Several Android applications have been observed on the Google Play Store which turn mobile devices running the operating system into residential proxies (RESIPs) for other cyber criminals.
The findings come from HUMAN's Satori threat intelligence team, which said the VPN app cluster arrived with a Golang library which turns the user's device into a proxy node without their consent.
The operation involving Android applications was named PROXYLIB by HUMAN.
What is known about these malicious Android applications on the Play Store
The 29 apps in question have since been removed by Google; they are therefore no longer available to Android users unless one deliberately searches platforms outside the Google Play Store.
Residential proxies are a network of proxy servers with real IP addresses assigned by Internet Service Providers (ISPs), which help users hide their real IP addresses by routing their Internet traffic through a server that acts as an "intermediary".
Aside from the anonymity they offer, these proxies are abused by cyber criminals both to hide the origin of their activity and to conduct a wide range of attacks.
"When a cybercriminal uses a residential proxy, traffic from these attacks appears to come from multiple residential IP addresses rather than a data center IP or other parts of a cybercriminal's infrastructure," the security researchers said. "Many bad actors gain access to these networks to facilitate their operations."
Some of these networks can be created by malware operators tricking unknowing users into installing bogus apps that will essentially harvest devices into a botnet that is then monetized for profit by selling access to other customers.
The Android VPN apps discovered by HUMAN are designed to establish contact with a remote server, enroll the infected device in the network and process any requests from the proxy network.
Another noteworthy aspect of these apps is that a subset of them identified between May and October 2023 incorporates a LumiApps software development kit (SDK), which contains proxyware functionality; in both cases, the malicious capability is built using a native Golang library.
LumiApps also offers a service that essentially allows users to upload any APK file of their choice, including legitimate applications, and bundle the SDK with it without having to create a user account, which can then be downloaded again and shared with others.
"LumiApps helps companies collect publicly available information on the Internet," the Israeli company declares on its website. "It uses the user's IP address to load several web pages in the background from well-known websites." The site adds: "This is done so that it never interrupts the user and is fully GDPR/CCPA compliant. The web pages are then sent to the companies, who use them to improve their databases, offering better products, services and prices."
These modified Android applications, called mods, are then distributed both inside and outside the Google Play Store. LumiApps promotes itself and the SDK as an alternative method of app monetization to displaying ads.
There is evidence indicating that the cyber criminal (or criminals) behind PROXYLIB is (or are) selling access to the proxy network created by the infected devices via LumiApps and Asocks, a company that advertises itself as a seller of residential proxies.
Additionally, in an effort to embed the SDK into as many apps as possible and expand the size of the botnet, LumiApps offers cash rewards to developers based on the amount of traffic that is routed through the devices of users who have installed their apps.
The SDK service is also advertised on social media and black hat forums.
Recent research published by Orange Cyberdefense and Sekoia has characterized residential proxies as part of a "fragmented but interconnected ecosystem," in which proxyware services are advertised in various ways, ranging from voluntary contributions to dedicated shops and resale channels.
"[In the case of SDKs] proxyware is often embedded in a product or service," the companies said. "Users may not notice that proxyware will be installed when they accept the terms of use of the main application with which it is integrated."
This lack of transparency leads users to share their Internet connection without clear understanding.
The development comes as Lumen Black Lotus Labs revealed that end-of-life (EoL) small office/home office (SOHO) routers and IoT devices are being compromised by a botnet known as TheMoon to power a criminal proxy service called Faceless.