Cybersecurity experts have uncovered a cluster of Android VPN applications that covertly transform user devices into proxy nodes, potentially engaging in malicious activities without their knowledge.
This discovery has raised significant concerns about the safety of free VPN apps on the Google Play Store.
The Satori Threat Intelligence team from HUMAN, a cybersecurity firm, has identified a series of VPN apps that enroll user devices into a proxy network through a Golang library dubbed PROXYLIB.
This operation was first revealed in May 2023 when a single free VPN application, Oko VPN, was found to exhibit malicious behavior and subsequently removed from the Play Store.
Further analysis led to the identification of 28 related applications, all of which have now been removed from the Google Play Store.
However, the threat persists as the actors behind PROXYLIB continue to evolve their tactics, techniques, and procedures (TTPs).
A recent article by HumanSecurity discovered malicious activity in Oko VPN, a free VPN application available on the Google Play Store.
The PROXYLIB applications establish a bidirectional connection to a proxy network, effectively turning the device into a residential proxy node without the user’s consent.
The apps masquerade as legitimate services, often as free VPNs, and use permissions such as FOREGROUND_SERVICE and BOOT_COMPLETED to maintain persistence.
The native library, libgojni.so, handles incoming requests and maintains communication with command-and-control (C2) servers.
This allows the device to relay web requests to various online platforms, which can be used for activities like ad fraud, mainly targeting video streaming services.
A subsequent version of PROXYLIB was found to be distributed through an SDK called LumiApps.
This service allows users to upload an APK and add the SDK automatically without needing the source code.
The modified APKs are then distributed outside the Google Play Store, often as “mods” or patched versions of legitimate apps.
The threat actor behind PROXYLIB is believed to be monetizing the network through Asocks, a residential proxy seller.
By selling access to the proxy network created by the infected devices, the actor incentivizes developers to integrate the LumiApps SDK into their apps, thus expanding the network.
Android users are now automatically protected against PROXYLIB attacks by Google Play Protect, which is enabled by default on devices with Google Play Services.
Google Play Protect can warn users or block apps exhibiting malicious behavior, even if they originate from outside the Play Store.
HUMAN continues to collaborate with Google and other entities to mitigate the impact of PROXYLIB.
They recommend that users only download mobile apps from official marketplaces and avoid clones or “mods” of popular apps.
Despite removing the identified applications, the threat actor behind PROXYLIB remains active.
HUMAN’s Bot Defender has blocked a significant amount of traffic from IPs associated with Asocks, which are used in various attacks, such as account takeovers and web scraping.
HUMAN emphasizes the importance of vigilance and recommends that users stay informed about the potential risks of free VPN apps.
The company pledges to continue monitoring for adaptations of PROXYLIB, and attacks carried out through residential proxy networks.
While free VPN apps may seem appealing, users must exercise caution and conduct due diligence before downloading such applications to protect their devices and personal information from being exploited by hidden proxy networks.
Stay updated on Cybersecurity news, Whitepapers, and Infographics. Follow us on LinkedIn & Twitter.
A critical security flaw has been uncovered in certain TP-Link routers, potentially allowing malicious actors…
SilkSpecter, a Chinese financially motivated threat actor, launched a sophisticated phishing campaign targeting e-commerce shoppers…
The research revealed how threat actors exploit SEO poisoning to redirect unsuspecting users to malicious…
Black Basta, a prominent ransomware group, has rapidly gained notoriety since its emergence in 2022…
CVE-2024-52301 is a critical vulnerability identified in Laravel, a widely used PHP framework for building…
A critical vulnerability has been discovered in the popular "Really Simple Security" WordPress plugin, formerly…