Connect with us

Hi, what are you looking for?


Malware & Threats

VPN Apps on Google Play Turn Android Devices Into Proxies

Human Security identifies 28 VPN applications for Android and an SDK that turn devices into proxies.

Dozens of VPN applications that turn Android devices into residential proxies made their way into the Google Play store, Human Security reports.

All the identified malicious applications contained a Golang library responsible for enrolling the device as a proxy node, and appear linked to Asocks, a residential proxy seller.

As part of the operation, which Human Security calls Proxylib, at least 28 VPN applications containing the malicious library were submitted to Google Play. All apps have been removed from the store, but a version of Proxylib was also found in the LumiApps SDK, which can add the malicious functionality to any APK.

Residential proxy networks allow threat actors to route traffic through users’ devices and hide malicious activity, making it appear as if originating from residential IP addresses instead of the attackers’ infrastructure.

According to Human, the first mention of the LumiApps SDK was seen in May 2023, roughly a week after an ad fraud scheme relying on the Android application Oko VPN was publicly disclosed. In August, the researchers observed an increase in APKs packing Proxylib.

Both earlier versions of the Proxylib applications (which are related to Oko VPN) and newer variants that used the LumiApps SDK function the same, turning the device into a proxy without the user’s knowledge.

Threat actors have been observed relying on a LumiApps service that allows them to upload an APK to bundle the toolkit without having the source code to modify legitimate applications and add the malicious proxying functionality.

Human says it has identified hundreds of modified applications in online third-party repositories, as well as multiple developers who added the SDK to their products and submitted them for distribution via Google Play.

Advertisement. Scroll to continue reading.

To incentivize developers to include the LumiApps SDK and platform into their applications, the threat actor behind Proxylib promotes it as an alternative monetization method to rendering ads, claiming it rewards developers based on the amount of traffic routed through user devices.

Access to the proxy network created by these applications is apparently being sold via Asocks, a company that sells residential proxies. Human believes that LumiApps and Asocks could be owned or operated by the same threat actor.

“The threat actor continues to operate the LumiApps platform and release new versions of the SDK that can be built into additional apps. As a result, we expect to see the threat actor continue to evolve their TTPs in order to continue selling access to the residential proxy network generated by apps containing Proxylib,” Human notes.

Related: Anatsa Android Banking Trojan Continues to Spread via Google Play

Related: Chameleon Android Malware Can Bypass Biometric Security

Related: Hundreds of Malicious Android Apps Target Iranian Mobile Banking Users

Written By

Ionut Arghire is an international correspondent for SecurityWeek.


Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.


SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.


People on the Move

Cody Barrow has been appointed the new CEO of threat intelligence company EclecticIQ.

Shay Mowlem has been named CMO of runtime and application security company Contrast Security.

Attack detection firm Vectra AI has appointed Jeff Reed to the newly created role of Chief Product Officer.

More People On The Move

Expert Insights

Related Content


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Malware & Threats

The NSA and FBI warn that a Chinese state-sponsored APT called BlackTech is hacking into network edge devices and using firmware implants to silently...


An engineer recruited by intelligence services reportedly used a water pump to deliver Stuxnet, which reportedly cost $1-2 billion to develop.

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...

Malware & Threats

Apple’s cat-and-mouse struggles with zero-day exploits on its flagship iOS platform is showing no signs of slowing down.

Malware & Threats

Unpatched and unprotected VMware ESXi servers worldwide have been targeted in a ransomware attack exploiting a vulnerability patched in 2021.

Malware & Threats

Cisco is warning of a zero-day vulnerability in Cisco ASA and FTD that can be exploited remotely, without authentication, in brute force attacks.