Dozens of VPN applications that turn Android devices into residential proxies made their way into the Google Play store, Human Security reports.
All the identified malicious applications contained a Golang library responsible for enrolling the device as a proxy node, and appear linked to Asocks, a residential proxy seller.
As part of the operation, which Human Security calls Proxylib, at least 28 VPN applications containing the malicious library were submitted to Google Play. All apps have been removed from the store, but a version of Proxylib was also found in the LumiApps SDK, which can add the malicious functionality to any APK.
Residential proxy networks allow threat actors to route traffic through users’ devices and hide malicious activity, making it appear as if originating from residential IP addresses instead of the attackers’ infrastructure.
According to Human, the first mention of the LumiApps SDK was seen in May 2023, roughly a week after an ad fraud scheme relying on the Android application Oko VPN was publicly disclosed. In August, the researchers observed an increase in APKs packing Proxylib.
Both earlier versions of the Proxylib applications (which are related to Oko VPN) and newer variants that use the LumiApps SDK function the same, turning the device into a proxy without the user’s knowledge.
Threat actors have been observed relying on a LumiApps service that allows them to upload an APK to bundle the toolkit without having the source code to modify legitimate applications and add the malicious proxying functionality.
Human says it has identified hundreds of modified applications in online third-party repositories, as well as multiple developers who added the SDK to their products and submitted them for distribution via Google Play.
To incentivize developers to include the LumiApps SDK and platform into their applications, the threat actor behind Proxylib promotes it as an alternative monetization method to render ads, claiming it rewards developers based on the amount of traffic routed through user devices.
Access to the proxy network created by these applications is apparently being sold via Asocks, a company that sells residential proxies. Human believes that LumiApps and Asocks could be owned or operated by the same threat actor.
“The threat actor continues to operate the LumiApps platform and release new versions of the SDK that can be built into additional apps. As a result, we expect to see the threat actors continue to evolve their TTPs in order to continue selling access to the residential proxy network generated by apps containing Proxylib,” Human notes.
Related: Anatsa Android Banking Trojan Continues to Spread via Google Play
Related: Chameleon Android Malware Can Bypass Biometric Security
Related: Hundreds of Malicious Android Apps Target Iranian Mobile Banking Users