Full Report
A free VPN app called Big Mama is selling access to people’s home internet networks. Kids are using it to cheat in a VR game while researchers warn of bigger security risks.
Analysis Summary
# Tool/Technique: Big Mama VPN / Big Mama Proxy Network
## Overview
Big Mama consists of a free Virtual Private Network (VPN) application (available on the Google Play Store) and an associated residential proxy network. While marketed to users—including teenagers side-loading it onto VR headsets for in-game advantages—the service is monetized by selling access to the home internet connections (IP addresses) of its free users to third parties, effectively turning users' devices into residential proxies. This network is known to be advertised and utilized by cybercriminals for malicious activities.
## Technical Details
- Type: Proxyware / potentially unwanted application (a free VPN client whose installed base feeds a commercial residential proxy pool). It is openly distributed rather than covertly installed, so "malware" in the classic sense does not quite fit; the harm lies in the business model.
- Platform: Android (Primary distribution via Google Play Store); Headsets capable of side-loading Android apps (e.g., Meta VR headsets).
- Capabilities: Provides a free VPN service; sells access to the user's home IP address as a residential proxy; relays third parties' traffic out through the user's home connection, so that traffic appears to originate from the household rather than from the paying customer.
- First Seen: Trend Micro detected VR headsets using the app earlier in the year; Talos noted the network being used in cyberattacks prior to this.
## MITRE ATT&CK Mapping
This summary maps the *use* of the resulting proxy network by malicious actors, rather than the VPN app itself. Three mappings in earlier drafts were off and are corrected here: T1090 Proxy sits under Command and Control, not Lateral Movement; a rented residential exit is T1090.002 External Proxy (T1090.003 Multi-hop Proxy applies only when the actor chains several hops); and brute force is Credential Access, with credential stuffing having its own sub-technique, T1110.004. A successful guess would then be exercised as T1078 Valid Accounts for Initial Access.
- **TA0042 - Resource Development**
  - T1665 - Hide Infrastructure (renting residential exit IPs so attack traffic blends in with ordinary consumer traffic)
- **TA0011 - Command and Control**
  - T1090 - Proxy
    - T1090.002 - External Proxy (the Big Mama exit node is a third-party residential proxy in front of the actor's own infrastructure)
    - T1090.003 - Multi-hop Proxy (only where the actor chains hops, e.g. a VPN and then the residential exit)
  - T1071 - Application Layer Protocol
    - T1071.001 - Web Protocols (attacker web traffic relayed through the exit)
- **TA0006 - Credential Access**
  - T1110 - Brute Force
    - T1110.001 - Password Guessing (guessing against SSH services from rotating residential IPs, as reported by Talos)
    - T1110.004 - Credential Stuffing (replaying leaked credentials, one or two attempts per exit IP)
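The T1110 mapping turns on a detection problem: when each guess arrives from a different residential IP, per-source lockouts never trigger. The following added example (not from the article, Talos, or Big Mama) runs two rules over a constructed set of sshd auth-log lines in which ten exit addresses drawn from the TEST-NET documentation ranges each make one or two attempts against the same two accounts. The fail2ban-style per-IP rule finds nothing; the per-account fan-in rule, which counts distinct source IPs per targeted username, finds the run.

```python
import re
from collections import Counter, defaultdict

# Constructed sshd auth.log sample (not real data). Source addresses are drawn
# from the TEST-NET documentation ranges. The shape mimics a brute-force run
# spread over a residential proxy pool: each exit IP makes only one or two
# attempts, but the same few accounts are hit from many addresses.
SAMPLE_AUTH_LOG = """\
Dec 10 09:12:01 host sshd[4411]: Failed password for root from 203.0.113.5 port 51234 ssh2
Dec 10 09:12:03 host sshd[4412]: Failed password for root from 198.51.100.17 port 40211 ssh2
Dec 10 09:12:04 host sshd[4413]: Failed password for invalid user admin from 192.0.2.44 port 39920 ssh2
Dec 10 09:12:06 host sshd[4414]: Failed password for root from 203.0.113.77 port 52001 ssh2
Dec 10 09:12:07 host sshd[4415]: Failed password for invalid user admin from 198.51.100.90 port 41777 ssh2
Dec 10 09:12:09 host sshd[4416]: Failed password for root from 192.0.2.130 port 38812 ssh2
Dec 10 09:12:10 host sshd[4417]: Failed password for root from 203.0.113.5 port 51240 ssh2
Dec 10 09:12:12 host sshd[4418]: Failed password for invalid user admin from 203.0.113.201 port 50010 ssh2
Dec 10 09:12:14 host sshd[4419]: Failed password for root from 198.51.100.3 port 42233 ssh2
Dec 10 09:12:15 host sshd[4420]: Accepted publickey for deploy from 192.0.2.10 port 33001 ssh2
Dec 10 09:12:17 host sshd[4421]: Failed password for invalid user admin from 192.0.2.77 port 37000 ssh2
Dec 10 09:12:19 host sshd[4422]: Failed password for root from 198.51.100.210 port 43333 ssh2
"""

# Matches both "Failed password for root from ..." and
# "Failed password for invalid user admin from ...".
FAILED_RE = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+"
)


def parse_failures(log_text):
    """Yield (username, source_ip) for every failed password attempt."""
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            yield m.group("user"), m.group("ip")


def per_ip_offenders(log_text, threshold=5):
    """Classic per-source rule: act once one IP has `threshold` failures.
    Against a proxy-distributed run this returns little or nothing."""
    counts = Counter(ip for _, ip in parse_failures(log_text))
    return {ip: n for ip, n in counts.items() if n >= threshold}


def per_account_fanin(log_text, min_sources=3):
    """Target-side rule that survives residential proxying: count distinct
    source IPs failing against the same account. Many sources with few
    attempts each is the signature of a proxied guessing run."""
    sources = defaultdict(set)
    for user, ip in parse_failures(log_text):
        sources[user].add(ip)
    return {u: len(ips) for u, ips in sources.items() if len(ips) >= min_sources}


def summarize(log_text):
    """Side-by-side view of why the per-IP rule misses and the per-account rule hits."""
    failures = list(parse_failures(log_text))
    ips = {ip for _, ip in failures}
    return {
        "failed_attempts": len(failures),
        "distinct_sources": len(ips),
        "mean_attempts_per_ip": round(len(failures) / len(ips), 2) if ips else 0.0,
        "per_ip_offenders": per_ip_offenders(log_text),
        "per_account_fanin": per_account_fanin(log_text),
    }


if __name__ == "__main__":
    from pprint import pprint
    pprint(summarize(SAMPLE_AUTH_LOG))
```

The response to a per-account hit is an account-side control (rate limiting or a temporary lock on the targeted username, key-only authentication for root), not an IP block: blocking residential exits one at a time is futile against a pool that rotates, and each block also cuts off the household whose connection was rented.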
## Functionality
### Core Capabilities
- Hides the true geographical location and IP address of the user by routing traffic through a VPN tunnel.
- Offers a free service with no stated data limits, encouraging widespread adoption.
- Allows the proxy network operators to sell access to the home IP addresses of connected devices to third parties.
### Advanced Features
- **Residential Proxy Provisioning:** Monetizes users by contributing their IP addresses (from Samsung, Xiaomi, and VR headsets) to a large residential proxy pool sold for as little as 40 cents per 24 hours.
- **Cybercrime Utility:** The resulting proxy network is used by cybercriminals for activities such as credential stuffing, botnets, DDoS attacks, and cyber espionage.
- **Origin Masking:** Attackers hide behind ordinary household IPs, which defeats IP-reputation blocking tuned to datacenter and commercial VPN ranges and makes blocking costly for defenders, since each blocked address also belongs to a legitimate home.
## Indicators of Compromise
- File Hashes: [Not explicitly provided in the text]
- File Names: Big Mama VPN (Application name)
- Registry Keys: [Not applicable/Provided]
- Network Indicators: From the target side, attack traffic arriving from residential IPs enrolled in the Big Mama proxy pool; the text lists no specific addresses, so commercial proxy-network reputation feeds are the practical source. From the home-network side, a persistent outbound session from the device to the provider's relay infrastructure, accompanied by connections from the same device to many unrelated external destinations.
- Behavioral Indicators: A consumer device (e.g., a VR headset) sustaining VPN/proxy-style tunnels the owner never knowingly configured; outbound traffic from that device to destinations and ports (SSH, mail, remote desktop) that make no sense for its purpose; outbound volume from a free third-party VPN app far exceeding what the user's own activity would generate.
## Associated Threat Actors
- Cybercriminals using residential proxy networks for credential stuffing, botnets, and cyber espionage. The reporting links Russian hackers to the use of residential proxy networks in general, not to Big Mama specifically.
- Teenagers cheating in "Gorilla Tag": not a threat actor but the user population whose devices become exit nodes; the free, no-account VPN is the lure that builds the pool.
## Detection Methods
- Signature-based detection: mobile EDR/MDM signatures or allow-listing that flag the Big Mama VPN package on managed Android devices and headsets.
- Behavioral detection: a device that holds a persistent session to a proxy/VPN provider while also opening connections to many unrelated external destinations is acting as a relay rather than as a VPN client (a client's own traffic goes into the tunnel; a relay's customer traffic comes out of it and fans out directly). Weight the finding higher when the device's owner never configured tunneling.
- YARA rules: [Not available in the text]
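The behavioral rule above can be run from the home router or an enterprise egress sensor without any knowledge of the provider's addresses. The following added example (not from the article or from Big Mama) applies it to constructed flow records: a laptop with an ordinary browsing profile and a headset that holds an hour-long tunnel to a hypothetical relay at 203.0.113.10 while fanning out to ten unrelated hosts, three of them on SSH. The LAN prefix, the relay address and all destinations are assumptions for the demonstration.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed flow records for a home network (not real capture data). Fields:
# start_ts,src_ip,dst_ip,dst_port,duration_s,bytes_out,bytes_in
# 10.0.0.20 is a laptop with an ordinary browsing profile. 10.0.0.31 is a VR
# headset running a proxyware-style VPN: one hour-long tunnel to a hypothetical
# relay (203.0.113.10) plus short connections to many unrelated hosts, several
# on SSH, which is the relayed customer traffic leaving via the home IP.
SAMPLE_FLOWS = """\
1733820000,10.0.0.20,198.51.100.8,443,12,4100,88000
1733820005,10.0.0.20,198.51.100.8,443,9,2200,61000
1733820030,10.0.0.20,198.51.100.40,443,3,900,15000
1733820000,10.0.0.31,203.0.113.10,443,3600,5200000,4800000
1733820010,10.0.0.31,192.0.2.11,443,2,1500,7000
1733820011,10.0.0.31,192.0.2.56,22,1,600,300
1733820012,10.0.0.31,192.0.2.89,443,2,1400,9000
1733820013,10.0.0.31,198.51.100.120,22,1,600,300
1733820014,10.0.0.31,198.51.100.7,443,3,2000,12000
1733820015,10.0.0.31,192.0.2.200,443,2,1300,6500
1733820016,10.0.0.31,198.51.100.77,22,1,600,300
1733820017,10.0.0.31,192.0.2.3,443,2,1100,5200
1733820018,10.0.0.31,203.0.113.155,443,2,1700,8100
"""

# Assumed LAN prefix. Membership in this network, not ipaddress.is_private, is
# used to tell internal from external, because Python treats the TEST-NET
# documentation ranges used above as non-global as well.
HOME_NET = ip_network("10.0.0.0/24")

# Ports a consumer gadget has no business initiating connections to.
ADMIN_PORTS = frozenset({22, 23, 25, 3389, 5900})


def parse_flows(text):
    """Parse the CSV-like flow text into dicts with typed fields."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, dur, out_b, in_b = line.split(",")
        flows.append({
            "ts": int(ts), "src": src, "dst": dst, "dport": int(port),
            "duration": int(dur), "bytes_out": int(out_b), "bytes_in": int(in_b),
        })
    return flows


def profile_hosts(flows, min_tunnel_s=1800):
    """Per internal host: distinct external destinations, long-lived peers
    (candidate proxy tunnels) and count of flows to admin ports."""
    prof = defaultdict(lambda: {"destinations": set(),
                                "long_lived_peers": set(),
                                "admin_port_flows": 0})
    for f in flows:
        src_internal = ip_address(f["src"]) in HOME_NET
        dst_internal = ip_address(f["dst"]) in HOME_NET
        if not src_internal or dst_internal:
            continue  # only LAN-to-Internet flows matter here
        p = prof[f["src"]]
        p["destinations"].add(f["dst"])
        if f["duration"] >= min_tunnel_s:
            p["long_lived_peers"].add(f["dst"])
        if f["dport"] in ADMIN_PORTS:
            p["admin_port_flows"] += 1
    return prof


def flag_relays(text, min_fanout=6, min_tunnel_s=1800):
    """Flag hosts that look like proxy exits: a persistent tunnel to one peer
    AND high fan-out to unrelated destinations. A plain VPN client shows the
    tunnel but not the fan-out, because its own traffic goes into the tunnel;
    a relay's customer traffic comes out of the tunnel and fans out directly."""
    findings = {}
    for src, p in profile_hosts(parse_flows(text), min_tunnel_s).items():
        if p["long_lived_peers"] and len(p["destinations"]) >= min_fanout:
            findings[src] = {
                "distinct_destinations": len(p["destinations"]),
                "long_lived_peers": sorted(p["long_lived_peers"]),
                "admin_port_flows": p["admin_port_flows"],
            }
    return findings


if __name__ == "__main__":
    for host, why in flag_relays(SAMPLE_FLOWS).items():
        print(host, why)
```

Thresholds are per-network judgment calls: a smart TV or game console legitimately talks to a handful of CDNs, so a fan-out floor of six over a short window is conservative for such devices but would be far too low for a laptop, which is why the tunnel condition is required as well. Any admin-port hits from a headset or phone are worth alerting on regardless of the other two counters.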
## Mitigation Strategies
- **Prevention:** Avoid free VPN apps, particularly those that need no account and whose terms of service grant the operator rights over the user's connection; a VPN with no visible revenue source is usually paid for by reselling its users' bandwidth and IP addresses.
- **Hardening Recommendations (Device Specific):** On VR platforms, exercise extreme caution when side-loading applications from sources outside of official digital storefronts. Review application permissions rigorously.
- **Network Monitoring:** Watch egress from consumer devices (headsets, phones, TVs) for long-lived sessions to VPN/proxy providers combined with connections to many unrelated destinations or to admin ports such as SSH; segment or block such devices, since each one running a proxyware VPN lends the household's IP to whoever rents it.
## Related Tools/Techniques
- General residential proxy services; the reporting cites 911 S5, a residential proxy service whose exit nodes were installs of free VPN apps that silently enrolled devices, as a comparable proxy backdoor.
- Other free VPN services that monetize user bandwidth/IPs.