Sunday, May 25, 2025
Homecyber securityHackers Using VPNs To Exploit Restrictions & Steal Mobile Data

Hackers Using VPNs To Exploit Restrictions & Steal Mobile Data

Published on

SIEM as a Service

Follow Us on Google News

Hackers are offering “free” mobile data access on Telegram channels by exploiting loopholes in telecom provider policies, which target users in Africa and Asia and involve sharing configuration files to mimic zero-rated traffic. 

The channels function as technical support hubs where users exchange instructions on creating custom payloads, setting up secure tunnels, and manipulating HTTP headers to disguise data usage, which has circulated numerous configuration files for various telecom providers over the past year. 

To bypass data metering on telecom networks, attackers leverage various tunneling techniques by manipulating data packets using tools like HTTP Injector to mimic traffic from zero-rated services (exempt from data charges).

- Advertisement - Google News

Scan Your Business Email Inbox to Find Advanced Email Threats - Try AI-Powered Free Threat Scan

Payload generators further enhance this deception. Alternatively, they establish encrypted tunnels using SSH or Stunnel, disguising their traffic as legitimate secure communication, while VPNs with obfuscation techniques and undetectable protocols achieve a similar outcome. 

Configuration files

Attackers can manipulate traffic headers with proxies or route all traffic through a remote server using SOCKS proxies, tricking the network into treating their data as unmetered. 

To abuse zero-rating policies, attackers manipulate data traffic to appear as originating from exempt services, which involves modifying HTTP headers and payloads (traffic redirection), altering DNS settings to exploit zero-rated domains, or spoofing the Server Name Indication (SNI) in HTTPS requests. 

SNI proxies can also be used to forward traffic while disguising it as coming from a zero-rated source. Split tunneling and selective routing techniques channel-specific traffic through zero-rated services while keeping other data encrypted. 

For mobile data, attackers can exploit weaknesses in APN configurations, including modifying APN settings to trick the network (APN tweaks) or rapidly switching between APNs to bypass billing (APN switching). 

HTTP injectors can be used in conjunction with pre-configured profiles that contain individualized parameters to automate zero-rating exploitation. 

CloudSEK identified several tools used to bypass online restrictions and access secure connections, including HTTP Injector, an Android application for manipulating HTTP headers, crafting custom payloads, and establishing secure tunnels. 

Your Freedom VPN Client provides various tunneling methods to bypass firewalls, while HA Tunnel Plus is another option for creating secure VPN connections.

All three tools leverage their tunneling capabilities to circumvent restrictions and enable secure internet access. 

Telecom providers can deploy a multi-layered defense to curb free data exploitation via VPNs and tunneling, while deep packet inspection (DPI) and traffic analysis pinpoint suspicious traffic patterns. 

Limiting bandwidth for well-known tunneling protocols and blocking certain SNI fields that these apps use makes them less useful.

Blacklisting malicious IP addresses and monitoring DNS traffic for tunneling attempts further tighten the net. 

Better APN security protects against changes made without permission, and machine learning models find strange behavior that could be a sign of zero-rating abuse by disrupting free data exploitation methods.

Free Webinar! 3 Security Trends to Maximize MSP Growth -> Register For Free

Aman Mishra
Aman Mishra
Aman Mishra is a Security and privacy Reporter covering various data breach, cyber crime, malware, & vulnerability.

Latest articles

Zero-Trust Policy Bypass Enables Exploitation of Vulnerabilities and Manipulation of NHI Secrets

A new project has exposed a critical attack vector that exploits protocol vulnerabilities to...

Threat Actor Sells Burger King Backup System RCE Vulnerability for $4,000

A threat actor known as #LongNight has reportedly put up for sale remote code...

Chinese Nexus Hackers Exploit Ivanti Endpoint Manager Mobile Vulnerability

Ivanti disclosed two critical vulnerabilities, identified as CVE-2025-4427 and CVE-2025-4428, affecting Ivanti Endpoint Manager...

Hackers Target macOS Users with Fake Ledger Apps to Deploy Malware

Hackers are increasingly targeting macOS users with malicious clones of Ledger Live, the popular...

Resilience at Scale

Why Application Security is Non-Negotiable

The resilience of your digital infrastructure directly impacts your ability to scale. And yet, application security remains a critical weak link for most organizations.

Application Security is no longer just a defensive play—it’s the cornerstone of cyber resilience and sustainable growth. In this webinar, Karthik Krishnamoorthy (CTO of Indusface) and Phani Deepak Akella (VP of Marketing – Indusface), will share how AI-powered application security can help organizations build resilience by

Discussion points


Protecting at internet scale using AI and behavioral-based DDoS & bot mitigation.
Autonomously discovering external assets and remediating vulnerabilities within 72 hours, enabling secure, confident scaling.
Ensuring 100% application availability through platforms architected for failure resilience.
Eliminating silos with real-time correlation between attack surface and active threats for rapid, accurate mitigation

More like this

Zero-Trust Policy Bypass Enables Exploitation of Vulnerabilities and Manipulation of NHI Secrets

A new project has exposed a critical attack vector that exploits protocol vulnerabilities to...

Threat Actor Sells Burger King Backup System RCE Vulnerability for $4,000

A threat actor known as #LongNight has reportedly put up for sale remote code...

Chinese Nexus Hackers Exploit Ivanti Endpoint Manager Mobile Vulnerability

Ivanti disclosed two critical vulnerabilities, identified as CVE-2025-4427 and CVE-2025-4428, affecting Ivanti Endpoint Manager...