Free VPN Apps Turn Android Devices Into Proxies

A recent report by HUMAN's Satori team uncovered 28 free VPN applications available on Google Play that are covertly transforming devices into residential proxies. In other words, it allows malicious threat actors to route third-party traffic through user’s devices without their knowledge or consent. The researchers dubbed this operation “PROXYLIB”.

Residential proxies have some legitimate purposes, such as market or SEO research. However, cybercriminals can also exploit them for nefarious activities like fraud, spamming, phishing, and more.

The HUMAN team initially discovered one of these proxies back in May 2023 in a free app named “Oko VPN.” After further analysis, the team found another 28 apps related to PROXYLIB.

Some of these apps were offered online through the LumiApps SDK, a known monetization service for Android platforms. The researchers noticed unusual mentions of lumiapps[.io] on hacker forums and VPN applications. They were then able to confirm that this SDK shared identical characteristics and used the same server infrastructure as the PROXYLIB apps that had been analyzed earlier.

Some of the 28 apps identified as containing this proxy malware by the Satori team are:

• Lite VPN
• Anims Keyboard
• Blaze Stride
• Byte Blade VPN
• Android Launcher (12, 13, and 14)
• CaptainDroid Feeds
• Free Old Classic Movies
• Phone Comparison by CaptainDroid
• Fast Fly VPN
• Fast Fox VPN
• Fast Line VPN

Following the report by HUMAN, Google took action by removing the flagged applications from the Play Store. There was also an update to Google Play Protect to recognize and disable apps using LumiApps.

In a statement made to BleepingComputer, a Google spokesperson stated that “Google Play Protect automatically protects users by disabling these identified apps. Once the apps are disabled, they cannot run on the device or do any harm on the device.”

However, many of the once-removed apps have reappeared on the Play Store, presumably after removing the LumiApps SDK.

As always, Android and iOS users are urged to exercise caution with what games and apps they download. In another clear example of why caution is paramount, the vpnMentor Research Lab discovered a massive data breach involving the Chinese app developer EskyFun, potentially exposing over a million users to fraud.