Apps secretly turning devices into proxy network nodes removed from Google Play

Your smartphone might be part of a proxy network, and you might not even know it: all it takes is for you to download apps whose developers have included the functionality and didn’t mention it.

If that doesn’t sound so bad, you should know that being part of a residential proxy network means that your device might be that “last mile” of a threat actor’s traffic before they access a victim’s environment.

Apps roping smarphones into proxy networks are everywhere

Downloading mobile apps is something that most of us do regularly, but only security-savvy users know that that simple action carries many risks.

As recently released research by HUMAN Security‘s Satori Threat Intelligence team has revealed, researchers Google removing a single free VPN app from its Play Store due to it making devices part of a proxy network used for ad fraud revealed a more widespread problem: the library responsible for the proxy node enrollment has subsequently been found in many more apps, as well as one mobile software development kit (SDK).

“The original PROXYLIB library and the one embedded in the LumiApps SDK are highly similar, including file names and code structure which suggests that LumiApps SDK and the original library are likely built by the same threat actor. Based on some incremental changes to the code between PROXYLIB and the code in LumiApps, and subsequent versions of LumiApps itself, we believe LumiApps is a ‘newer’ version of the original library,” the team told Help Net Security.

“The LumiApps SDK is available freely for anyone to incorporate into their apps, and they advertise it as a way to make money from your app without resorting to ads. If a developer wanted to monetize their app, they could certainly consider using LumiApps and be unaware of what the code was doing in the background, enrolling the device of the user as a node in a residential proxy network without the user’s knowledge. Since the SDK is freely available on the LumiApps website, and advertised both on the dark web and on social media sites, anyone can build it into their apps if they register for an account.”

Though the LumiApps’s privacy policy talks about devices being part of the LumiApps networks, app developers might not read it before starting to use the SDF. Or they might know and don’t care. But end users – the app users – are unlikely to know all of this is happening in the background.

The researchers also say that the threat actor is using Asocks – a residential proxy seller – as a way to monetize the PROXYLIB network.

“The Asocks website provides no information on how their residential proxies are obtained. One of the sentences of the Terms of Service references a sentence that can be interpreted as the definition of proxy service,” they noted.

“When a user registers an account on lumiapps[.]io, the headers from the confirmation email contain the domain bproxy[.]one, which no longer has an accessible web page. However, when searching for this domain on archive[.]org, there was a non-stylized version of the Asocks website as recently as February 23, 2023. As a result, Satori researchers have high confidence that the two services are connected and potentially owned or operated by the same threat actor.”

The residential proxy market

Misleading users who install third-party software is just one of the ways in which residential proxy networks – which usually consists of computers, smartphones and IoT devices – are grown.

Some users voluntarily install proxyware to enroll their devices in these networks and exchange their bandwidth in return for payment. And then there’s attackers out there secretly installing proxyware on compromised user devices.

To be sure, residential proxy networks can be used for non-illicit objectives: advertisers, for example, can use them to check which ads play depending on IP geolocation, and they can also be use to register multiple accounts on the same online service

But in a recently released report by Sekoia.io and Orange Cyberdefense, the researchers pointed out that residential proxies represent a growing threat in cyberspace, frequently used by attacker groups to hide among legitimate traffic, to mount password spraying and brute force attacks, phishing campaigns, DDoS attacks, and more.

They also analyzed the rather opaque market of residential proxies sellers, and discovered that lot of the providers are “either not registered as an official legal entity in their respective country or possess only ‘mailbox’ offices in a country without stringent legislations on the topic (ex. the British Virgin Islands).”

Some providers don’t even have websites and prefer to sell their services directly through Telegram.

Also, many of the providers don’t identify and verify the client’s identity when getting an account, to make sure the proxies are used for legar purposes. Instead, they “cover” themselves by stating in the Terms of Service that “customers are responsible for the activity done with the rented proxies, and that they must abide by all applicable laws.”

Some claim to “ethically source” proxies added to their network, but offer no verifyiable proof for the claim.

Finally, the researchers have found evidence that the market’s fragmentation is illusory: “Some seemingly distinct [residential proxy providers] can be in fact closely interconnected, either by belonging to the same legal entity, by sharing a consistent portion of their server infrastructure or by using common cryptocurrency channels.”

What can consumers and enterprise defenders do?

Smartphone users should be careful downloading apps from online stores, whether they are first-party (e.g., Google Play) or third-party ones.

After Satori’s discovery of 28 (mostly “free VPN”) apps on Google Play carrying the PROXYLIB library, Google has removed them. (By the by, Google has also recently begun to mark independently validated VPN apps on Google Play.)

Google Play Protect, which is on by default on Android devices with Google Play Services, automatically protects users by disabling such apps, and provides a warning and asks users if they would like to uninstall them.

“The majority of the apps we identified containing the LumiApps SDK were not made available in the Google Play Store and were surfaced by HUMAN in third party online repositories, where they posed as ‘mods’,” Satori researchers told Help Net Security.

They also noted that Google Play Protect can warn users or block apps known to exhibit malicious behavior, even when those apps come from sources outside of Google Play.

“HUMAN continues to work closely with the Google Play Store and other entities to reduce PROXYLIB’s impact,” they added.

Sekoia.io and Orange Cyberdefense have additional advice internet users and for corporate defenders.

The former should avoid installing free programs that may bundle proxyware (or even malware) but, if they choose not to, they should:

• Read the Terms of Service of any application they install and deactivate the proxy feature (when possible)
• Avoid downloading cracked software and programs from outside of official app stores

“Due to the risks of running proxyware within a corporate network, i.e., actually having unapproved software installed on a managed device, organisations should preemptively ban installation of proxyware (via application black/whitelisting, user rights restriction, internal firewall/ACL rules, etc.),” the researchers advised.

“Those willing to identify proxyware already installed (or attempts to install such programs) within their networks should regularly hunt for the presence of specific known IOCs, on top of configuring detection strategies for suspicious traffic behaviour.”