Cybersecurity experts at HUMAN’s Satori threat intelligence team have identified a cluster of VPN (Virtual Private Network) apps on the Google Play Store that can transform Android phones into residential proxies without their users’ knowledge (via BleepingComputer).
According to a report published this week by HUMAN, the team has found a total of 28 dangerous Android apps on the Google Play Store that can hack into the user’s Wi-Fi network. Of these, 17 posed as free VPN software and contained a malicious SDK (software development kit) that turned the users’ devices into proxies.
All 28 applications used a LumiApps SDK that contained PROXYLIB, a Golang library responsible for proxy node enrollment in each app.
HUMAN’s security researchers first discovered this operation in May 2023 when a free Android VPN called “Oko VPN” was found using PROXYLIB. Subsequently, the researchers found that the same library was used by LumiApps’ Android app monetization service.
Based on the findings of its investigation, HUMAN believes these malicious apps are linked to Asocks, a Russian residential proxy seller that was advertised on hacking forums online. The researchers also say that the threat actor is using Asocks as a way to monetize the PROXYLIB network.
“In late May 2023, Satori researchers observed activity on hacker forums and new VPN applications referencing a monetization SDK, lumiapps[.]io,” explained the HUMAN report.
“Upon further investigation, the team determined that this SDK has exactly the same functionality and uses the same server infrastructure as the malicious applications analyzed as part of the investigation into the earlier version of PROXYLIB.”
Given below is the list of 28 apps that used the PROXYLIB library to convert Android devices into proxies:
- Lite VPN
- Anims Keyboard
- Blaze Stride
- Byte Blade VPN
- Android 12 Launcher (by CaptainDroid)
- Android 13 Launcher (by CaptainDroid)
- Android 14 Launcher (by CaptainDroid)
- CaptainDroid Feeds
- Free Old Classic Movies (by CaptainDroid)
- Phone Comparison (by CaptainDroid)
- Fast Fly VPN
- Fast Fox VPN
- Fast Line VPN
- Funny Char Ging Animation
- Limo Edges
- Oko VPN
- Phone App Launcher
- Quick Flow VPN
- Sample VPN
- Secure Thunder
- Shine Secure
- Speed Surf
- Swift Shield VPN
- Turbo Track VPN
- Turbo Tunnel VPN
- Yellow Flash VPN
- VPN Ultra
- Run VPN
LumiApps runs an Android app monetization platform that uses a device’s IP address to load webpages in the background and send any retrieved data to companies.
“Lumiapps helps companies gather information that is publicly available on the internet. It uses the user’s IP address to load several web pages in the background from well-known websites,” reads the LumiApps website.
“This is done in a way that never interrupts the user and fully complies with GDPR/CCPA. The web pages are then sent to companies, who use them to improve their databases, offering better products, services, and pricing.”
Following the Satori team’s research, Google has removed all 28 apps and any new ones using the LumiApps SDK from the Play Store. It has also updated Google Play Protect to detect the LumiApps library used in apps. Some developers have also removed the SDK, which violates Google Play’s guidelines, to fix their apps, and republished them from different developer accounts.
BleepingComputer contacted Google to check whether the currently available apps are now safe to use, but has yet to receive a response from the company.