There were 28 apps in Google's Play Store that turned smartphones into endpoints or nodes in a proxy network for cybercriminals without the owners' knowledge. Human's IT researchers discovered, among other things, VPN apps that they associate with a campaign they named Proxylib.
In a blog post, Human's IT security researchers explain that malicious actors often use such proxies on private users' devices to hide their criminal activities. These include advertising fraud or the use of bots. The actors often purchase access to such proxy networks from other cybercriminals, who in turn create the proxies by distributing malware embedded in smartphone or desktop applications.
Proxylib and Lumiapps SDK malware in the Play Store
In total, the researchers tracked down 28 apps in Google's Play Store that claimed to be VPN software. The "Oko VPN" software had already been flagged as malicious in May 2023, whereupon it was removed from Google's Play Store. The 28 applications use a Golang library that is responsible for deploying the proxy node in each of the apps; the analysts use the name Proxylib for the malware.
Subsequent versions of Proxylib have been built into the Lumiapps SDK, which app developers can easily integrate into their applications. A provider of such private user proxies called Asocks is therefore linked to the malware. The criminal masterminds behind Proxylib are apparently trying to monetize their Proxylib network.
The IT researchers list other possible uses of such proxy networks for malicious actors: password spraying, large-scale advertising fraud or credential stuffing. Routing through these proxies obscures the network traffic, because the IP addresses come from unsuspicious private connections instead of from a data center. In the analysis, the IT security researchers go into more detail about how the malware works.
The list of apps removed from Play Store:
If you still have one of these apps on your smartphone, possibly from other sources, you should remove it manually. Google is now also tracking them down using the Play Protect mechanism in order to remove them. Users should therefore ensure that their Android phone is checked by Play Protect.
(dmk)