April 1, 2024 at 06:21AM
Malicious Android apps on Google Play turned devices into proxies for threat actors. HUMAN’s Satori team identified 29 of these VPN apps, tracked as PROXYLIB, and Google removed them. Residential proxies help hide IP addresses but are misused by threat actors for attacks. LumiApps’ SDK is used to create and monetize a botnet. Orange Cyberdefense and Sekoia published research on the interconnected ecosystem of proxyware services. Lumen Black Lotus Labs disclosed the compromise of end-of-life routers and IoT devices for a criminal proxy service called Faceless.
Key Takeaways from Meeting Notes:
– Malicious Android apps on the Google Play Store have been observed turning mobile devices into residential proxies for threat actors without user knowledge.
– These residential proxies can be used to hide the origins of threat actor attacks and are ripe for abuse in a wide range of attacks.
– Networks of residential proxies can be created by malware operators tricking users into installing bogus apps and then monetizing access to those devices.
– The Android VPN apps discovered are designed to enroll infected devices in a proxy network and process requests.
– There is evidence indicating that the threat actor behind this operation is selling access to the proxy network.
– LumiApps offers a service that bundles its SDK into legitimate APK files, allowing the distribution of malicious apps.
– In an effort to expand the botnet, LumiApps offers cash rewards to developers based on the amount of traffic routed through user devices.
– Research characterizes residential proxies as part of a fragmented yet interconnected ecosystem, in which users end up sharing their internet connection without a clear understanding of it.
– End-of-life routers and IoT devices are being compromised by a botnet known as TheMoon to power a criminal proxy service called Faceless.
Overall, the meeting notes highlight a significant security threat posed by the use of malicious mobile apps to create residential proxies, which can be leveraged by threat actors to conduct various attacks and obfuscate their origins. This underscores the importance of ongoing vigilance and proactive measures to protect against such threats.