Another warning has been issued out of the blue as dangerous apps have been discovered hiding in Google’s Play Store, tricking users into putting their phones and data at risk…
A new warning has been issued for Android users
Google is waging a never-ending battle to rid its Play Store of dangerous malware; with each published security report, the list of these dangerous applications grows longer. However, the advice doesn’t change – delete those apps today.
The latest report comes courtesy of Human’s Satori Threat Intelligence and warns that a family of rogue VPN apps powered by a malicious SDK have managed to bypass Google’s defenses and turn Android phones into proxies on a malicious network for hire. Once installed, the applications hide the source of their commands, opening the door to a range of attacks, all of which are dangerous. Google removed offending versions of the apps from the Play Store—the never-ending cycle continues.
Because apps were made malicious through that SDK, it’s possible for them to return to the Play Store with the SDK removed. But you should delete everything you have on your phone and then – if you have to, given their trivial nature – reinstall them.
The researchers behind this report explain that the use of so-called residential proxies, or network obfuscation, “can be used by threat actors to hide malicious activities, including password hashing, massive ad fraud, or credential spoofing attacks. When a threat actor uses a residential proxy, traffic from those attacks appears to come from different residential IP addresses instead of data center IPs or other parts of the threat actor’s infrastructure.” It is clear that these proxy phones are creating a clean, growing network of seemingly innocent IP addresses.
Such residential proxy servers can be used by legitimate companies to enable web-scraping and other irritating activities that networks might otherwise detect and block. As the FBI warned of such techniques last year, “cybercriminals have relied heavily on the use of residential proxies that are connected to residential Internet connections and are therefore less likely to be identified as abnormal… Actors may choose to use purchased proxies from proxy services, including legitimate proxy service providers, to facilitate bypassing website defenses by disguising real IP addresses, which may be individually blocked or originate from specific geographic regions.”
As for this latest campaign, the team’s investigation began with a free Android VPN called Oko VPN that was identified as a threat in 2023. connections. Once enrolled, the infected device forwards web requests to email sites, online retailers, Twitch streaming platforms, and more.”
Interestingly, that particular VPN also has an iOS app, but “Satori has confirmed that the iOS version of the app is not malicious.”
The fake apps—now removed from the Play Store—are listed below. As always, now that the threat has been identified, Google’s Play Protect will prevent future installs of versions of any of these apps with the rogue SDK still present. But it won’t clean current installations. As above, delete now and reinstall later—if you have to.
- Simple VPN
- Keyboard with animations
- Blaze Stride
- Byte Blade VPN
- Launcher for Android 12
- Launcher for Android 13
- Launcher for Android 14
- CaptainDroid Feeds
- Free old classic movies
- Phone comparison
- Fast Fly VPN
- Fast Fox VPN
- Fast Line VPN
- Funny Char Ging animation
- Limousine edges
- VPN around
- Phone application launcher
- Quick Flow VPN
- An example of a VPN
- Secure the Thunder
- Safety shine
- Fast surfing
- Quick shield
- Turbo Track VPN
- Turbo Tunnel VPN
- Yellow Flash VPN
- VPN Ultra
- Start VPN
The Human team used a malicious library inside that first VPN to track down the others. “All of these apps included a malicious library that establishes a two-way connection to the proxy network, turning the device into a residential proxy node without the user’s knowledge… Most are disguised as free VPN apps.”
Infected devices create a network of proxies, and the threat behind the campaign can then sell access to that network. The team warns that “we expect the threat actor to continue to develop their TTPs to continue selling access to the residential proxy network,” given its continued development.
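The two traits the researchers describe above (a persistent two-way connection to the proxy network, and a device that then forwards web requests to many unrelated sites) are things a home router, MDM, or SOC can look for in its own flow logs. The following is an added example, not code from Human or from the article: a heuristic over constructed NetFlow-style records that flags a device which keeps one very long-lived outbound session open while fanning out to far more distinct web destinations than a phone normally would. The sample flows, the documentation-range addresses and both thresholds are assumptions to be tuned against your own baseline.

```python
"""Heuristic: flag devices whose egress pattern resembles a residential
proxy node (one long-lived session to a single external endpoint plus an
unusually wide spread of outbound web destinations).

Added example; the flow records below are constructed, not real telemetry,
and the thresholds are assumptions that need tuning per network."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable


@dataclass(frozen=True)
class Flow:
    src: str        # internal device address
    dst: str        # external address
    dport: int      # destination port
    seconds: int    # session duration
    bytes_out: int  # bytes sent by the device


# Constructed sample: phone A browses a handful of sites; phone B keeps one
# session open for roughly a day and touches dozens of unrelated hosts.
SAMPLE_FLOWS = [
    Flow("10.0.0.11", "203.0.113.10", 443, 30, 4_000),
    Flow("10.0.0.11", "203.0.113.11", 443, 12, 2_000),
    Flow("10.0.0.11", "203.0.113.12", 443, 45, 8_000),
    Flow("10.0.0.12", "198.51.100.5", 8443, 86_000, 900_000),
    *[Flow("10.0.0.12", f"203.0.113.{i}", 443, 5, 1_500) for i in range(20, 80)],
]

# Assumed thresholds: a phone rarely holds one TCP session for six hours,
# and rarely contacts 40+ distinct hosts in a short window.
LONG_SESSION_SECONDS = 6 * 3600
MIN_UNIQUE_DSTS = 40


def summarize(flows: Iterable[Flow]) -> Dict[str, dict]:
    """Per source device: set of distinct destinations and the longest session."""
    per_device = defaultdict(lambda: {"dsts": set(), "longest": 0, "longest_dst": None})
    for f in flows:
        d = per_device[f.src]
        d["dsts"].add(f.dst)
        if f.seconds > d["longest"]:
            d["longest"] = f.seconds
            d["longest_dst"] = f.dst
    return dict(per_device)


def proxy_node_candidates(flows: Iterable[Flow],
                          long_session: int = LONG_SESSION_SECONDS,
                          min_dsts: int = MIN_UNIQUE_DSTS) -> Dict[str, dict]:
    """Return devices that show both traits, with the suspected controller
    endpoint (the peer of the longest session) and the destination fan-out."""
    hits = {}
    for src, d in summarize(flows).items():
        if d["longest"] >= long_session and len(d["dsts"]) >= min_dsts:
            hits[src] = {"controller": d["longest_dst"], "unique_dsts": len(d["dsts"])}
    return hits


if __name__ == "__main__":
    for device, info in proxy_node_candidates(SAMPLE_FLOWS).items():
        print(f"{device}: long session to {info['controller']}, "
              f"{info['unique_dsts']} distinct destinations")
```

Neither trait alone is conclusive (a messaging app keeps a long push connection, a browser contacts many hosts), which is why the check requires both; a hit is a device to inspect and, if it carries one of the apps listed above, to clean up rather than a verdict on its own.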
However, if you follow the five golden rules, such attacks will not affect you:
- Stick to official app stores—don’t use third-party stores, and never change your device’s security settings to allow installs from unknown sources.
- Check the developer in the app description. Avoid free apps unless you’re clear about how the developer makes money or it’s a well-known name. And check the reviews: do they look legit or farmed?
- Don’t give permissions to an app it doesn’t need: flashlights and stargazing apps don’t need access to your contacts and phone. Never grant accessibility permissions that facilitate device control unless you have to.
- Never ever click links in emails or messages that directly download apps or updates—always use app stores for installations and updates.
- Don’t install apps that link to established apps like WhatsApp unless you know for sure they’re legit—check reviews and online records.
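The third rule (an app should hold only the permissions its purpose needs) can be checked rather than guessed. The following is an added example, not code from the article or from Google: it parses the text that `adb shell dumpsys package <pkg>` prints for an app, collects the runtime permissions actually granted, and compares them with what you would expect that kind of app to need. The excerpt below is constructed to match the shape of that output, and the expectation map is an assumption you would fill in for the apps on your own phone.

```python
"""Audit granted runtime permissions from `adb shell dumpsys package` text
and report permissions an app holds beyond what its purpose justifies.

Added example; SAMPLE_DUMPSYS is constructed (not captured from a device)
and EXPECTED is an assumed map of what each app legitimately needs."""
import re
from typing import Dict, Set

# Constructed excerpt shaped like `dumpsys package` output.
SAMPLE_DUMPSYS = """\
Packages:
  Package [com.example.flashlight] (1a2b3c):
    userId=10123
    requested permissions:
      android.permission.CAMERA
      android.permission.READ_CONTACTS
      android.permission.READ_PHONE_STATE
    User 0: installed=true hidden=false
      runtime permissions:
        android.permission.CAMERA: granted=true, flags=[ USER_SET ]
        android.permission.READ_CONTACTS: granted=true, flags=[ USER_SET ]
        android.permission.READ_PHONE_STATE: granted=false, flags=[ USER_SET ]
  Package [com.example.messenger] (4d5e6f):
    userId=10124
    User 0: installed=true hidden=false
      runtime permissions:
        android.permission.READ_CONTACTS: granted=true, flags=[ USER_SET ]
"""

PACKAGE_RE = re.compile(r"^\s*Package \[([\w.]+)\]")
PERM_RE = re.compile(r"^\s*(android\.permission\.[A-Z_]+): granted=(true|false)")


def granted_runtime_permissions(dump: str) -> Dict[str, Set[str]]:
    """Map each package in the dump to the runtime permissions granted to it."""
    result: Dict[str, Set[str]] = {}
    current = None
    in_runtime = False
    for line in dump.splitlines():
        pkg = PACKAGE_RE.match(line)
        if pkg:
            current = pkg.group(1)
            result[current] = set()
            in_runtime = False
            continue
        if current is None:
            continue
        if line.strip() == "runtime permissions:":
            in_runtime = True
            continue
        if in_runtime:
            perm = PERM_RE.match(line)
            if perm and perm.group(2) == "true":
                result[current].add(perm.group(1))
    return result


# Assumed expectations: a flashlight needs the camera (for the LED), a
# messenger needs contacts; anything else is worth a second look.
EXPECTED = {
    "com.example.flashlight": {"android.permission.CAMERA"},
    "com.example.messenger": {"android.permission.READ_CONTACTS"},
}


def unexpected_permissions(dump: str, expected=EXPECTED) -> Dict[str, Set[str]]:
    """Packages holding granted permissions outside their expected set."""
    findings = {}
    for pkg, perms in granted_runtime_permissions(dump).items():
        extra = perms - expected.get(pkg, set())
        if extra:
            findings[pkg] = extra
    return findings


if __name__ == "__main__":
    for pkg, extra in unexpected_permissions(SAMPLE_DUMPSYS).items():
        print(f"{pkg}: unexpected {sorted(extra)}")
```

On a real device you would feed the function the output of `adb shell dumpsys package <pkg>` for each third-party app; a flashlight that has been granted contacts access, as in the constructed sample, is exactly the mismatch the rule above tells you to refuse.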
Google’s advice on such matters is to stick with Play Protect, assuring that “Android users are automatically protected against known versions of malware using Google Play Protect, which is turned on by default on Android devices with Google Play Services. Google Play Protect can warn users or block apps known to exhibit malicious behavior, even when those apps come from sources outside of Play.”
I have reached out to them for further comment.
Using VPNs to hide attacks is ironic, since VPNs are meant to protect devices and their traffic, and are highly recommended when traveling or accessing public, hotel, or restaurant Wi-Fi. This means that the VPN you choose is critical.
A developer calling their app a VPN is not in itself a badge of security or legitimacy — there is no certification process to pass. Given how much rides on the choice, I would highly recommend a paid VPN; they are not expensive. And definitely nothing from an unknown developer. Stick to household names.
In the meantime, the cycle continues, so watch this space…