Iranian VPN users warned over spyware in VPN installer


With the ongoing freedom protests in Iran and the brutal crackdown by the theocratic regime there, the use of a VPN in Iran has quite simply never been more important than it is right now.

This is why the latest revelations that spyware originating in Iran is present in some VPN installer software are a matter of huge concern for a lot of VPN users working hard to secure their freedom in Iran.

What has the research revealed?

The revelations about the presence of a spyware tool in some VPN installers have come from Bitdefender, who conducted the research in conjunction with Blackpoint and published their findings in a detailed white paper.

The spyware in question is called Second Eye and is described by Bitdefender as being a spyware tool developed in Iran and circulated legitimately through the developer’s website.

However, in Bitdefender’s routine analysis of detection performance, they spotted some anomalies that caught their eye.

For technically minded readers, they noticed a batch of processes whose names all followed the same pattern: a prefix of sys, win or lib, followed by a word describing the functionality, such as bus, crt, temp, cache or init, and ending in 32.exe.

After subsequently noticing that the .bat files and the downloaded payloads followed the same naming convention, they took a closer look and concluded that they were part of Second Eye.
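The naming convention described above lends itself to a simple triage check over process and file names from an endpoint. The following is an added example written for this article, not code from Bitdefender's or Blackpoint's research; the sample names, the allowlist and the 2-to-8-letter bound on the functionality word are constructed assumptions.

```python
import re

# Convention reported by Bitdefender for the Second Eye components: a prefix of
# sys, win or lib, a short word describing the function (bus, crt, temp, cache,
# init, ...), then the suffix 32 and a .exe or .bat extension. The 2-8 letter
# bound on the word is an assumption made for this example.
PATTERN = re.compile(r"^(sys|win|lib)([a-z]{2,8})32\.(exe|bat)$", re.IGNORECASE)

# Known-good Windows binaries that happen to fit the same shape. Constructed
# allowlist for this example; build yours from a clean reference image.
ALLOWLIST = {"winhlp32.exe"}


def matches_convention(name):
    """Return (prefix, word) if the name fits the convention, else None."""
    m = PATTERN.match(name.strip().lower())
    if not m:
        return None
    return m.group(1), m.group(2)


def flag_suspicious(names):
    """Return the names worth a closer look: convention matches not on the allowlist."""
    hits = {n.strip().lower() for n in names
            if matches_convention(n) and n.strip().lower() not in ALLOWLIST}
    return sorted(hits)


# Constructed sample of process and file names, not data from the white paper.
SAMPLE = [
    "explorer.exe", "svchost.exe", "sysbus32.exe", "wincrt32.exe",
    "libtemp32.exe", "libcache32.bat", "rundll32.exe", "winhlp32.exe",
    "sysinit32.exe", "chrome.exe",
]

if __name__ == "__main__":
    for name in flag_suspicious(SAMPLE):
        print("review:", name)
```

A match is a prompt to look at the binary's origin and signature, not a verdict; rundll32.exe and regsvr32.exe do not fit the prefix rule, but winhlp32.exe shows why an allowlist is needed.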

As we have already noted, Second Eye is an online surveillance tool that has been developed and distributed in Iran. While Second Eye is technically legitimate, it goes without saying that such a tool can be used for malicious purposes, and that was what appeared to be happening here.

How was Second Eye being used maliciously?

The researchers at Bitdefender and Blackpoint found that while Second Eye components were being deployed, it was not through a legitimate Second Eye installer. Instead, the software was being distributed through trojanised installers of VPN software.

In other words, when you downloaded certain VPNs, you were also downloading the Second Eye spyware tool without knowing that you were doing so.

Before too many users begin to get into a panic and start uninstalling their VPNs, it is important to note that this spyware tool has only been detected on VPN installers from software that has been developed in Iran.

The only VPN named in the white paper was 20Speed VPN, which is neither a VPN provider that we recommend nor one that we had heard of before.

There is, therefore, no reason for users of the many legitimate VPN services that we profile on this site to have any concerns whatsoever that this is an issue that might affect them.

If you are using an Iranian-developed VPN, and especially 20Speed VPN, there is definitely cause for concern.

Why has Second Eye been added to VPN installers?

The Bitdefender white paper can only speculate about why Second Eye has been used in this way. It is possible, as the paper notes, that a malicious actor has hacked into the servers of both Second Eye and 20Speed VPN to deploy it maliciously.

However, given the current circumstances in Iran and the fact that both of these tools have been developed there, it seems far more likely that this step has been taken deliberately in an attempt to spy on Iranians who are using VPNs to evade the regime’s onerous online censorship and who are involved in the freedom protests against the regime.

The findings send a clear message to all Iranians that it is simply not safe to use an Iranian VPN. They also highlight the importance of ensuring that you are downloading your VPN software from a legitimate source (a lesson for VPN users everywhere, not just in Iran).

If you are a user of 20Speed VPN, our best advice is to wipe your device entirely to remove any possible spyware that you might have downloaded inadvertently. You should then sign up for one of our recommended VPNs, almost all of which can bypass Iran’s online censorship, and give protestors secure and private access to the internet.

VPNCompare stands with the Iranian protestors as they attempt to secure their freedom from the regime that has oppressed this country for decades.

We congratulate Bitdefender on highlighting this spyware issue and hope the finding will help more protestors to stay on the street, standing up for what they believe in and what is best for them and their country.

Author: David Spencer

David is a cyber-security and technology reporter who monitors everything going on in the privacy world. He has been fighting for a less restricted internet as a member of the VPNCompare team for over 7 years.

Away from writing, he enjoys reading and politics. He is currently learning Mandarin too... slowly.
