Threat actors are abusing free VPN solutions for Android phones to pretent being part of a residential network

SUMMARY

Summary

Over 15 free VPN apps available on Google Play were found to incorporate a malicious software development kit (SDK) that transformed Android devices into unwitting residential proxies, potentially facilitating cybercrime and shopping bot activities.
Residential proxies reroute internet traffic through devices located in homes, making it appear legitimate and less likely to be blocked, despite being used nefariously for activities like ad fraud, spamming, and phishing.
The malicious apps, disguised as free VPN software, utilized an SDK by LumiApps containing “Proxylib,” a Golang library for proxying, identified by HUMAN’s Satori threat intelligence team.
The list of identified apps includes Lite VPN, Anims Keyboard, and several launcher apps by CaptainDroid, among others, all utilizing the ProxyLib library to convert Android devices into proxies.
LumiApps, the SDK’s developer, claims its tool uses users’ IP addresses for benign purposes, such as loading webpages for data collection, but it’s unclear if developers were aware of the proxying functionality.
HUMAN links these apps to the Russian residential proxy service provider ‘Asocks,’ as connections were observed to the provider’s website, frequently promoted to cybercriminals on hacking forums.

Google removed offending apps from the Play Store and updated Google Play Protect to detect LumiApps libraries used in these apps.
Users are advised to update to app versions not using the problematic SDK or uninstall the apps altogether if no safe version exists.
Paid VPN apps may be a safer alternative to free ones, as free services are more likely to implement indirect monetization systems, including data collection, advertising, and enrollment in proxy services.

Google removed apps using the LumiApps SDK from the Play Store and updated Play Protect to detect the SDK’s usage.
Some apps have reappeared on the Play Store, potentially after their developers removed the offending SDK or republished from different accounts. Users are advised to update or uninstall apps, and Play Protect will warn users if apps have been removed from the Play Store.