Several free Android VPN apps have been found to support a malicious residential proxy operation named ‘Proxylib.’
Proxylib infects Android devices with an agent that conceals malicious activities such as ad fraud, bot usage, or more dangerous operations like malware distribution and phishing campaigns. The agent routes user traffic through the infected Android devices, making it appear as if it originates from a legitimate, non-blocklisted source, which is essentially a residential IP address.
In May 2023, HUMAN’s Satori Threat Intelligence team discovered that Oko VPN, a free VPN app offered through the Google Play store, utilized a Golang library that performed proxy node enrollment. Further investigation unearthed connections to ‘Asocks,’ a shady residential proxy seller, suggesting a monetization scheme.
The app was using a specific Software Development Kit (SDK), identified as LumiApps, which performed the enrollment to proxy services covertly, without the knowledge or approval of users and perhaps without the VPN app developers’ knowing about it either.
Though not necessarily a threat to the victims’ privacy or security, being used as a proxy for potentially malicious operations eats up people’s available bandwidth and can get them into legal trouble, since their IP address appears as the source of the activity.
By digging deeper, HUMAN discovered 28 applications, all utilizing the same SDK, with 17 of them being free VPN apps. Here’s a list of the Android free VPN apps that acted as network traffic proxies:
- Lite VPN
- Byte Blade VPN
- Fast Fly VPN
- Fast Fox VPN
- Fast Line VPN
- Oko VPN
- Quick Flow VPN
- Sample VPN
- Secure Thunder
- Shine Secure
- Speed Surf
- Swift Shield VPN
- Turbo Track VPN
- Turbo Tunnel VPN
- Yellow Flash VPN
- VPN Ultra
- VPN Run
HUMAN reported its findings to Google, and the tech firm removed the offending apps from Google Play. Some of the apps were cleaned by their developers and returned to the store, so it is assumed that they are safe to use now.
Apps like Oko VPN and Fast Fox VPN, for example, are available on Google Play at the time of writing and have 50,000 downloads each. The most popular of the set is Lite VPN, which has 1 million downloads.
Despite HUMAN’s reporting and Google’s cleaning efforts, the malicious SDK continues to be promoted to unsuspecting app developers. This fact raises the possibility of Proxylib making a comeback on millions of phones through Android VPN or other types of apps on the Play store.
In general, we have advised against using free VPN apps due to the inherent risks and drawbacks that come with this choice, including data logging practices, weaker encryption standards, outdated protocols, ad injection practices, limited server options, poor performance, lack of customer support, and ultimately, using user devices as residential proxies.