Malicious Android apps facilitate device transformation into proxies

Malicious VPN Apps Exploited for Cyberattacks

A group of nearly 30 VPN applications has been identified as carrying a hidden threat to Android users. These apps, which were equipped with a particular Golang library, transformed devices into residential proxies without the users’ knowledge. This capability made them a tool for concealing unauthorized cyber activities behind legitimate residential IP addresses.

The discovery, reported by The Hacker News, highlights the apps’ role in the PROXYLIB operation. Although these applications have since been purged from the Google Play Store, their existence underscores the ongoing risks in the digital ecosystem.

Experts from HUMAN’s Satori Threat Intelligence team explained the significance of this threat. They noted that by using residential proxies, cybercriminals can mask their attacks, making them appear as if they are originating from various individual IP addresses. This tactic effectively obscures the true source of the attack, often a data center or other parts of a threat actor’s infrastructure. Access to such networks is highly sought after by malicious actors looking to carry out their operations undetected.

This incident aligns with findings from a joint report by Orange Cyberdefense and Sekoia, which shed light on the stealthy integration of proxyware within products and services. Such integrations can occur without alerting the user, further complicating the challenge of maintaining cybersecurity.

AppWizard