Researchers: Gabi Cirlig, Maor Elizen, Lindsay Kaye, Joao Marques, Vikas Parthasarathy, Joao Santos, Adam Sell, Inna Vasilyeva

Executive Summary

Residential proxies are frequently used by threat actors to conceal malicious activity, including advertising fraud and the use of bots. Access to residential proxy networks is often purchased from other threat actors who create them through enrolling unwitting users’ devices as nodes in the network through malware embedded in mobile, CTV or desktop applications.

HUMAN’s Satori Threat Intelligence team recently identified a cluster of VPN apps available on the Google Play Store that transformed the user’s device into a proxy node without their knowledge. We’ve dubbed this operation PROXYLIB after the Golang library responsible for the proxy node enrollment in each of the apps. 

In May 2023, researchers at a measurement company found malicious behavior in a single free VPN application—Oko VPN— on Google’s Play Store. The research resulted in Oko VPN’s removal from the Play Store. 

Based on further analysis of Oko VPN, Satori researchers uncovered 28 applications related to PROXYLIB. 

Satori researchers later discovered a subsequent version of PROXYLIB offered online via the LumiApps SDK as well as other adaptations by the threat actor that used the same Golang library to turn the device into a proxy node.

HUMAN has also found evidence connecting PROXYLIB to Asocks, a residential proxy seller and believes the threat actor is using Asocks as a way to monetize the PROXYLIB network.

Following the Satori team’s research, the Google Play Store has removed 28 apps from their listings. Additionally, HUMAN protects customers against many types of attacks that are often conducted using residential proxies, including account takeover attacks, transaction abuse, programmatic advertising fraud, and web scraping.

Going forward, Android users are automatically protected from the PROXYLIB attack by Google Play Protect, which is on by default on Android devices with Google Play Services. Google Play Protect can warn users or block apps known to exhibit malicious behavior, even when those apps come from sources outside of Play. HUMAN continues to work closely with the Google Play Store and other entities to reduce PROXYLIB’s impact. 

Background

Residential proxies are networks of residential IPs that route traffic from one device through another; they can be used by threat actors to hide malicious activity, including password spraying, large-scale advertising fraud or credential stuffing attacks. When a threat actor uses a residential proxy, the traffic from these attacks appears to be coming from different residential IP addresses instead of an IP of a data center or other parts of a threat actor’s infrastructure. As a result, the traffic’s origin is obfuscated.

Many threat actors purchase access to these networks to facilitate their operations. Some of these networks are created by other threat actors enrolling unwitting users’ devices as proxy nodes and selling access to the network.

Oko VPN (com.okovpn.app) is a free VPN app that has both Android and iOS versions and was first reported as a threat by IAS in May 2023. The Android application enrolls the user in a proxy network and receives instructions from a series of command-and-control (C2) servers for port/IP connections. After the enrollment, the infected device relays web requests to email sites, online retailers, Twitch streaming platforms, and more. The Oko VPN operators used the residential IP network created by the devices enrolled via the Oko VPN application in order to conduct ad fraud, mostly directed at video streaming platforms. The app was removed from the Google Play Store by Google on March 23, 2023. Satori confirmed that the iOS version of the app was not malicious and did not contain the PROXYLIB library. 

PROXYLIB Analysis

Satori researchers analyzed both the earlier versions of the PROXYLIB applications (related to Oko VPN) as well as newer versions of the threat that used an SDK known as LumiApps. Both versions of the malware function similarly, turning a device onto which a malicious app is installed into a residential proxy node using native library code written in Golang.

PROXYLIB v1

HUMAN verified the findings in the IAS report and identified 28 additional apps that contained PROXYLIB v1. These apps all included a malicious library which establishes a bidirectional connection to a proxy network, turning the device into a residential proxy node without the user’s awareness. Satori researchers identified 14 applications published on or before mid-May 2023 that implemented this malicious SDK. The majority of these applications masquerade as free VPN apps.

Two apps from the first variant of PROXYLIB (Source: HUMAN Threat Intelligence)

While the applications themselves were different, they all followed approximately the same process for loading the malicious library, enrolling the device in the proxy network, and running the proxy functionality. 

Relevant permissions used by the malware (Source: HUMAN Threat Intelligence)

Receiver for the BOOT_COMPLETED event (Source: HUMAN Threat Intelligence)

Once the application starts, the app will connect to a C2 server, the address of which was retrieved in a previous request. Then, a subsequent request enrolls the device in the network and creates a TCP connection between the device and the proxy network.

api.yellowflashvpn.com/api/v1/register to get C2 info (Source: HUMAN Threat Intelligence)

Once the connection is established, the library libgojni.so handles any incoming requests, maintaining persistence using the FOREGROUND_SERVICE and BOOT_COMPLETED permissions.

startServer call with nsignal[.]net as argument (Source: HUMAN Threat Intelligence)

The native library initiates and maintains a connection with the C2. The C2 (nsignal[.]net in the example below) is used to initiate a bidirectional socket on port 1334 through which the proxy traffic will be forwarded. Every 10 seconds, a new socket will be created via the client.NewServer function.

client.StartServer function that initiates a connection with the server appends nsignal[.]net on port 1334 (Source: HUMAN Threat Intelligence)

The socket maintains communication by using a “heartbeat” with a “ping pong” message in order to confirm that it has an established connection with the C2 and only then processes any request from the proxy network. 

