HUMAN Blog

The Impact of Residential Proxy Networks: PROXYLIB

HUMAN’s Satori Threat Intelligence team recently published its research into an operation we dubbed PROXYLIB. The operation used 28 apps on the Google Play Store, downloaded 3 million times in total, to enroll the devices that installed them as nodes in a proxy network, without the device owners ever knowing. The result was a large residential proxy network to which fraudsters could purchase access.

All of the identified malicious Android apps hosted on Google Play have been removed from the store. Android users are automatically protected from this behavior by Google Play Protect, which is on by default on Android devices with Google Play Services. Google Play Protect can warn users or block apps known to exhibit malicious behavior, even when those apps come from sources outside of Play.

The PROXYLIB threat actors monetized the scheme by selling access to the network to others. A buyer routed through one of these nodes could send traffic out through the device owner’s residential IP address, hiding the true origin of that traffic. The owner of the device would never know that other people’s traffic was leaving from their IP.

For a deep dive into how Satori uncovered this threat and the technical details of the investigation, see our technical report.

Residential proxy networks aren’t a new concept; fraudsters have long used them to obfuscate their activities. This investigation further exemplifies how pervasive residential proxies have become, and highlights what fraudsters can do once their traffic can no longer be traced back to them.

The Impact of Residential Proxy Networks

This isn’t the first time we’ve seen a large-scale operation rely on residential proxies. Last year, the Satori team uncovered an operation we dubbed BADBOX, in which the fraudsters installed malware on devices before they reached unwitting consumers; the malware activated once the device was plugged in. This let the BADBOX operators sell access to the victim’s home internet connection, which in turn could result in cybercriminal activity being traced to the victim’s door.

When a fraudster gains access to a residential proxy, their activity is concealed behind the unknowing user’s IP address. It’s essentially a costume a fraudster can wear while lurking around the internet: they look like someone else, and they appear to be coming from a different part of the world. That makes it considerably easier for them to launch attacks.

Fraudsters use residential proxies to obfuscate where attack traffic is coming from. Instead of looking plainly malicious, the traffic appears to originate from somebody else’s home address. These are home IPs that threat actors can buy access to and then use to conduct their attacks, making it much easier for them to blend in as real people. Defenders, ourselves included, see IPs that don’t look malicious; the traffic isn’t coming from a data center, which is easy to detect and block. When actors use residential IP addresses they also inherit the reputation and history behind them: if you solved CAPTCHAs and browsed the web as yourself, that reputation is attributed to your IP address. Residential proxies therefore make it harder for defenders to detect attackers and easier for attackers to blend in.

AI can make this worse by lowering the barrier to entry for new fraudsters, which makes malicious behavior even harder to detect.

Once a fraudster gains access to a residential IP, what do they do? Unfortunately, a lot of things. Most often we see account takeover (ATO) attacks. ATO gives fraudsters the most “bang for their buck”: access to a residential proxy network can be pricey, so a fraudster who pays for one has a strong incentive to extract as much value from it as possible. Depending on the kind of account, that can mean payment or bank details, rewards points, and more. Around the Big Game and other major sporting events, for instance, we see a stark increase in ATO attempts against sports betting apps; those accounts usually hold a balance, so a fraudster who gets in can move that money to themselves. Appearing to come from the victim’s own home IP makes it that much easier to slip past detection and into the account.
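As an added example, and not code from HUMAN or the PROXYLIB report, the Python below runs three detection rules over a constructed login log. The first is the datacenter-class IP filter the text describes as easy, which the proxied credential-stuffing run sails straight through. The other two are behavioural rules that do not depend on IP reputation at all: one watches how many distinct accounts a single IP tries in a short window, the other how many distinct IPs hit a single account, which catches an attacker rotating through a proxy pool so that no single node trips the first rule. The IP addresses are from documentation ranges, and every event, threshold and `ip_class` label is invented for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed login log, not real traffic: (timestamp, source_ip, ip_class, account, result).
# ip_class stands in for what an IP-intelligence lookup would return; a residential-proxy
# node and a genuine home connection both come back as "residential", which is the problem.
SAMPLE_LOGINS = [
    # Credential stuffing straight from a cloud host: the IP class gives it away.
    ("2024-03-10T20:00:01", "203.0.113.7",   "datacenter",  "alice", "fail"),
    ("2024-03-10T20:00:09", "203.0.113.7",   "datacenter",  "bob",   "fail"),
    ("2024-03-10T20:00:17", "203.0.113.7",   "datacenter",  "carol", "fail"),
    ("2024-03-10T20:00:25", "203.0.113.7",   "datacenter",  "dave",  "fail"),
    ("2024-03-10T20:00:33", "203.0.113.7",   "datacenter",  "erin",  "success"),
    # The same run routed through a residential proxy node: the class looks clean.
    ("2024-03-10T20:05:01", "198.51.100.23", "residential", "frank", "fail"),
    ("2024-03-10T20:05:12", "198.51.100.23", "residential", "grace", "fail"),
    ("2024-03-10T20:05:20", "198.51.100.23", "residential", "heidi", "fail"),
    ("2024-03-10T20:05:31", "198.51.100.23", "residential", "ivan",  "fail"),
    ("2024-03-10T20:05:44", "198.51.100.23", "residential", "judy",  "success"),
    # A real home user who mistypes a password once and then gets in.
    ("2024-03-10T20:07:00", "192.0.2.45",    "residential", "alice", "fail"),
    ("2024-03-10T20:07:20", "192.0.2.45",    "residential", "alice", "success"),
    # One target account attacked from five different proxy nodes, one try each,
    # so no single IP ever exceeds the per-IP threshold.
    ("2024-03-10T21:00:00", "198.51.100.40", "residential", "kate", "fail"),
    ("2024-03-10T21:00:30", "198.51.100.41", "residential", "kate", "fail"),
    ("2024-03-10T21:01:00", "198.51.100.42", "residential", "kate", "fail"),
    ("2024-03-10T21:01:30", "198.51.100.43", "residential", "kate", "fail"),
    ("2024-03-10T21:02:00", "198.51.100.44", "residential", "kate", "success"),
]


def _ts(value):
    return datetime.fromisoformat(value)


def flag_by_ip_class(events, blocked_classes=("datacenter",)):
    """Naive control: flag every source IP whose class is on the block list.
    Residential-proxy traffic is invisible to this rule by construction."""
    return {ip for _, ip, cls, _, _ in events if cls in blocked_classes}


def flag_by_ip_velocity(events, window=timedelta(minutes=5), min_accounts=4, min_fail_ratio=0.6):
    """Flag source IPs that, inside any `window`, attempt at least `min_accounts`
    distinct accounts with a failure share of at least `min_fail_ratio`.
    IP class is deliberately ignored; only behaviour counts."""
    by_ip = defaultdict(list)
    for ts, ip, _, account, result in events:
        by_ip[ip].append((_ts(ts), account, result))
    flagged = set()
    for ip, attempts in by_ip.items():
        attempts.sort()
        for i, (start, _, _) in enumerate(attempts):
            in_window = [a for a in attempts[i:] if a[0] - start <= window]
            accounts = {a[1] for a in in_window}
            fails = sum(1 for a in in_window if a[2] == "fail")
            if len(accounts) >= min_accounts and fails / len(in_window) >= min_fail_ratio:
                flagged.add(ip)
                break
    return flagged


def flag_by_account_spread(events, window=timedelta(minutes=10), min_ips=4):
    """Flag accounts attempted from at least `min_ips` distinct source IPs inside
    `window`. This is the complement of the per-IP rule: an attacker with a big
    enough proxy pool can keep each node under the per-IP threshold, but the
    target account still sees the whole pool."""
    by_account = defaultdict(list)
    for ts, ip, _, account, _ in events:
        by_account[account].append((_ts(ts), ip))
    flagged = set()
    for account, attempts in by_account.items():
        attempts.sort()
        for i, (start, _) in enumerate(attempts):
            ips = {ip for t, ip in attempts[i:] if t - start <= window}
            if len(ips) >= min_ips:
                flagged.add(account)
                break
    return flagged


if __name__ == "__main__":
    print("blocked by IP class:   ", sorted(flag_by_ip_class(SAMPLE_LOGINS)))
    print("flagged by IP velocity:", sorted(flag_by_ip_velocity(SAMPLE_LOGINS)))
    print("flagged accounts:      ", sorted(flag_by_account_spread(SAMPLE_LOGINS)))
```

The thresholds are illustrative and would be tuned against real traffic; the point is the shape of the rules. The class filter catches only 203.0.113.7, the per-IP velocity rule also catches the residential node 198.51.100.23 while leaving the genuine home user alone, and only the per-account rule catches the attack on `kate`, where the attacker spends one proxy node per attempt. Production systems layer further signals (device fingerprint, session behaviour, password-reuse patterns) on top of this, but none of them should hinge on the source IP looking residential.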

What You Can Do

While this all might sound a bit scary, there are ways that you can protect yourself and your customers from falling victim.

If your business uses customer accounts, you already know how important account security is. Working with a partner that fights account fraud such as ATO and fake account creation is essential to keeping your customers’ trust. Protecting your customers’ digital journey not only safeguards their data from these attacks but also reduces remediation cost and time for your team. This matters most around hype events in your industry (e.g., the Big Game or Black Friday shopping); those moments are prime for fraudsters because they can hide in the noise.

To learn more about residential proxy networks, join us for a LinkedIn Live with one of the threat intelligence researchers who uncovered PROXYLIB.