We review vendors based on rigorous testing and research but also take into account your feedback and our affiliate commission with providers. Some providers are owned by our parent company.
Learn more
vpnMentor was established in 2014 to review VPN services and cover privacy-related stories. Today, our team of hundreds of cybersecurity researchers, writers, and editors continues to help readers fight for their online freedom in partnership with Kape Technologies PLC, which also owns the following products: ExpressVPN, CyberGhost, and Private Internet Access which may be ranked and reviewed on this website. The reviews published on vpnMentor are believed to be accurate as of the date of each article, and written according to our strict reviewing standards that prioritize professional and honest examination of the reviewer, taking into account the technical capabilities and qualities of the product together with its commercial value for users. The rankings and reviews we publish may also take into consideration the common ownership mentioned above, and affiliate commissions we earn for purchases through links on our website. We do not review all VPN providers and information is believed to be accurate as of the date of each article.
Advertising Disclosure

vpnMentor was established in 2014 to review VPN services and cover privacy-related stories. Today, our team of hundreds of cybersecurity researchers, writers, and editors continues to help readers fight for their online freedom in partnership with Kape Technologies PLC, which also owns the following products: ExpressVPN, CyberGhost, and Private Internet Access which may be ranked and reviewed on this website. The reviews published on vpnMentor are believed to be accurate as of the date of each article, and written according to our strict reviewing standards that prioritize professional and honest examination of the reviewer, taking into account the technical capabilities and qualities of the product together with its commercial value for users. The rankings and reviews we publish may also take into consideration the common ownership mentioned above, and affiliate commissions we earn for purchases through links on our website. We do not review all VPN providers and information is believed to be accurate as of the date of each article.

Free VPN Apps Turn Android Devices Into Proxies

Free VPN Apps Turn Android Devices Into Proxies
Hendrik Human Published on 31st March 2024 Cybersecurity Researcher

A recent report by HUMAN's Satori team uncovered 28 free VPN applications available on Google Play that are covertly transforming devices into residential proxies. In other words, it allows malicious threat actors to route third-party traffic through user’s devices without their knowledge or consent. The researchers dubbed this operation “PROXYLIB”.

Residential proxies have some legitimate purposes, such as market or SEO research. However, cybercriminals can also exploit them for nefarious activities like fraud, spamming, phishing, and more.

The HUMAN team initially discovered one of these proxies back in May 2023 in a free app named “Oko VPN.” After further analysis, the team found another 28 apps related to PROXYLIB.

Some of these apps were offered online through the LumiApps SDK, a known monetization service for Android platforms. The researchers noticed unusual mentions of lumiapps[.io] on hacker forums and VPN applications. They were then able to confirm that this SDK shared identical characteristics and used the same server infrastructure as the PROXYLIB apps that had been analyzed earlier.

Some of the 28 apps identified as containing this proxy malware by the Satori team are:

  • Lite VPN
  • Anims Keyboard
  • Blaze Stride
  • Byte Blade VPN
  • Android Launcher (12, 13, and 14)
  • CaptainDroid Feeds
  • Free Old Classic Movies
  • Phone Comparison by CaptainDroid
  • Fast Fly VPN
  • Fast Fox VPN
  • Fast Line VPN

Following the report by HUMAN, Google took action by removing the flagged applications from the Play Store. There was also an update to Google Play Protect to recognize and disable apps using LumiApps.

In a statement made to BleepingComputer, a Google spokesperson stated that “Google Play Protect automatically protects users by disabling these identified apps. Once the apps are disabled, they cannot run on the device or do any harm on the device.”

However, many of the once-removed apps have reappeared on the Play Store, presumably after removing the LumiApps SDK.

As always, Android and iOS users are urged to exercise caution with what games and apps they download. In another clear example of why caution is paramount, the vpnMentor Research Lab discovered a massive data breach involving the Chinese app developer EskyFun, potentially exposing over a million users to fraud.

About the Author

Hendrik is a writer at vpnMentor, specializing in VPN comparisons and user guides. With 5+ years of experience as a tech and cybersecurity writer, plus a background in corporate IT, he brings a variety of perspectives to test VPN services and analyze how they address the needs of different users.

Please, comment on how to improve this article. Your feedback matters!

Leave a comment

Sorry, links are not allowed in this field!

Name should contain at least 3 letters

The field content should not exceed 80 letters

Sorry, links are not allowed in this field!

Please enter a valid email address