Beware of Free Android VPN Apps that Turn Your Device into Proxies

Cybersecurity experts have uncovered a cluster of Android VPN applications that covertly turn users' devices into proxy nodes, which may then be used for malicious activity without the users' knowledge.

This discovery has raised significant concerns about the safety of free VPN apps on the Google Play Store.

The Satori Threat Intelligence team from HUMAN, a cybersecurity firm, has identified a series of VPN apps that enroll user devices into a proxy network through a Golang library dubbed PROXYLIB.

This operation was first revealed in May 2023, when a single free VPN application, Oko VPN, was found to exhibit malicious behavior and was subsequently removed from the Play Store.

Proxylib Process

Further analysis led to the identification of 28 related applications, all of which have now been removed from the Google Play Store.

However, the threat persists as the actors behind PROXYLIB continue to evolve their tactics, techniques, and procedures (TTPs).

A recent article by HUMAN Security reported malicious activity in Oko VPN, a free VPN application available on the Google Play Store.

How PROXYLIB Operates

The PROXYLIB applications establish a bidirectional connection to a proxy network, effectively turning the device into a residential proxy node without the user’s consent.

The apps masquerade as legitimate services, often as free VPNs, and use permissions such as FOREGROUND_SERVICE and BOOT_COMPLETED to maintain persistence.

The native library, libgojni.so, handles incoming requests and maintains communication with command-and-control (C2) servers.

This allows the device to relay web requests to various online platforms, which can be used for activities like ad fraud, mainly targeting video streaming services.

Two apps from the first variant of PROXYLIB (Source: HUMAN Threat Intelligence)
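The indicators named above (the native library libgojni.so plus the FOREGROUND_SERVICE and BOOT_COMPLETED persistence markers) can be checked in an APK with a short triage script. This is an added example, not code from HUMAN or from the original article; the sample APK is constructed in memory, and the function names and the "review" rule (library and both markers together) are assumptions made for illustration.

```python
import io
import zipfile

# Indicators named in the article. libgojni.so is also the default library name
# for apps built with Go's gomobile bindings, so a hit is a triage signal only.
NATIVE_LIB = "libgojni.so"
PERSISTENCE_MARKERS = ("FOREGROUND_SERVICE", "BOOT_COMPLETED")


def manifest_has(manifest: bytes, marker: str) -> bool:
    # Compiled manifests keep strings as UTF-8 or UTF-16LE, so test both.
    return marker.encode("utf-8") in manifest or marker.encode("utf-16-le") in manifest


def triage_apk(apk) -> dict:
    """Report which indicators an APK (path or file object) contains."""
    with zipfile.ZipFile(apk) as zf:
        names = zf.namelist()
        libs = sorted(n for n in names
                      if n.startswith("lib/") and n.rsplit("/", 1)[-1] == NATIVE_LIB)
        manifest = zf.read("AndroidManifest.xml") if "AndroidManifest.xml" in names else b""
    markers = [m for m in PERSISTENCE_MARKERS if manifest_has(manifest, m)]
    # Flag for manual review only when the library and both markers co-occur.
    return {"native_libs": libs, "persistence_markers": markers,
            "review": bool(libs) and len(markers) == len(PERSISTENCE_MARKERS)}


def build_constructed_apk(entries: dict) -> io.BytesIO:
    # Constructed in-memory stand-in for an APK; not a real application.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    buf.seek(0)
    return buf


if __name__ == "__main__":
    strings = "android.permission.FOREGROUND_SERVICE\0android.permission.RECEIVE_BOOT_COMPLETED"
    sample = build_constructed_apk({
        "AndroidManifest.xml": strings.encode("utf-16-le"),
        "lib/arm64-v8a/libgojni.so": b"\x7fELF",
        "classes.dex": b"dex\n035\0",
    })
    print(triage_apk(sample))
```

A flagged APK still needs manual analysis: many legitimate apps run foreground services, start at boot, or ship Go code, so the combination narrows the review queue rather than identifying PROXYLIB.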

The LumiApps SDK Connection

A subsequent version of PROXYLIB was found to be distributed through an SDK called LumiApps.

lumiapps[.]io landing page

This service allows users to upload an APK and add the SDK automatically without needing the source code.

The modified APKs are then distributed outside the Google Play Store, often as “mods” or patched versions of legitimate apps.

Documentation on integrating the LumiApps SDK into an application during development

The threat actor behind PROXYLIB is believed to be monetizing the network through Asocks, a residential proxy seller.

By selling access to the proxy network created by the infected devices, the actor incentivizes developers to integrate the LumiApps SDK into their apps, thus expanding the network.

Country selection menu

Protecting Yourself from PROXYLIB Attacks

Android users are now automatically protected against PROXYLIB attacks by Google Play Protect, which is enabled by default on devices with Google Play Services.

Google Play Protect can warn users or block apps exhibiting malicious behavior, even if they originate from outside the Play Store.

HUMAN continues to collaborate with Google and other entities to mitigate the impact of PROXYLIB.

They recommend that users only download mobile apps from official marketplaces and avoid clones or “mods” of popular apps.

The Ongoing Battle Against Cyber Threats

Despite removing the identified applications, the threat actor behind PROXYLIB remains active.

HUMAN’s Bot Defender has blocked a significant amount of traffic from IPs associated with Asocks, which are used in various attacks, such as account takeovers and web scraping.

The IP address of the infected device

HUMAN emphasizes the importance of vigilance and recommends that users stay informed about the potential risks of free VPN apps.

The company pledges to continue monitoring for adaptations of PROXYLIB and for attacks carried out through residential proxy networks.

While free VPN apps may seem appealing, users must exercise caution and conduct due diligence before downloading such applications to protect their devices and personal information from being exploited by hidden proxy networks.


Divya

Divya is a Senior Journalist at GBhackers covering Cyber Attacks, Threats, Breaches, Vulnerabilities and other happenings in the cyber world.
