Unveiling the Hidden Dangers in Free VPN Apps
In the ever-evolving landscape of cybersecurity, experts have recently shone a light on a concerning issue involving Android VPN applications. These apps, which are readily available on the Google Play Store, have been found to secretly convert user devices into proxy nodes. This covert operation is carried out without the knowledge of the user, potentially implicating them in unsanctioned activities.
The team at HUMAN’s Satori Threat Intelligence has been at the forefront of this discovery, identifying a collection of VPN apps that leverage a Golang library known as PROXYLIB to enroll devices into a proxy network. The issue came to the fore in May 2023 with the discovery of Oko VPN, a free VPN application that was engaging in such behavior and was promptly removed from the Play Store.
Subsequent investigations have led to the removal of an additional 28 related applications from the Google Play Store. Despite these efforts, the threat actors behind PROXYLIB are continually refining their strategies, posing an ongoing risk to unsuspecting users.
How PROXYLIB Operates
The mechanics behind PROXYLIB are sophisticated. The applications in question establish a two-way connection with a proxy network, effectively turning the user’s device into a residential proxy node without their consent. These apps, often disguised as free VPN services, rely on permissions such as FOREGROUND_SERVICE and RECEIVE_BOOT_COMPLETED to stay running on the device and to restart after a reboot.
A native library, libgojni.so, is responsible for handling incoming requests and maintaining communication with command-and-control (C2) servers. This setup enables the device to act as a conduit for web requests to various online platforms, which can be misused for activities such as ad fraud, with video streaming services frequently targeted.
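The indicators described above (a bundled libgojni.so plus the two persistence permissions) lend themselves to a quick static triage of an APK. The script below is an added example, not tooling from HUMAN or Google; it assumes the Android permission names FOREGROUND_SERVICE and RECEIVE_BOOT_COMPLETED and, instead of a real sample, builds a constructed stand-in APK whose manifest only mimics the AXML string pool.

```python
import io
import zipfile

# Indicators taken from the write-up: the Go JNI library and the two
# permissions PROXYLIB apps rely on to stay resident (assumed canonical names).
NATIVE_LIB = "libgojni.so"
PERMISSIONS = ("FOREGROUND_SERVICE", "RECEIVE_BOOT_COMPLETED")


def triage_apk(apk_bytes: bytes) -> dict:
    """Static triage of an APK (a zip file): does it bundle libgojni.so and
    declare both persistence permissions?  The binary AndroidManifest.xml is
    not fully parsed; its string pool is searched in both encodings the AXML
    format allows (UTF-16LE or UTF-8), which is enough for a triage hit."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        names = apk.namelist()
        manifest = apk.read("AndroidManifest.xml") if "AndroidManifest.xml" in names else b""
    libs = [n for n in names if n.startswith("lib/") and n.endswith("/" + NATIVE_LIB)]
    found = {
        p: (p.encode("utf-16-le") in manifest or p.encode("utf-8") in manifest)
        for p in PERMISSIONS
    }
    return {
        "gojni_libs": libs,
        "permissions": found,
        "suspicious": bool(libs) and all(found.values()),
    }


def build_sample_apk(with_lib: bool, perms) -> bytes:
    """Constructed stand-in for a real APK: a zip with a fake manifest string
    pool (UTF-16LE, as AXML usually stores it) and an empty native library."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        pool = b"".join(("android.permission." + p).encode("utf-16-le") for p in perms)
        z.writestr("AndroidManifest.xml", b"\x03\x00\x08\x00" + pool)
        z.writestr("classes.dex", b"dex\n035\x00")
        if with_lib:
            z.writestr("lib/arm64-v8a/" + NATIVE_LIB, b"\x7fELF")
    return buf.getvalue()


if __name__ == "__main__":
    print(triage_apk(build_sample_apk(True, PERMISSIONS)))
    print(triage_apk(build_sample_apk(False, ("INTERNET",))))
```

A hit here is a triage signal, not a verdict: a legitimate Go-based app may also ship libgojni.so, so confirm with a full manifest decode and a look at the library's network behaviour.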
The LumiApps SDK Connection
A more advanced iteration of PROXYLIB was discovered to be disseminated through an SDK called LumiApps. This service offers a convenient way for users to upload an APK and integrate the SDK automatically, bypassing the need for source code. The modified APKs are then distributed outside the Google Play Store, often masquerading as “mods” or patched versions of legitimate apps.
The architects behind PROXYLIB are believed to be monetizing the network through Asocks, a residential proxy seller. By selling access to the proxy network generated by the infected devices, they provide an incentive for developers to incorporate the LumiApps SDK into their apps, thereby expanding the network’s reach.
Protecting Yourself from PROXYLIB Attacks
Android users can take solace in the fact that Google Play Protect, which is enabled by default on devices with Google Play Services, now automatically safeguards against PROXYLIB attacks. Google Play Protect can alert users or block apps that exhibit malicious behavior, even those sourced from outside the Play Store.
HUMAN is actively engaged with Google and other partners to curtail the impact of PROXYLIB. They advise users to stick to official marketplaces when downloading mobile apps and to steer clear of clones or “mods” of popular apps.
The Ongoing Battle Against Cyber Threats
Even with the removal of the identified applications, the threat actor behind PROXYLIB remains at large. HUMAN’s Bot Defender has successfully blocked a substantial volume of traffic from IPs linked to Asocks, which are implicated in various nefarious activities, including account takeovers and web scraping.
HUMAN underscores the need for vigilance and encourages users to stay informed about the potential dangers associated with free VPN apps. The company is committed to ongoing surveillance for new adaptations of PROXYLIB and the attacks executed through residential proxy networks.
While the allure of free VPN apps is undeniable, users are urged to exercise caution and perform thorough research before installing such applications. This due diligence is critical to safeguarding their devices and personal information from exploitation by concealed proxy networks.