
Dangerous apps turning phones into cybercriminal proxies caught red-handed


TLDR:

  • Malicious Android apps disguised as VPNs turn devices into proxies without user knowledge.
  • These apps were removed from the Google Play Store after being identified by HUMAN’s Satori Threat Intelligence team.

In a recent discovery by HUMAN’s Satori Threat Intelligence team, it was found that several malicious Android apps were turning mobile devices into residential proxies (RESIPs) for cybercriminals. These apps, disguised as VPNs, used a Golang library to transform user devices into proxy nodes without their consent. This operation has been named PROXYLIB by the company.

The 29 identified apps have since been removed by Google. Residential proxies, which are networks of proxy servers sourced from real IP addresses provided by ISPs, can be abused by threat actors to hide their origins and carry out various attacks. Threat actors may purchase access to these networks to facilitate their malicious operations.

Some of these networks are created by malware operators tricking unsuspecting users into installing fake apps, which turns their devices into a botnet that can be monetized. The Android VPN apps discovered by HUMAN were designed to connect to a remote server, enlist the infected device to the network, and process requests from the proxy network.

One concerning aspect of these apps is that a subset of them incorporated an SDK from LumiApps between May and October 2023, and that SDK contained the proxyware functionality. LumiApps allows users to upload any APK file of their choice, including legitimate applications, and bundle the SDK into it without creating a user account; the resulting APK can then be shared with others. These modified apps, referred to as mods, are distributed both within and outside the Google Play Store.

LumiApps promotes the SDK as an alternative method of app monetization to rendering ads. Evidence suggests that the threat actor behind PROXYLIB is selling access to the proxy network created by infected devices through LumiApps and Asocks, a company advertising residential proxies. LumiApps also offers cash rewards to developers for routing traffic through user devices that have installed their apps.

It is crucial for users to be cautious when downloading apps and to be aware of the potential risks associated with using proxy services without a clear understanding of how they are being utilized.
