    Malicious apps secretly turn Android phones into proxies for cybercriminals

    By techempire

    Report | April 1, 2024 | Editorial Department | Botnet / Mobile Security

    Multiple malicious Android apps were discovered in the Google Play Store that turn mobile devices running the operating system into residential proxies (RESIP) for other threat actors.

    The findings come from HUMAN’s Satori Threat Intelligence team, which said the cluster of VPN apps came fitted with a Golang library that turns a user’s device into a proxy node without the user’s knowledge.

    The company has codenamed the operation PROXYLIB. The 29 problematic apps have since been removed by Google.

    A residential proxy is a network of proxy servers that originate from real IP addresses provided by an Internet Service Provider (ISP) and route Internet traffic through intermediary servers to help users hide their real IP addresses.

    The benefits of anonymity aside, they are ripe for abuse by threat actors, not only to obfuscate their origin but also to conduct widespread attacks.

    “When threat actors use residential proxies, the traffic from these attacks appears to originate from a different residential IP address, rather than the data center’s IP or other parts of the threat actor’s infrastructure,” the security researchers said. “Many threat actors purchase access to these networks to facilitate their operations.”

    Some of these networks may have been created by malware operators who trick unsuspecting users into installing fake apps that essentially corral the devices into a botnet, which the operators then monetize by selling access to other customers.

    The Android VPN apps discovered by HUMAN are designed to establish contact with a remote server, register the infected device with the network, and handle any requests from the proxy network.

    Another noteworthy aspect of these apps is that a subset identified between May and October 2023 contained LumiApps’ software development kit (SDK), which included the proxy software functionality. In both cases, the malicious functionality is implemented using native Golang libraries.
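    Because the proxy functionality ships as a native Golang library, one triage step when reviewing an APK is to list the native libraries that carry Go toolchain markers. The sketch below is an added example, not HUMAN's detection logic or code from the report; the marker set is a heuristic assumption, the sample APK and its file names are constructed, and a Go-built library is a reason to look closer, not proof of proxy behaviour.

```python
import io
import zipfile

# Heuristic byte markers commonly left in binaries built by the Go toolchain
# (an assumption of this example, not indicators taken from the report).
GO_MARKERS = {
    "go-buildinfo": b"\xff Go buildinf:",    # magic of the embedded build-info header
    "go-runtime-symbol": b"runtime.goexit",  # runtime function name kept in the symbol table
}
ELF_MAGIC = b"\x7fELF"


def find_go_native_libs(apk_bytes):
    """Return {path: [marker names]} for ELF libraries under lib/ that look Go-built."""
    hits = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for info in apk.infolist():
            name = info.filename
            # Android loads native code from lib/<abi>/*.so inside the APK.
            if not (name.startswith("lib/") and name.endswith(".so")):
                continue
            data = apk.read(info)
            if not data.startswith(ELF_MAGIC):
                continue  # not a real shared object
            found = sorted(k for k, marker in GO_MARKERS.items() if marker in data)
            if found:
                hits[name] = found
    return hits


def build_sample_apk():
    """Constructed sample: a zip with one Go-like and one plain native library."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AndroidManifest.xml", b"<manifest/>")
        z.writestr("lib/arm64-v8a/libexample_proxy.so",
                   ELF_MAGIC + b"\x00" * 32 + GO_MARKERS["go-buildinfo"] + b"\x08\x02"
                   + b"\x00" * 16 + b"runtime.goexit\x00")
        z.writestr("lib/arm64-v8a/libplain.so", ELF_MAGIC + b"\x00" * 64)
        z.writestr("assets/readme.so", GO_MARKERS["go-buildinfo"])  # outside lib/, ignored
    return buf.getvalue()


if __name__ == "__main__":
    for path, markers in find_go_native_libs(build_sample_apk()).items():
        print(path, markers)
```

    Libraries flagged this way still need their network behaviour reviewed, since many legitimate apps also bundle Go code.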

    LumiApps also offers a service that essentially allows users to upload any APK archive of their choice (including legitimate apps) and have the SDK bundled into it without having to create a user account, which can then be re-downloaded and shared with others.

    “LumiApps helps companies collect information publicly available on the Internet,” the Israeli company said on its website. “It uses the user’s IP address to load multiple pages of well-known websites in the background.”

    “This is done in a way that is not intrusive to the user and is fully GDPR/CCPA compliant. The web pages are then sent to the company, which uses them to improve the database and provide better products, services and pricing.”

    These modified apps, called mods, are then distributed inside and outside the Google Play Store. LumiApps promotes itself and the SDK as an alternative app monetization method to rendering ads.

    There is evidence that the threat actors behind PROXYLIB are selling access to the proxy network created by the infected devices through LumiApps and Asocks, a company that bills itself as a seller of residential proxies.

    Additionally, in an effort to incorporate the SDK into as many apps as possible and increase the size of the botnet, LumiApps offers developers cash rewards based on traffic routed through user devices with the app installed. SDK services are also advertised on social media and black hat forums.

    Recent research published by Orange Cyberdefense and Sekoia describes residential proxies as part of a “dispersed but interconnected ecosystem” in which proxy software services are advertised in a variety of ways, from voluntary contributions to specialized stores and resale channels.

    “[In the case of SDKs], the proxy software is often embedded in products or services,” the companies point out. “Users who accept the terms of use of the host application in which the proxy software is embedded may not notice that the proxy software will be installed. This lack of transparency results in users sharing their network connections without a clear understanding.”

    Lumen Black Lotus Labs has revealed that end-of-life (EoL) small office/home office (SOHO) routers and IoT devices are being attacked by a botnet called TheMoon, which powers a criminal proxy service called Faceless.
