These free VPN apps may contain malware that turns your phones into proxies without your knowledge


Mélina LOUPIA

March 27, 2024 at 1:33 p.m.


Check if you have installed the latest version of one of these free VPN apps © Inna Kot / Shutterstock


More than 15 free VPN apps on Google Play used a malicious SDK, turning Android devices into residential proxies.

We use residential proxies more and more, whether during our private or professional trips or to protect ourselves. Most of the time they are used legally, including for market research, ad verification and search engine optimization.

However, they are also a tool of choice for many cybercriminals, who can use them for ad fraud, spamming, phishing or MFA bombing, such as that currently experienced by Apple users. With residential proxies, cybercriminals can hide their true identity and location, making their attacks even more difficult to trace and stop.

No fewer than 17 free VPN apps available on the Google Play Store, out of 28 apps that researchers found to contain an infected SDK (software development kit), turn their users’ devices into proxies without their consent. Without knowing it, and probably attracted by the fact that the VPN is free, users who install these infected applications are then considered guilty when fraud is committed by hackers.

ProxyLib, the malicious SDK that infects free VPN apps

Human Security researchers discovered that all of the apps in question used a software development kit (SDK) from LumiApps, which contained “ProxyLib”, a golang library for proxying.

In May 2023, they identified the first app using ProxyLib, a free Android VPN called Oko VPN. Subsequently, the researchers found the same library used by Android app monetization service LumiApps, as they state in their report:

“In late May 2023, the Satori team noticed activity on hacker forums and new VPN apps referencing a monetization SDK, lumiapps[.]io.”

After further investigation, it appears that this SDK has exactly the same functionality and uses the same server infrastructure as the malicious applications analyzed during the investigation of the previous version of ProxyLib. LumiApps is used legally for advertising research purposes.

They were able to list a set of 28 applications that used the ProxyLib library to transform Android devices into proxies:

  • Lite VPN
  • Anime Keyboard
  • Blaze Stride
  • Byte Blade VPN
  • Android 12 Launcher (by CaptainDroid)
  • Android 13 Launcher (by CaptainDroid)
  • Android 14 Launcher (by CaptainDroid)
  • CaptainDroid Feeds
  • Free Old Classic Movies (by CaptainDroid)
  • Phone Comparison (by CaptainDroid)
  • Fast Fly VPN
  • Fast Fox VPN
  • Fast Line VPN
  • Funny Char Ging Animation
  • Limo Edges
  • Oko VPN
  • Phone App Launcher
  • Quick Flow VPN
  • Sample VPN
  • Secure Thunder
  • Shine Secure
  • Speed Surfing
  • Swift Shield VPN
  • TurboTrack VPN
  • Turbo Tunnel VPN
  • Yellow Flash VPN
  • Ultra VPN
  • Run VPN

However, it is unclear whether free app developers were aware that the SDK was turning their users’ devices into proxy servers that could be used for unwanted activities.

Researchers believe the malicious apps are linked to Russian residential proxy service provider Asocks, after observing connections made to the proxy provider’s website. The Asocks service is often promoted by cybercriminals on hacking forums.

These applications would be linked to Asocks, a Russian proxy provider © khunkornStudio / Shutterstock


Google working to rid the Play Store of infected applications

In January 2024, LumiApps released the second major version of its SDK as well as ProxyLib v2. According to the company, this release resolved integration issues and now supports Java, Kotlin and Unity projects. Shortly after, and following the report published by Human Security, Google removed all new and remaining applications using the LumiApps SDK from the Play Store in February 2024. The firm also updated Google Play Protect to detect LumiApps libraries used in applications.

In the meantime, many of the apps listed above have become available again on the Google Play Store, likely after their developers removed the offending SDK. They were sometimes posted from different developer accounts, which could indicate previous account bans. On the other hand, Google has not yet commented on the reliability of the applications that are available again.

Caution is therefore required. If you have used one of the listed apps, updating to the most recent version, which does not use the SDK in question, will terminate proxy activity. However, it is better to remove them completely. If the app has been removed from Google Play and there is no safe version, it is recommended to uninstall it. Play Protect should also warn users in this case.

Finally, it is probably safer to use paid VPN apps rather than free services, as many products in the latter category are more likely to implement indirect monetization schemes, including data collection or sale, advertising and registration with proxy services. Clubic also offers you its comparison of the best VPNs.


Sources: Human Security, BleepingComputer
