Malicious apps caught secretly turning Android phones into proxies for cybercriminals

01 April 2024 | Pressroom | Botnet / Mobile Security


Several malicious Android apps have been observed on the Google Play Store that turn mobile devices running the operating system into residential proxies (RESIPs) for other threat actors.

The findings come from HUMAN’s Satori Threat Intelligence team, which said the VPN app cluster was equipped with a Golang library that turned the user’s device into a proxy node without their knowledge.

The company has codenamed the operation PROXYLIB. The 29 apps in question have since been removed from the Play Store by Google.

Residential proxies are networks of proxy nodes that use real IP addresses assigned by Internet Service Providers (ISPs); they let users hide their own IP addresses by routing Internet traffic through an intermediary residential device.

Aside from the benefits of anonymity, they are ripe for abuse by threat actors to not only obfuscate their origins, but also conduct a wide range of attacks.


“When a threat actor uses a residential proxy, traffic in these attacks appears to originate from multiple residential IP addresses rather than from a data center IP or other parts of the threat actor’s infrastructure,” the researchers said. “Many threat actors purchase access to these networks to facilitate their operations.”

Some of these networks can be created by malware operators who trick unsuspecting users into installing fake apps that essentially bundle devices into a botnet that is then monetized for profit by selling access to other customers.

The Android VPN apps discovered by HUMAN are designed to establish contact with a remote server, register the infected device on the network, and process any requests from the proxy network.

Another noteworthy aspect of these apps is that a subset of them, identified between May and October 2023, incorporates a LumiApps software development kit (SDK) that contains the proxyware functionality. In both cases, the malicious capability is implemented in a native Golang library bundled with the app.
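The practical consequence of the Go detail is that a triager can spot such a library before reversing it: Go's linker leaves recognisable byte markers in every binary it produces (the ".gopclntab" section name, and the literal "Go build ID:" string that `go tool buildid` looks for near the start of the text segment). The following script is an added example, not code from HUMAN's report or from any of the apps discussed; it unpacks an APK (which is just a zip), lists its native libraries and flags those built with the Go toolchain. The APK it inspects is constructed inline, and the marker list is a heuristic that a packer or a stripped build could defeat.

```python
import io
import re
import zipfile

# Heuristic markers the Go linker leaves behind. ".gopclntab" is the section
# holding Go's function/line table, "Go build ID:" is the literal written at
# the start of the text segment, and "runtime.goexit" is a runtime symbol that
# survives stripping because it lives in the pclntab. Any one of them in a .so
# is strong evidence the library was compiled with the Go toolchain.
GO_MARKERS = (b".gopclntab", b"Go build ID:", b"runtime.goexit")

# Native libraries in an APK live under lib/<abi>/<name>.so
NATIVE_LIB_RE = re.compile(r"^lib/[^/]+/[^/]+\.so$")


def is_go_binary(data: bytes) -> bool:
    """True if any Go linker marker appears in the raw library bytes."""
    return any(marker in data for marker in GO_MARKERS)


def find_go_native_libs(apk_bytes: bytes) -> dict:
    """Map every native library path in the APK to whether it looks Go-built."""
    result = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for name in zf.namelist():
            if NATIVE_LIB_RE.match(name):
                result[name] = is_go_binary(zf.read(name))
    return result


def _constructed_apk() -> bytes:
    """Build a toy APK (constructed sample, not a real app) with one Go-like
    and one ordinary JNI library. The ELF headers are fake padding; only the
    marker strings matter to the heuristic above."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest/>")
        zf.writestr("classes.dex", b"dex\n035\x00")
        go_lib = (
            b"\x7fELF" + b"\x00" * 60
            + b"\xff Go build ID: \"abc123\"\n \xff"
            + b".gopclntab\x00runtime.goexit\x00"
        )
        c_lib = b"\x7fELF" + b"\x00" * 60 + b".text\x00.dynsym\x00JNI_OnLoad\x00"
        zf.writestr("lib/arm64-v8a/libproxy.so", go_lib)   # hypothetical name
        zf.writestr("lib/arm64-v8a/libjni.so", c_lib)      # hypothetical name
    return buf.getvalue()


if __name__ == "__main__":
    # Replace _constructed_apk() with open("app.apk", "rb").read() for a real file.
    for path, go_built in find_go_native_libs(_constructed_apk()).items():
        print(f"{path}: {'Go-built' if go_built else 'not Go'}")
```

A hit only says the library was built with Go, not that it is proxyware; it narrows which library to load into a disassembler first, and a Go-built library in an app whose declared purpose does not need one is the kind of mismatch worth a closer look.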


LumiApps also offers a service that lets anyone upload an APK file of their choosing, including a legitimate application, and have the SDK bundled into it without creating a user account; the modified APK can then be downloaded and shared with others.

These modified apps, known as mods, are then distributed both on and off the Google Play Store. LumiApps promotes itself and the SDK as an app monetization method that serves as an alternative to rendering ads.

There is evidence indicating that the threat actor behind PROXYLIB is selling access to the proxy network created by infected devices via LumiApps and Asocks, a company that advertises itself as a seller of residential proxies.

Additionally, in an effort to get the SDK into as many apps as possible and grow the botnet, LumiApps offers developers cash rewards based on the amount of traffic routed through the devices of users who have installed their apps. The SDK service is also advertised on social media and black hat forums.


Recent research published by Orange Cyberdefense and Sekoia characterized residential proxies as part of a “fragmented but interconnected ecosystem”, where proxyware services are advertised in various ways, from voluntary contributions to dedicated shops and resale channels.

“[In the case of SDKs], proxyware is often embedded in a product or service,” the companies noted. “Users may not realize that proxyware will be installed when they agree to the terms of use of the main application in which it is embedded. This lack of transparency leads users to share their Internet connection without clear understanding.”


The development comes as Lumen Black Lotus Labs revealed that end-of-life (EoL) small office/home office (SOHO) routers and IoT devices were being compromised by a botnet known as TheMoon to power a criminal proxy service called Faceless.