Sequence of ping pong and http requests handler functions (Source: HUMAN Threat Intelligence)

client.handlePing function that reads and writes the “ping pong” message (Source: HUMAN Threat Intelligence)

The network traffic below shows this “heartbeat” with the “ping pong” message back and forth. 

TCP data stream between the C2 and the device, multiple connections to Instagram and popular domains (Source: HUMAN Threat Intelligence)

PROXYLIB v2: LumiApps SDK

In late May 2023, Satori researchers observed activity on hacker forums and new VPN applications referencing a monetization SDK, lumiapps[.]io. Upon further investigation, the team determined that this SDK has exactly the same functionality and uses the same server infrastructure as the malicious applications analyzed as part of the investigation into the earlier version of PROXYLIB. 

In addition to an SDK that developers can integrate into their code during development, LumiApps provides a service where any user can upload an APK to have the SDK added to it.  Users can then re-download or share this new version.

lumiapps[.]io landing page
(Source: HUMAN Threat Intelligence)

Download and sharing functionality for monetized version of APK
(Source: HUMAN Threat Intelligence)

This allows a user to automatically bundle the SDK without creating an account or having to recompile or implement the integration. Essentially, any user can upload an APK without possessing the source code, add the LumiApps SDK to it and re-download or share this modified version.

Documentation on integrating the LumiApps SDK into an application during development
(Source: HUMAN Threat Intelligence)

Satori has observed individuals using the LumiApps toolkit in the wild; most of the applications we identified between May and October 2023 appear to be modified versions of known legitimate applications, further indicating that users do not necessarily need to have access to the applications’ source code in order to modify them using LumiApps. These apps are largely named as “mods” or indicated as patched versions and shared outside of the Google Play Store.

Technical Analysis

As previously mentioned, LumiApps also provides developers the ability to integrate their SDK at development time into their Java, Kotlin or Unity projects as seen below in LumiApps’ documentation. The integration requires the inclusion of a library called app_pro.aar and the addition of 3 classes to the project: AppProService, AppProReceiver and AppProWorker.

Integration of SDK into project at development time
(Source: HUMAN Threat Intelligence)

Satori identified hundreds of apps in online third party repositories containing these IOCs, mainly “mods” distributed outside of the Google Play Store. We also found multiple developers who integrated the LumiApps SDK into their apps and distributed them in the Google Play Store.

One application with the LumiApps SDK installed
(Source: HUMAN Threat Intelligence)

These applications work very similarly to the applications analyzed as part of the first version of PROXYLIB threat. The AppProService class contains all of the malicious code to obtain the C2 server domain and load the libgojni.so native library. The AppProWorker and the AppProReceiver classes are simply responsible for starting the service. The former starts the service when the application runs for the first time, and the latter enables the service’s persistence and executes whenever the device is booted.

To obtain the C2 address, the application connects with either app-sdk-reg or app-sdk-poll endpoints on api[.]lumiapps[.]io/api/v1/clients and returns the C2 in the “signaling” JSON key and locally stores it in the shared preferences with the same.

LumiApps server that returns the C2 domain
(Source: HUMAN Threat Intelligence)

Just as with the first version of PROXYLIB, the C2 URL is provided as an argument for the proxylib.Proxylib.startServer method that executes native code as seen below.

Call to the startServer function in the PROXYLIB library with the C2 server as argument
(Source: HUMAN Threat Intelligence)

Monetizing PROXYLIB: Asocks

Satori researchers believe the threat actor behind PROXYLIB is selling access to the proxy network created by the infected devices through Asocks, a company that advertises itself as a seller of residential proxies. While monitoring the traffic from the PROXYLIB applications, Satori researchers observed several connections being made to asocks[.]com, a residential proxy network.

The Asocks website provides no information on how their residential proxies are obtained. One of the sentences of the Terms of Service references a sentence that can be interpreted as the definition of proxy service.

Linking Asocks to PROXYLIB

The Asocks platform allows users to create and manage their proxy connections and exit points, while it offers proxy nodes for nearly all countries, the availability of residential exit points varies significantly by country.

Country selection menu
(Source: HUMAN Threat Intelligence)

Of the more than 150,000 combinations of IP addresses and port numbers returned by an Asocks proxy-list endpoint, HUMAN found only 170 unique IP addresses that we believe are the proxy entry points.

After observing requests from the PROXYLIB malware directly to asocks[.]com, Satori researchers observed requests made to Asocks exiting through our infected test device, indicating that the device was now enrolled as a proxy node in the Asocks residential proxy network. This can be observed in the following screenshots: the first screenshot shows the IP of our Android test device with the PROXYLIB malware installed, and the second screenshot shows the exit IP address of a different device using the Asocks residential proxy service. Notice that the second device’s traffic is exiting through the test device’s IP address.

