Several free Android VPN apps have been found to support a malicious residential proxy operation named ‘Proxylib.’
Proxylib infects Android devices with an agent that conceals malicious activities such as ad fraud, bot usage, or more dangerous operations like malware distribution and phishing campaigns. The agent routes user traffic through the infected Android devices, making it appear as if it originates from a legitimate, non-blocklisted source, which is essentially a residential IP address.
In May 2023, HUMAN’s Satori Threat Intelligence team discovered that Oko VPN, a free VPN app offered through the Google Play store, utilized a Golang library that performed proxy node enrollment. Further investigation unearthed connections to ‘Asocks,’ a shady residential proxy seller, suggesting a monetization scheme.
The app was using a specific Software Development Kit (SDK), identified as LumiApps, which performed the enrollment to proxy services covertly, without the knowledge or approval of users and perhaps without the VPN app developers’ knowing about it either.
Though not necessarily a threat to the victims’ privacy or security, being used as a proxy for potentially malicious operations eats up people’s available bandwidth and can get them into legal trouble, since their IP address appears as the source of the activity.
By digging deeper, HUMAN discovered 28 applications, all utilizing the same SDK, with 17 of them being free VPN apps. Here’s a list of the free Android VPN apps that acted as network traffic proxies:
- Lite VPN
- Byte Blade VPN
- Fast Fly VPN
- Fast Fox VPN
- Fast Line VPN
- Oko VPN
- Quick Flow VPN
- Sample VPN
- Secure Thunder
- Shine Secure
- Speed Surf
- Swift Shield VPN
- Turbo Track VPN
- Turbo Tunnel VPN
- Yellow Flash VPN
- VPN Ultra
- VPN Run
HUMAN reported its findings to Google, and the tech firm removed the offending apps from Google Play. Some of the apps were cleaned by their developers and returned to the store, so it is assumed that they are safe to use now.
Apps like Oko VPN and Fast Fox VPN, for example, are available on Google Play at the time of writing and have 50,000 downloads each. The most popular of the set is Lite VPN, which has 1 million downloads.
Despite HUMAN’s reporting and Google’s cleaning efforts, the malicious SDK continues to be promoted to unsuspecting app developers. This fact raises the possibility of Proxylib making a comeback on millions of phones through Android VPN or other types of apps on the Play store.
In general, we have advised against using free VPN apps due to the inherent risks and drawbacks that come with this choice, including data logging practices, weaker encryption standards, outdated protocols, ad injection practices, limited server options, poor performance, lack of customer support, and ultimately, using user devices as residential proxies.
Concernedcitizen
The main issue is that you can find many blogs, sites, etc. that are advocating for the use of VPN to protect your private security.
Sadly, even if they DO tell you what VPN actually is, they usually DO NOT perform a true check for the services they advocate/advertise.
Hell, sometimes these experts, whether they are experts or not, actually provide false information.
(The money for which I can be blatantly stupid exists – a crude translation of an economist’s saying from my country.)
Recently I came upon a strange discussion about a developer accusing a person of pirating their program, whereas the accused only mentioned he was using a certain retailer’s page. (I am not sharing the sites, as I do not wish to advocate for this piracy site, more about why not later.)
As I was confused, I figured I would look into the matter to figure out what the actual hell is going on.
I did some digging, read a few blogs and review sites and finally managed to pinpoint the site which the developer was talking about, and from where the accused person actually downloaded his copy. (Who claimed he got it freely and legally.)
This site was not the retailer’s page, as the accused person claimed, but it appeared to be. The design and a few things of the webpage were different from the actual retailer’s; however, they used the original retailer’s name and added a word to it, making it seem like it is a “subpage” of the retailer. They even linked their technical support page to make it appear that they are a legit business and they are in relation with the retailer. (As an example, just think like microsoft.com and say microsoftunlimited.com, where the latter would offer all ms products for free.)
Of course all of it was false. It was a very well made piracy site, which offered a large number of programs to be downloaded and used for free. Many of the blogs and review sites that “promoted” or mentioned this site also claimed it to be SAFE, some even claimed it is LEGIT. Even though they describe in their articles that all these programs are cracked versions of the program.
A cracked version of a program is about 99.9% of the time a pirated version of a program, quite often containing malicious code or files hidden among or inside the program files. (There are quite a few mentions of actually finding these files in some forum posts. I might perform a more thorough investigation on this part.)
Yet experts (yes, even a cybersecurity expert!) and article writers are and were advocating and advertising for this and similar sites. To make the issue even more severe, these are game piracy sites. So the target audience is children and most likely young adults. Some of these children may even involuntarily ruin their own household this way, as if their parents use the computer for online banking, these kinds of data might be stolen easily if their child installs one of the games from here and it contains malicious code or files (usually they are infested with various trojans).
Would not be surprised if it is the same for many of the VPN SME sites.
(If I was a malicious person, I would go for VPN data phishing or some other malicious practice described in detail in the various articles in this comment, and on another site I would pose or assume a position where I appear to be a trusty person who knows about VPNs. Like a cyber security expert. This perhaps seems a bit more like a conspiracy theory, but since I have noticed the above attitude from a cyber security expert, where he openly advocates and advertises a game piracy site, it makes it less likely to be a theory, and more likely to be a possibility.)
Somchain148
Services like Any Ip are paying thousands of $ to app builders, they are operating freely and openly, why do you want it to stop?