March 27, 2024 at 10:54AM
Numerous VPN apps that turned Android devices into residential proxies made their way into the Google Play store. They contained a malicious library responsible for enrolling devices as proxy nodes and linked to Asocks, a residential proxy seller. The malicious functionality could be added to any APK through the LumiApps SDK, and the threat actor promotes the proxy network to developers as an alternative monetization method.
The key points of the report are:
– Dozens of VPN applications containing a Golang library linked to Asocks, a residential proxy seller, were submitted to the Google Play store as part of an operation called Proxylib. The apps were later removed from the store, but the same malicious functionality was also found in the LumiApps SDK.
– The malicious applications turn Android devices into proxies without the users’ knowledge, allowing threat actors to route traffic through them and hide malicious activity.
– The threat actor behind Proxylib incentivizes developers to include the LumiApps SDK by promoting it as an alternative monetization method, claiming it rewards developers based on the amount of traffic routed through their users’ devices.
– Human Security believes that LumiApps and Asocks may be owned or operated by the same threat actor, and expects the actor to keep evolving its tactics in order to continue selling access to the residential proxy network.
The report also mentions related security threats, such as the Anatsa Android banking trojan, the Chameleon Android malware, and malicious Android apps targeting Iranian mobile banking users.