IP address of infected device
(Source: HUMAN Threat Intelligence)

Request from the client machine returning the IP address of our lab device
(Source: HUMAN Threat Intelligence)

Monetizing LumiApps SDK via Asocks

The threat actor behind PROXYLIB makes money by selling access to the residential proxy network to others. As a result, the threat actor must incentivize developers or other threat actors to build the LumiApps SDK and platform into their apps to ensure that as many proxy nodes are enrolled in the network as possible. 

The LumiApps platform promotes itself and its SDK as an alternative app monetization method to rendering ads to users. According to their FAQ and available information, the platform rewards developers with cash payment based on the amount of traffic that gets routed through user devices.

Cashout options, allows for payments in Paypal and crypto currencies
(Source: HUMAN Threat Intelligence)

There is specific language that attempts to legitimize the SDK, including a dialog box that purports to get user consent to the proxy service.

User consent screen shown in the lumiapps[.]io claims to render on a users device for each SDK integration
(Source: HUMAN Threat Intelligence)

The LumiApps SDK contains a sample MainActivity class that is responsible for showing the consent screen above, but HUMAN did not observe the class in any of the applications found in the wild. Furthermore, uploading an APK into the LumiApps tool does not add the disclosure message class to the final APK, it simply adds the backdoor code.

Sample MainActivity class with showTermsDialog that shows the disclosure
(Source: HUMAN Threat Intelligence)

Disclosure not present in a testing application uploaded to the automatic integration
(Source: HUMAN Threat Intelligence)

The threat actors behind LumiApps seek to recruit developers and other users to their platform to increase the number of users whose devices become nodes in their residential proxy network. Satori researchers found several instances of LumiApps promoting its SDK on social media and in hacker forums, showing that the threat actors target legitimate developers as well as cybercriminals.

Social media presence, profiles were also found on Facebook and X
(Source: HUMAN Threat Intelligence)

User newxomia promoting the Lumiapps SDK in Blackhat Forums
(Source: HUMAN Threat Intelligence)

Connecting LumiApps to Asocks

Satori researchers identified a connection between Asocks—the seller of residential proxies described above—and LumiApps through registration data from LumiApps platform. When a user registers an account on lumiapps[.]io, the headers from the confirmation email contain the domain bproxy[.]one, which no longer has an accessible web page. However, when searching for this domain on archive[.]org, there was a non-stylized version of the Asocks website as recently as February 23, 2023, as seen in the image below. As a result, Satori researchers have high confidence that the two services are connected and potentially owned or operated by the same threat actor.

Email header of from LumiApps[.]io when registering a new account
(Source: HUMAN Threat Intelligence)

Conclusion

At the time of the writing of this report, 28 applications containing the PROXYLIB SDK identified in this report have been removed from the Play Store and HUMAN continues to work to disrupt the threat posed by PROXYLIB. 

However, the threat actor continues to operate the LumiApps platform and release new versions of the SDK that can be built into additional apps. As a result, we expect to see the threat actor continue to evolve their TTPs in order to continue selling access to the residential proxy network generated by apps containing PROXYLIB. HUMAN Bot Defender blocked the vast majority of the traffic from IPs associated with Asocks that were used in ATO, scraping, scalping and other related attacks This is an ongoing investigation and effort to block malicious threat actors and fraud operations as cybercriminals continue to update the malicious SDKs. 

HUMAN recommends that users download mobile apps exclusively from official marketplaces, such as the Google Play Store or iOS App Store. Further, users should avoid clones or “mods” of popular apps which may allow malware or undesired functionality such as the PROXYLIB residential proxy node enrollment discussed in this report to masquerade as benign software.

Residential proxy networks aren’t going away, but HUMAN protects customers against many common attacks conducted using proxy networks. Account takeover attacks, programmatic ad fraud, web scraping, and transaction abuse all often operate through proxy networks as a mechanism to hide the true source of fraudulent traffic. But the Human Defense Platform doesn’t rely on IP addresses—the characteristic masked by using a residential proxy—to determine whether traffic is fraudulent or legitimate.

HUMAN will continue to monitor for adaptations of PROXYLIB and for attacks carried out through residential proxy networks.

Applications Uncovered and Removed as Part of the PROXYLIB Investigation

• app.litevpn.android
• com.anims.keyboard
• com.blazestride
• com.bytebladevpn
• com.captaindroid.android12.launcher
• com.captaindroid.android13.launcher
• com.captaindroid.android14.launcher
• com.captaindroid.feeds
• com.captaindroid.free.old.classic.movies
• com.captaindroid.phone.comparison
• com.fastflyvpn
• com.fastfoxvpn
• com.fastlinevpn.android
• com.funnychar.ginganimation
• com.limo.edges
• com.okovpn.app
• com.phone_app.launcher
• com.quickflowvpn
• com.samplevpn
• com.securethunder
• com.shinesecure
• com.speedsurf
• com.swiftshield.android
• com.turbotrackvpn
• com.turbotunnelvpn
• com.yellowflashvpn
• io.vpnultra
• run.vpn