundled software appear at the top of searches, giving the impression that it’s a legitimate download.

“SEO poisoning involves the use of malicious tactics to manipulate search engine results to rank malicious links highly in the results for specific search queries,” Google’s managed defense team wrote in a blog post. “In the case of Playfulghost, this is being used to distribute the malware alongside popular applications, such as VPNs, making it seem like a legitimate download.”

Google has observed that Playfulghost is being distributed via phishing attacks as well. For example, victims might receive an email with a subject line like “Code of conduct” that includes a malicious RAR file posing as an image.

When the victim opens the RAR, it drops a malicious Windows executable, which in turn downloads and executes Playfulghost from a remote server. In some cases, attackers are using social engineering to trick victims into thinking the Playfulghost payload is a legitimate file, Google says.

Google says that the tactics being used to distribute Playfulghost are sophisticated, adding that the malware leverages “DLL search order hijacking” and “side loading” to load in memory after being downloaded, among other techniques.

The SEO poisoning and trojanized installers for popular software are “frustratingly successful,” Google says, with Playfulghost infecting “dozens” of devices.

Google stresses that users should be cautious when downloading apps from the web, and only install software from trusted sources. Google also recommends that users be on the lookout for phishing attacks and regularly update their devices.

Google’s blog post is a reminder that even legitimate-looking software installers can bring malware along with them.