Cybersecurity experts have discovered a cluster of Android VPN apps that secretly transform users’ devices into proxy nodes, potentially engaging in malicious activity without their knowledge.
This discovery has raised significant concerns about the security of free VPN apps on the Google Play Store.
The Satori Threat Intelligence team at HUMAN, a cybersecurity company, identified a number of VPN applications that enroll user devices in a proxy network via a Golang library called PROXYLIB.
This operation was first discovered in May 2023 when one free VPN app, Oko VPN, was found to exhibit malicious behavior and was subsequently removed from the Play Store.

Further analysis led to the identification of 28 related apps, all of which have now been removed from the Google Play Store.
However, the threat remains, as the actors behind PROXYLIB continue to develop their tactics, techniques and procedures (TTPs).
An earlier report by HUMAN Security had already revealed malicious activity in Oko VPN, a free VPN app that was available on the Google Play Store.
How PROXYLIB works
PROXYLIB applications establish a two-way connection to the proxy network, effectively turning the device into a residential proxy node without the user's consent.
The apps masquerade as legitimate services, often as free VPNs, and use permissions such as FOREGROUND_SERVICE and BOOT_COMPLETED to keep the proxy component running across reboots.
The library that does this work, libgojni.so, processes incoming requests and maintains communication with the command and control (C2) servers.
This lets the operators forward web requests through the device to other online platforms, which can be abused for activities such as ad fraud, mainly targeting video streaming services.
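The three traits described above (the FOREGROUND_SERVICE and boot-completed permissions, a BOOT_COMPLETED receiver, and a Go-built native library named libgojni.so) are enough for a coarse static triage of an unpacked APK. The script below is an added example written for this article, not HUMAN's tooling or any published detection rule; it takes a decoded text AndroidManifest.xml (the binary manifest inside an APK first has to be decoded, for example with apktool) plus the APK's file listing, and flags a package only when all three traits appear together, since each one alone is common in benign apps. The sample manifest, library paths and the "all three together" rule are constructed assumptions for illustration.

```python
"""Static triage heuristic for PROXYLIB-style Android packages.

Added example, not HUMAN's code. It looks for the combination the article
describes: persistence permissions, a BOOT_COMPLETED receiver, and a
gomobile-style native library (libgojni.so). The sample manifest and the
"all three together" rule are constructed assumptions, not a published rule.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Indicators taken from the article; these are real Android identifiers.
PERSISTENCE_PERMS = {
    "android.permission.FOREGROUND_SERVICE",
    "android.permission.RECEIVE_BOOT_COMPLETED",
}
BOOT_ACTION = "android.intent.action.BOOT_COMPLETED"
SUSPECT_LIB = "libgojni.so"


@dataclass
class TriageResult:
    permissions: set = field(default_factory=set)
    boot_receiver: bool = False
    native_libs: set = field(default_factory=set)
    findings: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        # Require persistence set-up AND the Go library; either alone is
        # common in legitimate apps (assumed threshold, not a published rule).
        return (PERSISTENCE_PERMS <= self.permissions
                and self.boot_receiver
                and SUSPECT_LIB in self.native_libs)


def parse_manifest(manifest_xml: str) -> TriageResult:
    """Extract declared permissions and BOOT_COMPLETED receivers from a
    decoded (text) AndroidManifest.xml."""
    root = ET.fromstring(manifest_xml)
    result = TriageResult()
    for perm in root.iter("uses-permission"):
        name = perm.get(ANDROID_NS + "name")
        if name:
            result.permissions.add(name)
    for action in root.iter("action"):
        if action.get(ANDROID_NS + "name") == BOOT_ACTION:
            result.boot_receiver = True
    return result


def triage(manifest_xml: str, lib_paths: list) -> TriageResult:
    """Combine manifest facts with the native libraries shipped under
    lib/<abi>/ (paths as they appear in the APK's zip listing)."""
    result = parse_manifest(manifest_xml)
    result.native_libs = {p.rsplit("/", 1)[-1]
                          for p in lib_paths if p.startswith("lib/")}
    if PERSISTENCE_PERMS <= result.permissions:
        result.findings.append("declares FOREGROUND_SERVICE + RECEIVE_BOOT_COMPLETED")
    if result.boot_receiver:
        result.findings.append("registers a BOOT_COMPLETED receiver")
    if SUSPECT_LIB in result.native_libs:
        result.findings.append(f"ships {SUSPECT_LIB} (gomobile-built native code)")
    return result


# Constructed sample manifest resembling a free-VPN app with persistence hooks.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.freevpn">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.FOREGROUND_SERVICE"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application android:label="Free VPN">
    <receiver android:name=".BootReceiver" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
    <service android:name=".ProxyService" android:foregroundServiceType="dataSync"/>
  </application>
</manifest>
"""
# Constructed zip listing for the same sample APK.
SAMPLE_LIBS = ["lib/arm64-v8a/libgojni.so", "lib/armeabi-v7a/libgojni.so", "classes.dex"]

if __name__ == "__main__":
    r = triage(SAMPLE_MANIFEST, SAMPLE_LIBS)
    print("suspicious:", r.suspicious)
    for f in r.findings:
        print(" -", f)
```

The output is a triage signal, not a verdict: many legitimate VPN and sync apps need a foreground service and boot persistence, and libgojni.so is simply what gomobile names any Go library, so a hit should route the package to dynamic analysis of its network behaviour rather than be treated as proof of PROXYLIB.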

LumiApps SDK link
A subsequent version of PROXYLIB was found to be distributed via an SDK called LumiApps.
![lumiapps[.]and the landing page](https://gbhackers.com/wp-content/uploads/2024/03/image-84.png)
This service allows users to upload APKs and add SDKs automatically without the need for source code.
Modified APKs are then distributed outside of the Google Play store, often as “mods” or patched versions of legitimate apps.

The threat actor behind PROXYLIB is believed to be monetizing the network through Asocks, a residential proxy seller.
The actor profits by selling access to the proxy network built from infected devices and, in turn, encourages developers to integrate the LumiApps SDK into their apps, expanding the network further.

Protect yourself from PROXYLIB attacks
Android users are now automatically protected against PROXYLIB attacks through Google Play Protect, which is enabled by default on devices with Google Play Services.
Google Play Protect can warn users or block apps that exhibit malicious behavior, even if they originate from outside the Play Store.
HUMAN continues to work with Google and other entities to mitigate the impact of PROXYLIB.
They recommend that users only download mobile apps from official markets and avoid clones or “mods” of popular apps.
The ongoing battle against cyber threats
Despite the removal of the identified applications, the threat actor behind PROXYLIB remains active.
HUMAN’s Bot Defender blocked a significant amount of traffic from Asocks-related IPs, which are used in various attacks, such as account takeovers and web scraping.

HUMAN emphasizes the importance of caution and recommends that users inform themselves about the risks of free VPN applications.
The company says it will continue to monitor PROXYLIB variants and attacks carried out through residential proxy networks.
Although free VPN apps may seem appealing, users should scrutinize them carefully before installing, so that their devices and personal data are not exploited by hidden proxy networks.