Is Free VPN safe?

Analysis summary

Summary:
The "Free VPN" extension is designed to provide VPN services but is confirmed to exhibit malicious behavior, including involvement in known malicious campaigns and executing harmful activities.

Key insights:

Intended to offer VPN and proxy services for secure browsing.
Rated High due to confirmed malicious activity and association with malicious campaigns.
Executes arbitrary code from external servers, posing a significant security threat.
Utilizes broad permissions to intercept and modify network traffic, exceeding its declared purpose.
Poses a critical risk to privacy and organizational security by enabling unauthorized data access and manipulation.

Malware versions

3.5.1

malware

3.6

malware

3.6.1

Now Viewing

malware

Findings

Malicious Activity Detected

Flags items that exhibit confirmed malicious activity.

critical

Evidence

This item fetches and executes payloads from external servers, that steals affiliate commissions, tracks user activity, removes security protections, and conducts various types of fraud through hidden iframes.

Associated with Malicious Campaign

Flags items that have been linked to known malicious campaigns based on threat intelligence or prior incidents. Indicates coordinated activity with intent to compromise, deceive, or exploit users.

critical

Highly Obfuscated Code

Flags items that contain highly obfuscated code, potentially used to hide malicious intent or make the code difficult to analyze.

high

All findings are available for Enterprise users

Code analysis

AI-powered analysis of the extension's source code for security insights and risk assessment.

Purpose and Intention

This code is part of a browser extension ("Free VPN by Free VPN") for Firefox. Its main purpose is to detect the user's browser and platform, facilitate communication between the extension's background and content scripts, and manage UI elements such as modals. It also appears to interact with VPN-related functionality and possibly ad blocking.

Key Functionalities

Browser and Platform Detection:
- Uses a library (Bowser) to parse the user agent string and determine browser, OS, engine, and platform type.
- This is standard for extensions that need to adapt behavior based on the browser environment.
Extension Messaging:
- Defines a messaging API (x.listen and x.send) to communicate between different parts of the extension (e.g., background and content scripts).
- Uses runtime.onMessage.addListener and runtime.sendMessage for inter-script communication.
UI Management:
- Checks if the extension is pinned and, if not, displays a modal by adding a CSS class to an element.
VPN/Proxy Control:
- Enumerates a set of string constants related to VPN/proxy actions (e.g., startSession, fetchServers, enableSmartProxy, etc.), but the actual network or VPN logic is not present in this snippet.

API Calls

Uses standard browser extension APIs: runtime.onMessage, runtime.sendMessage.
No direct use of low-level or potentially dangerous APIs (e.g., file system, process execution, clipboard, registry, or shell commands).

Network Activity

No direct network requests (e.g., fetch, XMLHttpRequest, WebSocket) are present in this code. Any network activity would be handled elsewhere in the extension.

Filesystem, Registry, and Privilege Escalation

No file creation, registry access, or privilege escalation attempts are present.

Obfuscation

The code is minified but not obfuscated. Variable names are shortened, but logic is readable and not intentionally hidden.

Summary

The code is primarily concerned with browser detection, extension messaging, and UI management. There are no strong indicators of malicious behavior in this snippet.

Permissions

critical

webRequest

api

Enables monitoring and modification of all network requests, allowing the extension to intercept, block, or alter data sent and received by the browser.

high

history

api

Provides complete access to browsing history including URLs, page titles, and visit timestamps.

high

privacy

api

Allows modification of browser privacy settings that control features like network predictions and protection services.

API Calls

API calls detected through static analysis of the source code. For more accurate insights, explore our sandbox dynamic analysis.

high

Enterprise Only

medium

Enterprise Only

low

Enterprise Only

API CALLS ARE AVAILABLE FOR ENTERPRISE USERS

Secrets

Any encoded/decoded secrets we managed to find in the source code, git repository, or related files

high

Enterprise Only

medium

Enterprise Only

low

Enterprise Only

SECRETS ARE AVAILABLE FOR ENTERPRISE USERS

Vulnerabilities

Known vulnerabilities and security issues detected in the extension's dependencies and code.

high

Enterprise Only

medium

Enterprise Only

low

Enterprise Only

VULNERABILITIES ARE AVAILABLE FOR ENTERPRISE USERS

External communication

Any identifiers we detected that may indicate external communication from the item's code

https://github.com/lancedikson/bowser

background.js

https://freevpnplanet.com

background.js

https://account.freevpnplanet.com

background.js

All external communications are available for Enterprise users

Dependencies

Dependencies and third-party libraries used by the extension, including version information and license details.

high

Enterprise Only

medium

Enterprise Only

low

Enterprise Only

DEPENDENCIES ARE AVAILABLE FOR ENTERPRISE USERS

Licenses & Compliance

Licenses

Mozilla Public License 2.0

View License

This Source Code Form is subject to the terms of the Mozilla Public License, v. 2.0. If a copy of the MPL was not distributed with this file, You can obtain one at <a rel="nofollow" href="https://prod...