Morrissey Technology

VPN Malware

Watch Out for These 28 VPNs and Other Apps Listed in a Google Malware Warning

Morrissey Technology – The use of VPNs has surged in recent years along with the growing need to browse the web more safely and avoid geo-fenced content.

Millions of people have installed VPNs on their Android phones, but it’s a good idea to pay attention to these warnings before downloading a new VPN on your device.

HUMAN’s Satori Threat Intelligence team of cybersecurity experts has issued a warning after discovering some VPN malware and other bad software.

Once installed, they can use a new threat, called PROXYLIB, to carry out ad fraud as well as phishing for personal data and password spraying. This is a brute force attack that attempts to break into accounts using passwords found in previous data breaches.

Even more concerning, all the apps found to contain the malware were available through the Google Play Store, meaning millions of people may have been able to access them.

All of them have been banned by Google, but this serves as a reminder to be careful before installing new software.

“The Satori Threat Intelligence HUMAN team recently identified a group of VPN apps available on the Google Play Store that turn users’ devices into proxy nodes without their knowledge,” the team explained in a blog post.

“The 28 apps containing the PROXYLIB SDK identified in this report have been removed from the Play Store and HUMAN continues to work to stop the threat posed by PROXYLIB.”

It has been confirmed that the Google Play Protect service will help stop PROXYLIB attacks in the future, so it’s best to make sure this function is enabled.

Unfortunately, the Satori Threat Intelligence team says more attacks are possible and Android users should remain vigilant when installing a new VPN.

“We hope that threat actors will continue to develop their TTPs to continue selling access to residential proxy networks generated by applications containing PROXYLIB,” Satori added as reported by the Mirror.

“HUMAN recommends that users download mobile applications exclusively from official marketplaces, such as the Google Play Store or iOS App Store. Furthermore, users should avoid clones or ‘mods’ of popular applications that may allow malware or unwanted functions such as the PROXYLIB residential proxy registration of the nodes discussed in this report to masquerade as harmless software.”

A complete list of the apps affected by Google’s ban is given below. It is currently unclear whether the developers knew their apps were infected with the threat or whether it was added later by cybercriminals.

The following is a list of applications affected by Google’s ban:

• Lite VPN

• Anims Keyboard

• Blaze Stride

• Byte Blade VPN

• Android 12 Launcher

• Android 13 Launcher

• Android 14 Launcher

• CaptainDroid Feeds

• Free Old Classic Movies

• Phone Comparison

• Fast Fly VPN

• Fast Fox VPN

• Fast Line VPN

• Funny Char Ging Animation

• Limo Edges

• Oko VPN

• Phone App Launcher

• Quick Flow VPN

• Sample VPN

• Secure Thunder

• Shine Secure

• Speed Surf

• Swift Shield VPN

• Turbo Track VPN

• Turbo Tunnel VPN

• Yellow Flash VPN

VPN Hack

List of Free VPNs that Hijack Android Phones

Morrissey Technology – A Virtual Private Network (VPN) is one way to get more security, and it can even bypass certain network filters when surfing in cyberspace. However, there are currently a number of VPNs that can hijack Android phones.

A report revealed that more than 15 free VPN apps on Google Play were found to use malicious software development kits that turn Android devices into residential proxies. This is most likely used for cybercrime and shopping bots.

Residential proxies are devices located in homes that route internet traffic on behalf of other, remote users, so that the traffic appears genuine and is less likely to be blocked.

While they have legitimate uses for market research, ad verification, and SEO, many cybercriminals use them to hide malicious activity, including ad fraud, spamming, phishing, credential stuffing, and password theft.

A report published by HUMAN’s Satori threat intelligence team lists 28 apps on Google Play that secretly turn Android devices into proxy servers. Of these 28 apps, 17 are declared as free VPN software.

Satori reported all of the offending apps used a software development kit (SDK) from LumiApps that contained “Proxylib,” a Golang library for proxying.

HUMAN discovered the first PROXYLIB carrier app in May 2023, a free Android VPN app called “Oko VPN.” The researchers then discovered the same library used by the Android app monetization service LumiApps.

“In late May 2023, Satori researchers observed activity on hacker forums and new VPN apps that referenced the monetization SDK, lumiapps[.]io,” Satori’s report explains.

“After further investigation, the team determined the SDK had exactly the same functionality and used the same server infrastructure as the malicious application analyzed as part of the investigation into previous versions of PROXYLIB.”

Subsequent investigation revealed 28 apps that used the ProxyLib library to turn Android devices into proxies. Here’s the list:

1. Lite VPN
2. Anims Keyboard
3. Blaze Stride
4. Byte Blade VPN
5. Android 12 Launcher (by CaptainDroid)
6. Android 13 Launcher (by CaptainDroid)
7. Android 14 Launcher (by CaptainDroid)
8. CaptainDroid Feeds
9. Free Old Classic Movies (by CaptainDroid)
10. Phone Comparison (by CaptainDroid)
11. Fast Fly VPN
12. Fast Fox VPN
13. Fast Line VPN
14. Funny Char Ging Animation
15. Limo Edges
16. Oko VPN
17. Phone App Launcher
18. Quick Flow VPN
19. Sample VPN
20. Secure Thunder
21. Shine Secure
22. Speed Surf
23. Swift Shield VPN
24. Turbo Track VPN
25. Turbo Tunnel VPN
26. Yellow Flash VPN
27. VPN Ultra
28. Run VPN

HUMAN believes the malicious apps are linked to Russian residential proxy service provider ‘Asocks’ after observing connections made to the proxy provider’s website. Asocks services are usually promoted to cybercriminals on hacking forums.

Following the HUMAN report, Google removed all new and existing apps using the LumiApps SDK from the Play Store in February 2024 and updated Google Play Protect to detect LumiApps libraries used in apps.

However, many of the apps listed above are now available again on the Google Play Store. This may be because the developer has removed the violating SDK.

Or it could be that the applications were published from different developer accounts, which could potentially indicate a ban on the previous account.