Seventeen free VPN apps on Google Play were found to bundle a malicious software development kit (SDK) that turns the devices they run on into residential proxy nodes, which can then be rented out to cybercriminals. A residential proxy routes a third party's traffic through the residential IP address of someone else's device, so the traffic appears to come from an ordinary home connection.
Residential proxies have legitimate uses such as market research, ad verification and SEO, but cybercriminals also use them to hide malicious activity like ad fraud, spam, phishing, credential stuffing and password spraying behind IP addresses that look trustworthy.
Some users voluntarily enroll in proxy services in exchange for money or rewards, but some proxy services use deceptive methods to install proxy tools on people's devices without consent. The victims end up with their Internet bandwidth hijacked without their knowledge, and they can face legal trouble if malicious traffic is traced back to their IP address.
Security firm Human's Satori threat intelligence team has listed 28 apps on Google Play that secretly turn Android devices into proxy servers. Of these, 17 are free VPN apps. All of them embed the LumiApps SDK, which contains "PROXYLIB," a Golang library that implements the proxy functionality.
Human discovered the first app containing PROXYLIB in May 2023: a VPN app called Oko VPN. After further investigation, the company published a list of 28 apps that use the PROXYLIB library to turn Android devices into proxies, including:
Lite VPN
Anims Keyboard
Blaze Stride
Byte Blade VPN
Android 12 Launcher (by CaptainDroid)
Android 13 Launcher (by CaptainDroid)
Android 14 Launcher (by CaptainDroid)
CaptainDroid Feeds
Free Old Classic Movies (by CaptainDroid)
Phone Comparison (by CaptainDroid)
Fast Fly VPN
Fast Fox VPN
Fast Line VPN
Funny Char Ging Animation
Limo Edges
Oko VPN
Phone App Launcher
Quick Flow VPN
Sample VPN
Secure Thunder
Shine Secure
Speed Surf
Swift Shield VPN
TurboTrack VPN
LumiApps is an Android app monetization platform. Its SDK uses the device's IP address to load web pages in the background and sends the retrieved content to paying customers. The company claims this is fully compliant with data protection regulations.
Following Human's report, Google removed all apps using the LumiApps SDK from the Play Store in February 2024 and updated Google Play Protect to detect LumiApps libraries in apps. Some of the removed apps have since reappeared on the Play Store, possibly because their developers removed the LumiApps SDK.
Anyone who has installed one of the apps listed above should uninstall it. More generally, a free VPN app has to pay for its servers somehow, and monetizing the user's device or traffic is a common way to do it; a paid VPN from a known vendor with a transparent business model is a safer choice than a free one.
(According to BleepingComputer)
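The behaviour described above, an app that quietly fetches web pages for strangers while the user is not using it, has a network fingerprint that differs from both a normal app and a normal VPN client: many unrelated destinations, contacted while the screen is off, with a steady stream of inbound bytes. The following heuristic is an added example written for this article, not code from Human, LumiApps or BleepingComputer. The log format (one per-app flow per line with the owning package, destination host, screen state and bytes received), the package names and the threshold of ten domains are all assumptions made for the illustration; real per-app flow data would come from a device's network statistics or a capture taken at the point where the app's sockets leave the device.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed log format (an assumption for this example): one per-app flow per line.
LINE_RE = re.compile(
    r"^app=(?P<app>\S+)\s+dst=(?P<dst>\S+)\s+screen=(?P<screen>on|off)\s+in=(?P<bytes>\d+)$"
)


@dataclass(frozen=True)
class Flow:
    app: str          # Android package name that owned the socket
    dst_host: str     # destination hostname
    screen_on: bool   # screen state when the flow started
    bytes_in: int     # bytes received by the app on this flow


def parse_line(line: str) -> Optional[Flow]:
    """Parse one constructed log line; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return Flow(m["app"], m["dst"], m["screen"] == "on", int(m["bytes"]))


def parse_log(text: str) -> List[Flow]:
    return [f for f in (parse_line(l) for l in text.splitlines()) if f is not None]


def registrable_domain(host: str) -> str:
    """Collapse a hostname to its last two labels (assumption: no public-suffix list,
    so co.uk-style names are over-collapsed; good enough for a heuristic)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def background_fanout(flows: List[Flow], own_domains=()) -> Dict[str, Tuple[int, int]]:
    """Per app: (distinct unrelated domains contacted while the screen was off,
    bytes received on those flows). own_domains lists an app's expected backend."""
    domains = defaultdict(set)
    received = defaultdict(int)
    own = {d.lower() for d in own_domains}
    for f in flows:
        if f.screen_on:           # screen-off is used as a proxy for "in the background"
            continue
        d = registrable_domain(f.dst_host)
        if d in own:              # talking to your own servers is expected
            continue
        domains[f.app].add(d)
        received[f.app] += f.bytes_in
    return {app: (len(ds), received[app]) for app, ds in domains.items()}


def flag_proxy_candidates(flows: List[Flow], min_domains: int = 10, own_domains=()) -> List[str]:
    """Apps that pull content from at least min_domains unrelated sites in the background."""
    stats = background_fanout(flows, own_domains)
    return sorted(app for app, (n, _) in stats.items() if n >= min_domains)


def constructed_log() -> str:
    """Sample input, constructed for this example (not captured from any real app)."""
    lines = ["app=com.example.weather dst=api.weather.example screen=off in=2200"] * 3
    # an ordinary VPN client only talks to its own gateway
    lines.append("app=com.example.goodvpn dst=gw3.goodvpn.example screen=off in=90000")
    # a proxy node looks different: many unrelated sites, screen off, steady inbound bytes
    for i in range(15):
        lines.append(f"app=com.example.fastvpn dst=www.site{i}.example screen=off in=48000")
    lines.append("app=com.example.fastvpn dst=gw1.fastvpn.example screen=on in=1200")
    lines.append("garbage line that does not parse")
    return "\n".join(lines)


if __name__ == "__main__":
    flows = parse_log(constructed_log())
    for app, (n, b) in sorted(background_fanout(flows).items()):
        print(f"{app}: {n} background domains, {b} bytes in")
    print("candidates:", flag_proxy_candidates(flows))
```

Two caveats when applying this to real data. First, per-app attribution depends on where the traffic is observed: a VPN client's own tunnel socket goes to a single gateway, so it is not flagged, but if a bundled proxy SDK sends its fetches through that same tunnel they will only be visible as tunnel traffic from outside the device. Second, browsers, feed readers and prefetching news apps legitimately contact many domains, so the threshold and the `own_domains` allow-list need tuning per app category rather than a single global value.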