Free VPN Apps from Google Play Turn Users’ Smartphones into Proxies
Security experts from HUMAN Security have discovered more than 15 free VPN apps in the official Google Play store that used a malicious SDK. As a result, users’ Android devices were turned into residential proxies, which were likely sold to cybercriminals and trading bots. In total, researchers found 28 malicious apps that secretly turned devices into proxies, 17 of which disguised themselves as free VPNs. All these apps used an SDK from LumiApps, which contains Proxylib, a Go-based library for proxying.
How Proxylib Works
The first app carrying Proxylib was discovered back in May 2023—a free Android VPN app called Oko VPN. Later, researchers found that the same library was used in LumiApps’ Android app monetization service.
“At the end of May 2023, our specialists noticed activity on hacker forums and new VPN apps referencing the lumiapps[.]io monetization SDK. After further investigation, the team determined that this SDK had exactly the same functionality and used the same server infrastructure as the malicious apps we had previously studied as part of the Proxylib research,” the experts explained.
As a result of the investigation, 28 apps using the Proxylib library to turn Android devices into proxies were identified. The list can be seen below.
About LumiApps
LumiApps is a platform for monetizing Android apps, claiming that its SDK uses device IP addresses to load web pages in the background and send the collected data to companies.
“Lumiapps helps companies collect information that is publicly available on the internet by using users’ IP addresses to load several web pages from well-known sites in the background,” states the LumiApps website. “This is done in a way that does not interrupt users’ activities and is fully compliant with GDPR/CCPA. The web pages are then provided to companies, which use them to improve their databases, offering better products, services, and prices.”
It is still unclear whether the developers of these free apps knew that the SDK in question was turning their users’ devices into proxies, which could then be used for various unwanted activities. According to analysts, the malicious apps are linked to the Russian residential proxy provider Asocks, which is often advertised on hacker forums.
The report notes that in January 2024, LumiApps released the second version of its SDK, which included Proxylib v2. According to the company, this version addressed “integration issues” and now supports projects in Java, Kotlin, and Unity.
Campaign Timeline
After HUMAN Security published its report, Google removed all apps using the LumiApps SDK from the Play Store. In February 2024, Google updated Google Play Protect so that it could detect LumiApps libraries in apps.
Interestingly, many of the apps listed above are now available again in the Play Store. Apparently, their developers have removed the malicious SDK. Some apps have been published under different developer accounts, which may indicate that the old accounts were banned.