Several malicious Android apps have been spotted in the Google Play Store that turn Android devices into residential proxies (RESIPs) for use by other threat actors.
The revelations come from HUMAN’s Satori Threat Intelligence team, which said a cluster of VPN applications was equipped with a Golang library that transformed a user’s device into a proxy node without their knowledge.
The company gave the operation the code name PROXYLIB. Google has since removed 29 offending apps from the Play Store.
Residential proxies are a network of proxy servers that originate from real IP addresses provided by Internet Service Providers (ISPs), helping users hide their real IP addresses by routing their Internet traffic through an intermediary server.
Beyond their legitimate privacy uses, they are ripe for abuse by threat actors, who use them not only to disguise their origin but also to carry out a wide range of attacks.
“When a threat actor uses a residential proxy, traffic from these attacks appears to come from different residential IP addresses instead of data center IPs or other parts of the threat actor’s infrastructure,” the security researchers said. “Many threat actors are buying access to these networks to facilitate their operations.”
Some of these networks are built by malware operators who trick users into installing rogue apps that enroll their devices in a botnet, which is then monetized by selling access to other customers.
The Android VPN applications discovered by HUMAN are designed to establish contact with a remote server, log the infected device onto the network, and process any request from the proxy network.
Another notable aspect of these apps is that a subset of them, identified between May and October 2023, include LumiApps' Software Development Kit (SDK), which contains proxyware functionality. In both cases, the proxy capability is implemented in a native Golang library.
LumiApps also offers a service that essentially allows anyone to upload an APK file of their choice, including a legitimate app, and have the SDK attached to it without creating a user account; the resulting package can then be downloaded again and shared with others.
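Because the proxy capability sits in a native Go library that can be bolted onto an arbitrary APK, a cheap first triage step for an app analyst is to list the native libraries an APK ships and check which of them were built by the Go toolchain. The following added example (not HUMAN's or LumiApps' code) does that with the standard library only. The markers it looks for are documented Go toolchain behaviour: every Go binary embeds a build-info blob that begins with the magic bytes `\xff Go buildinf:`, carries its toolchain version as a `go1.N` string, and keeps runtime function names such as `runtime.goexit` in its pclntab even after stripping. The APK scanned here is a constructed in-memory zip with fake ELF members; a Go-built library is a lead to pull into a decompiler, not proof of proxyware, since Go is also used legitimately on Android.

```python
"""Triage an APK for Go-built native libraries.

Added example. The marker bytes are what the Go linker emits; the sample
APK below is constructed in memory and is not a real application.
"""
import io
import zipfile

GO_MARKERS = {
    "buildinfo": b"\xff Go buildinf:",  # magic opening Go's build-info blob (Go >= 1.13)
    "version": b"go1.",                 # toolchain version string, e.g. "go1.21.3"
    "runtime": b"runtime.goexit",       # pclntab function name, survives `strip`
}


def go_markers_in(blob):
    """Names of the Go markers present in a byte blob, in table order."""
    return [name for name, magic in GO_MARKERS.items() if magic in blob]


def scan_apk(apk_bytes):
    """Return {member_path: [markers]} for every ELF object under lib/."""
    hits = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        for info in z.infolist():
            name = info.filename
            if not (name.startswith("lib/") and name.endswith(".so")):
                continue
            blob = z.read(name)
            if not blob.startswith(b"\x7fELF"):
                continue  # not an ELF object: mis-packaged or packed, worth a manual look
            hits[name] = go_markers_in(blob)
    return hits


def likely_go_libraries(apk_bytes):
    """Libraries carrying the build-info magic, or at least two weaker markers.
    A lone 'go1.' substring is not enough: any string table can contain it."""
    return sorted(
        path for path, found in scan_apk(apk_bytes).items()
        if "buildinfo" in found or len(found) >= 2
    )


def build_sample_apk():
    """Constructed stand-in for an APK: a dex, a C++ runtime lib, a Go-built
    lib, and a non-Go lib whose strings happen to mention 'go1.'."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("classes.dex", b"dex\n035\x00" + b"\x00" * 16)
        z.writestr("lib/arm64-v8a/libc++_shared.so",
                   b"\x7fELF" + b"\x00" * 64 + b"__cxa_throw\x00")
        z.writestr("lib/arm64-v8a/libvpn.so",
                   b"\x7fELF" + b"\x00" * 64 + b"\xff Go buildinf:" + b"\x00" * 16
                   + b"go1.21.3\x00runtime.goexit\x00")
        z.writestr("lib/arm64-v8a/libnotgo.so",
                   b"\x7fELF" + b"\x00" * 64 + b"requires go1.x\x00")
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_apk()
    for path, found in scan_apk(sample).items():
        print(f"{path}: {found or 'no Go markers'}")
    print("likely Go-built:", likely_go_libraries(sample))
```

Against a real APK, replace `build_sample_apk()` with `open(path, "rb").read()`. Large libraries are read whole, which is fine for triage; for bulk scanning, read in chunks or use `strings`-style streaming.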
“LumiApps helps companies collect information that is publicly available on the Internet,” the Israeli company says on its website. “It uses the user’s IP address to load several web pages in the background from well-known websites.”
“This is done in a way that never interrupts the user and is fully GDPR/CCPA compliant. The websites are then sent to companies who use them to improve their databases, offering better products, services and prices.”
These modified apps, called mods, are then distributed both inside and outside the Google Play Store. LumiApps promotes itself and the SDK as an alternative to ad-based app monetization.
There is evidence to show that the threat actor behind PROXYLIB is selling access to the proxy network created by infected devices through LumiApps and Asocks, a company that advertises itself as a residential proxy vendor.
Moreover, in an effort to embed the SDK in as many apps as possible and expand the size of the botnet, LumiApps offers monetary rewards to developers based on the amount of traffic directed through user devices that have installed their apps. The SDK service is also advertised on social media and black hat forums.
Recent research published by Orange Cyberdefense and Sekoia characterized residential proxies as part of a “fragmented but interconnected ecosystem,” in which proxyware services are advertised in a variety of ways, from voluntary contributions to dedicated stores and resale channels.
“[In the case of SDKs] proxyware is often embedded in a product or service,” the companies noted. “Users may not notice that proxyware will be installed when they accept the terms of use of the main application in which it is embedded. This lack of transparency leads to users sharing their Internet connections without a clear understanding.”
The development comes after Lumen Black Lotus Labs discovered that end-of-life (EoL) small office/home office (SOHO) routers and IoT devices were being compromised by a botnet known as TheMoon to run a criminal proxy service called Faceless.