28 March 2024

Free VPN apps on Google Play turned Android devices into residential proxies


Over two dozen apps that were available on Google Play have been found to contain a malicious software development kit (SDK) that converts Android devices into unwitting residential proxies. HUMAN's Satori threat intelligence team said it identified 28 such applications on Google Play, 17 of which masqueraded as free VPN software.

The threat actor behind this scheme, tracked as PROXYLIB, profits by selling access to the resulting residential proxy network to third parties. Satori analysts report that the offending apps embedded an SDK provided by LumiApps, which contains "Proxylib," a Golang library that implements the proxy functionality.

Residential proxies route traffic through the IP addresses of ordinary consumer devices, so activity appears to originate from legitimate home users. Threat actors frequently use them to conceal malicious activity such as advertising fraud and bot traffic.

Further investigation uncovered a later version of Proxylib distributed online via the LumiApps SDK, as well as other variants built by the threat actor that use the same Golang library to turn a device into a proxy node.

The scheme first came to light in May 2023, when the researchers discovered a free Android VPN app named "Oko VPN." Satori later spotted the same library in apps built with the LumiApps Android app monetization service. Despite differences between the applications themselves, they all followed almost the same process: load the malicious library, enroll the device in the proxy network, and begin relaying proxy traffic.

The researchers suspect a connection between the malicious apps and the residential proxy service provider 'Asocks,' citing observations of connections made to the proxy provider's website. Asocks is frequently promoted to cybercriminals on various hacking forums, suggesting potential collaboration in nefarious activities.

While the malicious apps have been removed from Google Play, the researchers warn that “the threat actor continues to operate the LumiApps platform and release new versions of the SDK that can be built into additional apps.”
