Thursday, December 5, 2024

Beware of Free Android VPN Apps that Turn Your Device into Proxies


Cybersecurity experts have uncovered a cluster of Android VPN applications that covertly transform user devices into proxy nodes that can potentially be used for malicious activities without the users' knowledge.

This discovery has raised significant concerns about the safety of free VPN apps on the Google Play Store.

The Satori Threat Intelligence team from HUMAN, a cybersecurity firm, has identified a series of VPN apps that enroll user devices into a proxy network through a Golang library dubbed PROXYLIB.


This operation was first revealed in May 2023 when a single free VPN application, Oko VPN, was found to exhibit malicious behavior and subsequently removed from the Play Store.

Proxylib Process

Further analysis led to the identification of 28 related applications, all of which have now been removed from the Google Play Store.

However, the threat persists as the actors behind PROXYLIB continue to evolve their tactics, techniques, and procedures (TTPs).

A recent article by HUMAN Security reported malicious activity in Oko VPN, a free VPN application available on the Google Play Store.

How PROXYLIB Operates

The PROXYLIB applications establish a bidirectional connection to a proxy network, effectively turning the device into a residential proxy node without the user’s consent.

The apps masquerade as legitimate services, often as free VPNs, and use permissions such as FOREGROUND_SERVICE and BOOT_COMPLETED to maintain persistence.

The native library, libgojni.so, handles incoming requests and maintains communication with command-and-control (C2) servers.

This allows the device to relay web requests to various online platforms, which can be used for activities like ad fraud, mainly targeting video streaming services.
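The traits described above (a bundled libgojni.so plus FOREGROUND_SERVICE and BOOT_COMPLETED persistence) can be checked on an APK file before it is installed. The following is an added example, not code from HUMAN or from the original article; the function names and the in-memory sample archives are constructed for illustration, and the manifest check is a raw string search rather than a full binary-XML parse.

```python
import io
import re
import zipfile

# Indicators named in the article. libgojni.so is also the default library name
# produced by gomobile, so a match is a reason to look closer, not a verdict.
NATIVE_LIB = "libgojni.so"
PERSISTENCE_MARKERS = ("FOREGROUND_SERVICE", "BOOT_COMPLETED")


def manifest_has(manifest: bytes, marker: str) -> bool:
    """Binary AndroidManifest.xml stores strings as UTF-8 or UTF-16LE; check both."""
    return marker.encode("utf-8") in manifest or marker.encode("utf-16-le") in manifest


def triage_apk(apk_bytes: bytes) -> dict:
    """Report which of the article's PROXYLIB traits an APK (a ZIP archive) shows."""
    lib_path = re.compile(r"lib/[^/]+/" + re.escape(NATIVE_LIB))
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        names = apk.namelist()
        libs = sorted(n for n in names if lib_path.fullmatch(n))
        manifest = apk.read("AndroidManifest.xml") if "AndroidManifest.xml" in names else b""
    markers = [m for m in PERSISTENCE_MARKERS if manifest_has(manifest, m)]
    # Flag for manual review only when the Go library and both persistence markers co-occur.
    return {"native_libs": libs, "persistence_markers": markers,
            "review": bool(libs) and len(markers) == len(PERSISTENCE_MARKERS)}


def build_sample_apk(files: dict) -> bytes:
    """Build a constructed in-memory ZIP standing in for an APK (sample data only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, data in files.items():
            z.writestr(name, data)
    return buf.getvalue()


# Constructed samples: one archive with all three traits, one with none of them.
SUSPECT = build_sample_apk({
    "AndroidManifest.xml": ("android.permission.FOREGROUND_SERVICE\0"
                            "android.permission.RECEIVE_BOOT_COMPLETED").encode("utf-16-le"),
    "lib/arm64-v8a/libgojni.so": b"\x7fELF",
})
BENIGN = build_sample_apk({
    "AndroidManifest.xml": b"android.permission.INTERNET",
    "lib/arm64-v8a/libapp.so": b"\x7fELF",
})

if __name__ == "__main__":
    print(triage_apk(SUSPECT))
    print(triage_apk(BENIGN))
```

Because many legitimate apps use foreground services, boot receivers, or Go libraries on their own, the `review` flag only prioritizes an APK for closer analysis.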

Two apps from the first variant of PROXYLIB (Source: HUMAN Threat Intelligence)

The LumiApps SDK Connection

A subsequent version of PROXYLIB was found to be distributed through an SDK called LumiApps.

lumiapps[.]io landing page

This service allows users to upload an APK and add the SDK automatically without needing the source code.

The modified APKs are then distributed outside the Google Play Store, often as “mods” or patched versions of legitimate apps.

Documentation on integrating the LumiApps SDK into an application during development

The threat actor behind PROXYLIB is believed to be monetizing the network through Asocks, a residential proxy seller.

By selling access to the proxy network created by the infected devices, the actor incentivizes developers to integrate the LumiApps SDK into their apps, thus expanding the network.

Country selection menu

Protecting Yourself from Proxylib Attacks

Android users are now automatically protected against PROXYLIB attacks by Google Play Protect, which is enabled by default on devices with Google Play Services.

Google Play Protect can warn users or block apps exhibiting malicious behavior, even if they originate from outside the Play Store.

HUMAN continues to collaborate with Google and other entities to mitigate the impact of PROXYLIB.

They recommend that users only download mobile apps from official marketplaces and avoid clones or “mods” of popular apps.

The Ongoing Battle Against Cyber Threats

Despite removing the identified applications, the threat actor behind PROXYLIB remains active.

HUMAN’s Bot Defender has blocked a significant amount of traffic from IPs associated with Asocks, which are used in various attacks, such as account takeovers and web scraping.

The IP address of the infected device

HUMAN emphasizes the importance of vigilance and recommends that users stay informed about the potential risks of free VPN apps.

The company pledges to continue monitoring for adaptations of PROXYLIB and for attacks carried out through residential proxy networks.

While free VPN apps may seem appealing, users must exercise caution and conduct due diligence before downloading such applications to protect their devices and personal information from being exploited by hidden proxy networks.


Divya
Divya is a Senior Journalist at GBhackers covering Cyber Attacks, Threats, Breaches, Vulnerabilities and other happenings in the cyber world.
