
Malicious app discovered that secretly turns Android phones into proxies for cybercriminals

By thedailyposting.com | April 1, 2024


April 1, 2024news roomBotnet/Mobile Security


Several malicious Android apps have been observed on the Google Play Store that turn mobile devices running the operating system into residential proxies (RESIPs) for other threat actors.

The findings come from HUMAN’s Satori Threat Intelligence Team, which says clusters of VPN apps included a Golang library that silently turned users’ devices into proxy nodes.

The operation has been codenamed PROXYLIB by the company. The 29 apps in question have since been removed by Google.

A residential proxy is a network of proxy servers sourced from real IP addresses provided by Internet service providers (ISPs), which helps users hide their real IP addresses by routing their Internet traffic through an intermediate server.

Apart from the benefit of anonymity, they are ripe for exploitation by threat actors to not only obfuscate their origins but also to carry out a wide range of attacks.


“When threat actors use residential proxies, the traffic from these attacks appears to come from a different residential IP address, rather than the IPs of the data center or other parts of the threat actor’s infrastructure,” said the security researcher. “Many threat actors purchase access to these networks to facilitate their operations.”

Some of these networks are created by malware operators who trick unsuspecting users into installing fake apps. Such an app essentially ropes the device into a botnet, which is then monetized by selling access to other customers.

The Android VPN apps discovered by HUMAN are designed to establish connections with remote servers, register infected devices with the network, and handle requests from proxy networks.

Another notable feature is that a subset of the apps, identified between May and October 2023, incorporates LumiApps’ software development kit (SDK), which includes proxyware functionality. In both cases, the malicious functionality is performed using native Golang libraries.
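A triage sketch for the point above that the proxy functionality ships in native Golang libraries (an added example, not code from HUMAN's report or from the apps themselves): it lists `.so` files under an APK's `lib/` directory that carry the Go linker's build-info marker. The sample APK and its file names are constructed inline; legitimate apps also ship Go-built libraries, so a hit only tells an analyst which library to examine first.

```python
import io
import zipfile

ELF_MAGIC = b"\x7fELF"
# Header of the build-info blob that the Go toolchain embeds in binaries.
GO_BUILDINFO_MAGIC = b"\xff Go buildinf:"


def go_native_libs(apk_bytes):
    """Return sorted paths of lib/<abi>/*.so entries that look Go-built."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for info in apk.infolist():
            name = info.filename
            # Native code in an APK lives under lib/<abi>/.
            if not (name.startswith("lib/") and name.endswith(".so")):
                continue
            data = apk.read(info)
            if data.startswith(ELF_MAGIC) and GO_BUILDINFO_MAGIC in data:
                hits.append(name)
    return sorted(hits)


def build_sample_apk():
    """Constructed sample: a tiny zip shaped like an APK, not a real app."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AndroidManifest.xml", b"<manifest/>")
        # Hypothetical Go-built library: ELF header plus the Go marker.
        z.writestr("lib/arm64-v8a/libexample_go.so",
                   ELF_MAGIC + b"\x00" * 32 + GO_BUILDINFO_MAGIC + b"\x08\x00")
        # Hypothetical C-built library: ELF header, no Go marker.
        z.writestr("lib/arm64-v8a/libexample_c.so", ELF_MAGIC + b"\x00" * 64)
        # Outside lib/, so it is ignored even though the marker is present.
        z.writestr("assets/notes.so", GO_BUILDINFO_MAGIC)
    return buf.getvalue()


if __name__ == "__main__":
    for path in go_native_libs(build_sample_apk()):
        print("Go-built native library:", path)
```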

LumiApps also offers a service that lets users upload any APK file, including genuine applications, and bundle the SDK into it without creating a user account. The modified file can then be re-downloaded and shared with others.

“LumiApps helps companies collect publicly available information on the Internet,” the Israeli company says on its website. “It uses the user’s IP address to load some web pages in the background from well-known websites.”

“This is done in a way that never interrupts users and is fully GDPR/CCPA compliant. The web pages are then sent to businesses, which use them to improve their databases and provide better products, services, and pricing.”

These modified apps (called MODs) are distributed both inside and outside the Google Play Store. LumiApps promotes itself and its SDK as an alternative way to monetize apps, in place of rendering ads.


There is evidence that the threat actors behind PROXYLIB sell access to proxy networks created by infected devices through Asocks, a company that promotes LumiApps and residential proxy sellers.

Additionally, in an effort to build the SDK into as many apps as possible and increase the size of the botnet, LumiApps offers cash rewards to developers based on the amount of traffic routed through user devices on which their apps are installed. The SDK service is also promoted on social media and black hat forums.

A recent study published by Orange Cyberdefense and Sekoia characterizes residential proxies as part of a “fragmented but interconnected ecosystem,” in which proxyware services are promoted in a variety of ways, from voluntary contributions to dedicated shops and resale channels.

“[In the case of SDKs], proxyware is often embedded in products and services,” the companies noted. “Users may not be aware that proxyware is being installed when they accept the terms of use of the main application in which it is embedded. This lack of transparency leads users to share their Internet connection without a clear understanding.”

The development comes after Lumen Black Lotus Labs disclosed that end-of-life (EoL) small office/home office (SOHO) routers and IoT devices are being compromised by a botnet known as TheMoon to power a criminal proxy service called Faceless.
