[Image: malicious app illustration]

Android Phones Secretly Turned into Cybercriminal Proxies by Malicious Apps

Several malicious Android apps have been spotted on the Google Play Store. Their hidden purpose is to turn your Android phone into a proxy for cybercriminals. The discovery was made by HUMAN’s Satori Threat Intelligence team, which found a group of VPN apps on the Play Store that share one undisclosed capability: a Golang library that silently enrolls your device as a proxy node without your knowledge.

HUMAN has codenamed this operation PROXYLIB. They identified 29 apps with this capability, all of which have now been removed by Google. But what exactly are residential proxies, and why are they so appealing to cybercriminals?

Residential proxies are a network of proxy servers that use real IP addresses assigned by internet service providers (ISPs) to home customers. They hide a user’s actual IP address by routing internet traffic through an intermediary device. While this might sound innocent enough, residential proxies are easily abused by cybercriminals: they not only conceal the attacker’s origin but also let them carry out malicious activity with a much lower chance of being blocked or traced.

When cybercriminals use a residential proxy, the traffic from their attacks appears to be coming from different residential IP addresses, making it difficult to trace back to them. Many cybercriminals purchase access to these networks to facilitate their operations. Some even go as far as creating their own networks by tricking unsuspecting users into installing malicious apps that turn their devices into unwitting participants in a botnet. These botnets can then be monetized by selling access to other cybercriminals.

The Android VPN apps discovered by HUMAN are designed to establish contact with a remote server, enroll the infected device in the network, and process any requests from the proxy network. What’s particularly concerning is that some of these apps incorporate a software development kit (SDK) from LumiApps. This SDK contains the proxyware functionality, allowing cybercriminals to easily embed it into various apps without detection.

[Figure: representation of how a proxy works (source linked in original post)]

LumiApps markets itself as a legitimate service, but its SDK can be used for malicious purposes. It allows users to upload any APK file, including legitimate applications, and bundle the SDK with it. These modified apps, known as mods, can then be distributed both inside and outside the Google Play Store.

But the story doesn’t end there. Evidence suggests that the cybercriminal behind PROXYLIB is selling access to the proxy network created by the infected devices through LumiApps and Asocks, a company that advertises itself as a seller of residential proxies. To further expand the size of the botnet, LumiApps offers cash rewards to developers based on the amount of traffic routed through user devices that have installed their apps.

[Figure: proxy process (source linked in original post)]

The use of residential proxies is part of a larger ecosystem of fragmented yet interconnected networks. Proxyware services are advertised in various ways, from voluntary bandwidth-sharing schemes to dedicated shops and reselling channels. In many cases the device owner never learns that their internet connection is being shared with strangers.

In addition to the threat posed by residential proxies, there’s another concerning development. Lumen Black Lotus Labs recently disclosed that end-of-life (EoL) small office/home office (SOHO) routers and IoT devices are being compromised by a botnet known as TheMoon. This botnet is used to power a criminal proxy service called Faceless, further highlighting that any unpatched, internet-connected device can be drafted into a proxy network.

In light of these threats, it’s more important than ever for individuals and businesses to prioritize cyber security. One way to do this is by using tools like CyberArrow GRC Platform to automate cyber security compliance efforts. By staying proactive and vigilant, you can protect yourself and your customers from the growing number of cyber threats lurking online.

CyberArrow GRC Platform is a comprehensive solution that helps organizations streamline their cyber security compliance processes. From risk assessment to policy management, CyberArrow GRC Platform offers a range of features designed to keep your digital assets safe and secure. By automating compliance efforts, you can ensure that your organization meets industry standards and regulations, giving your customers peace of mind knowing that their data is in good hands.

In conclusion, the discovery of malicious Android apps turning devices into proxies for cybercriminals is a stark reminder of the evolving nature of cyber threats. By understanding the risks posed by residential proxies and taking proactive measures to mitigate them, individuals and businesses can stay one step ahead of cybercriminals. Additionally, leveraging tools like CyberArrow GRC Platform can help automate cyber security compliance efforts, ensuring that your organization remains secure and trustworthy in the eyes of your customers.

CyberArrow team