Android Phones Transformed into Proxies by Free VPN Apps on Google Play

Malware Attack

Numerous free VPN applications available on Google Play were discovered to be employing a malicious software development kit (SDK) to transform Android devices into unwitting residential proxies, likely exploited for cybercriminal activities and shopping bots.

Residential proxies reroute internet traffic through devices located in homes, masking the traffic's origin and making it appear legitimate, thus reducing the likelihood of being blocked. While residential proxies serve legitimate purposes like market research, ad verification, and SEO, cybercriminals often misuse them for nefarious activities such as ad fraud, phishing, and credential stuffing.

Users may voluntarily register for proxy services in exchange for monetary rewards, but some services resort to unethical methods to covertly install proxying tools on users' devices. This surreptitious installation hijacks users' internet bandwidth without their knowledge, potentially exposing them to legal repercussions for facilitating malicious activities.

According to a report by HUMAN's Satori threat intelligence team, 28 applications on Google Play, including 17 masquerading as free VPN software, were identified as using a malicious SDK named "Proxylib" by LumiApps. This SDK, written in Golang, facilitates proxying activities by converting Android devices into proxy servers.

The first instance of this malicious activity was detected in May 2023 with the "Oko VPN" app, followed by the observation of similar behaviour in apps associated with the LumiApps Android app monetization service. Subsequent investigations revealed a network of apps utilizing the ProxyLib library to carry out proxying activities, a list of which includes several popular apps such as Turbo Track VPN, Secure Thunder, and Run VPN.

While LumiApps claims that its SDK is designed for benign purposes like loading webpages in the background to gather publicly available information, its usage in these apps for malicious proxying activities raises concerns. It is unclear whether the developers of these free apps were aware of the SDK's covert proxying functionality.

The affiliation of the malicious apps with the Russian residential proxy service provider 'Asocks' further underscores the potential involvement of cybercriminal elements. Following the report, Google removed the identified apps from the Play Store and updated Google Play Protect to detect libraries associated with LumiApps SDKs.

Although many of the removed apps have reappeared on the Google Play store, it is recommended that users update to versions without the offending SDK or uninstall them altogether to mitigate risks. Paid VPN apps are suggested as a safer alternative, as they are less likely to employ indirect monetization methods and prioritize user privacy and security.