List of Free VPNs that Hijack Android Phones
-- Virtual Private Networks (VPN) is one way that can provide more security, and can even bypass certain network filters when surfing in cyberspace. However, nowadays there are a number of VPNs that can hijack Android phones.
A report revealed that more than 15 free VPN apps on Google Play were found to use malicious software development kits that turn Android devices into residential proxies. This is most likely used for cybercrime and shopping bots.
Residential proxies are devices that route internet traffic through devices located at home to other remote users, so that the traffic appears genuine and is less likely to be blocked.
Although they have legitimate uses for market research, ad verification, and SEO, many cybercriminals use them to hide malicious activity, including ad fraud, spamming, phishing, credential stuffing, and password theft, reported Bleeping Computer, Wednesday(27/3).
A report published by HUMAN's Satori threat intelligence team lists 28 apps on Google Play that secretly turn Android devices into proxy servers. Of these 28 apps, 17 of them are declared as free VPN software.
Satori reported all of the offending apps used a software development kit (SDK) from LumiApps that contained "Proxylib," a Golang library for proxying.
HUMAN discovered the first PROXYLIB carrier app in May 2023, a free Android VPN app called "Oko VPN." The researchers then discovered the same library used by the Android app monetization service LumiApps. "In late May 2023, Satori researchers observed activity on hacker forums and new VPN apps that referenced the monetization SDK, lumiapps[.]io," Satori's report explains.
"After further investigation, the team determined the SDK had exactly the same functionality and used the same server infrastructure as the malicious application analyzed as part of the investigation into previous versions of PROXYLIB."
Subsequent investigation revealed 28 apps that used the ProxyLib library to turn Android devices into proxies. remember that...! Here's the list:
1. Lite VPN
2. Anims Keyboard
3. Blaze Stride
4. Byte Blade VPN
5. Android 12 Launcher (by CaptainDroid)
6. Android 13 Launcher (by CaptainDroid)
7. Android 14 Launcher (by CaptainDroid)
8. CaptainDroid Feeds
9. Free Old Classic Moves (by CaptainDroid)
10. Phone Comparison (by CaptainDroid)
11. Fast Fly VPN
12. Fast Fox VPN
13. Fast Line VPN
14. Funny Charging Animation
15. Limo Edges
16. OK VPN
17. Phone App Launcher
18. Quick Flow VPN
19. Sample VPN
20. Secure Thunder
21. Shine Secure
22. Speed Surf
23. Swift Shield VPN
24. Turbo Track VPN
25. Turbo Tunnel VPN
26. Yellow Flash VPN
27. UltraVPN
28. Run VPN
HUMAN believes the malicious apps are linked to Russian residential proxy service provider 'Asocks' after observing connections made to the proxy provider's website. Asocks services are usually promoted to cybercriminals on hacking forums.
Following the HUMAN report, Google removed all new and existing apps using the LumiApps SDK from the Play Store in February 2024 and updated Google Play Protect to detect LumiApp libraries used in apps.
However, many of the apps listed above are now available again on the Google Play Store. This may be because the developer has removed the violating SDK.
Or it could be that the applications were published from different developer accounts, which could potentially indicate a ban on the previous account.