
Malicious Android Apps Turn Devices into Residential Proxies for Threat Actors

The discovery of a cluster of malicious Android apps on the Google Play Store is the latest example of the lengths to which threat actors will go to infiltrate and exploit vulnerable systems. The apps, which cybersecurity firm HUMAN's Satori Threat Intelligence team has dubbed PROXYLIB, were designed to turn unsuspecting mobile devices into residential proxies (RESIPs) for other threat actors without the users' knowledge.

It works because the apps came fitted with a Golang library that transformed the user's device into a proxy node. That node routed internet traffic from an intermediary server out through the device, so the victim's residential IP address appears as the source of the traffic and the IP address of whoever is actually using the proxy stays hidden. Residential proxies have legitimate uses, but threat actors abuse them both to obscure their origins and to carry out a wide range of attacks, since traffic from residential IP ranges is far less likely to be blocked or rate-limited than traffic from data-center ranges.

The PROXYLIB apps have since been removed from the Google Play Store, but the threat remains. Proxy networks of this kind are often built by malware operators tricking unsuspecting users into installing bogus apps that corral their devices into a botnet. The botnet is then monetized by selling access to its devices' bandwidth and IP addresses to other customers.

The Android VPN apps discovered by HUMAN were designed to establish contact with a remote server, enroll the infected device in the network, and then process any request arriving from the proxy network. Further investigation revealed that a subset of the apps, identified between May and October 2023, incorporated a software development kit (SDK) from LumiApps containing the proxyware functionality.
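To make the three steps above concrete (dial out to the operator's server, enroll, relay whatever the proxy network asks for), here is an added example in Go, the language of the library described in the article. It is written for this page and is not PROXYLIB's code, HUMAN's analysis tooling, or the LumiApps SDK. The line-based wire format (ENROLL, CONNECT, OK), the device ID "device-0001", the loopback addresses and the stand-in target that echoes the request are all assumptions for the demo; real proxyware uses its own protocol. The point it shows is that the node only ever makes outbound connections, so it needs no open port on the phone, and the target sees the device's own source address rather than the operator's or the customer's.

```go
package main

import (
	"bufio"
	"fmt"
	"io"
	"net"
	"strings"
)

// halfClose sends FIN but keeps reading, so each tunnel direction drains independently.
func halfClose(c net.Conn) { c.(*net.TCPConn).CloseWrite() }

// runNode models the proxyware side: the device dials OUT to the operator's
// server, enrolls, then serves one relay request by opening the requested
// target and piping bytes both ways. The target sees the device's own address.
func runNode(controllerAddr, deviceID string) error {
	conn, err := net.Dial("tcp", controllerAddr)
	if err != nil {
		return err
	}
	defer conn.Close()
	r := bufio.NewReader(conn)
	fmt.Fprintf(conn, "ENROLL %s\n", deviceID) // hypothetical wire format, not PROXYLIB's
	line, err := r.ReadString('\n')
	if err != nil {
		return err
	}
	cmd := strings.TrimSpace(line)
	if !strings.HasPrefix(cmd, "CONNECT ") {
		return fmt.Errorf("unexpected command %q", cmd)
	}
	target, err := net.Dial("tcp", strings.TrimPrefix(cmd, "CONNECT "))
	if err != nil {
		return err // dropping conn tells the controller the relay failed
	}
	defer target.Close()
	fmt.Fprint(conn, "OK\n")
	go func() { io.Copy(target, r); halfClose(target) }() // customer -> target
	io.Copy(conn, target)                                 // target -> customer
	halfClose(conn)
	return nil
}

// RunDemo plays the operator's server plus one proxy customer: accept an enrollment,
// order the node to open a stand-in target, push payload through, return the reply.
func RunDemo(payload string) (deviceID, reply string, err error) {
	target, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return "", "", err
	}
	defer target.Close()
	go func() { // constructed target: reports the peer it saw, echoes the request upper-cased
		c, err := target.Accept()
		if err != nil {
			return
		}
		defer c.Close()
		data, _ := io.ReadAll(c)
		fmt.Fprintf(c, "PEER=%s\n%s", c.RemoteAddr(), strings.ToUpper(string(data)))
	}()
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return "", "", err
	}
	defer ln.Close()
	nodeErr := make(chan error, 1)
	go func() { nodeErr <- runNode(ln.Addr().String(), "device-0001") }()
	c, err := ln.Accept()
	if err != nil {
		return "", "", err
	}
	defer c.Close()
	r := bufio.NewReader(c)
	line, err := r.ReadString('\n')
	if err != nil {
		return "", "", err
	}
	deviceID = strings.TrimPrefix(strings.TrimSpace(line), "ENROLL ")
	fmt.Fprintf(c, "CONNECT %s\n", target.Addr())
	if st, err := r.ReadString('\n'); err != nil || strings.TrimSpace(st) != "OK" {
		return deviceID, "", fmt.Errorf("relay refused: %q %v", st, err)
	}
	fmt.Fprint(c, payload)
	halfClose(c)
	out, err := io.ReadAll(r)
	if err != nil {
		return deviceID, "", err
	}
	return deviceID, string(out), <-nodeErr
}

func main() {
	id, reply, err := RunDemo("hello via resip\n")
	if err != nil {
		panic(err)
	}
	fmt.Printf("node %s relayed; target answered:\n%s", id, reply)
}
```

From a detection standpoint the shape of this exchange is what to look for: a long-lived outbound connection from the device to one server, followed by a fan-out of fresh outbound connections to unrelated hosts whose content has nothing to do with the app that opened them.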

LumiApps is an Israeli company that offers a service allowing users to upload any APK file of their choice, including legitimate applications, and bundle the SDK into it without even creating a user account. The modified apps, called mods, are distributed both on and off the Google Play Store. LumiApps promotes itself and the SDK as an alternative app monetization method to rendering ads.

The SDK service is also advertised on social media and black hat forums. To bake the SDK into as many apps as possible and expand the botnet's size, LumiApps offers developers cash rewards based on the amount of traffic routed through user devices that have installed their apps.

Evidence indicates that the threat actor behind PROXYLIB is selling access to the proxy network created by the infected devices through LumiApps and Asocks, a company that advertises itself as a seller of residential proxies.

Recent research published by Orange Cyberdefense and Sekoia characterized residential proxies as part of a “fragmented yet interconnected ecosystem,” in which proxyware services are advertised in various ways ranging from voluntary contributions to dedicated shops and reselling channels. This indicates that the threat from PROXYLIB is not isolated and that similar threats are likely to arise.

It is critical that users remain vigilant and only download apps from trusted sources, and the PROXYLIB case shows that a Play Store listing alone is not a guarantee. Developers, for their part, should watch for repackaged versions of their apps distributed on and off official stores and should vet any monetization SDK they consider adding, so that their code does not become an unwitting carrier for someone else's botnet. The discovery of PROXYLIB serves as a reminder of the importance of cybersecurity and the need to remain vigilant in the face of ever-evolving threats.

Deitasoft © 2024. All Rights Reserved.