Beware: free Android VPN apps can hijack your device
Nearly two dozen free Android VPN apps effectively turned host devices into residential proxies, researchers have revealed. All apps were subsequently removed from the Play Store, with some making a comeback after cleaning up their code.
Cybersecurity researchers from HUMAN’s Satori Intelligence Team recently discovered a total of 28 apps, all of which contained the “Proxylib” software development kit (SDK). Built in the Golang programming language, this SDK is designed to perform proxying, a process of routing Internet traffic through third-party devices.
Russian fingers
While proxying has legitimate, legal use cases, it is most likely criminal if the app does not clearly disclose it. Hackers use it to hide their traffic while committing ad fraud, phishing, and more.
Of the 28 apps, 17 were free VPN apps. Here’s the full list:
- Lite VPN
- Anims keyboard
- Blaze step
- ByteBlade VPN
- Android 12 Launcher (by CaptainDroid)
- Android 13 Launcher (by CaptainDroid)
- Android 14 Launcher (by CaptainDroid)
- CaptainDroid Feeds
- Free Old Classic Movies (by CaptainDroid)
- Phone Comparison (by CaptainDroid)
- Fast Fly VPN
- Fast Fox VPN
- Fast Line VPN
- Funny Char Ging animation
- Limousine edges
- Okay VPN
- Phone app launcher
- Quick Flow VPN
- Sample VPN
- Safe thunder
- Shine safely
- Speed surfing
- Swift Shield VPN
- TurboTrack VPN
- Turbo Tunnel VPN
- Yellow flash VPN
- VPN Ultra
- Run VPN
The researchers speculate that these apps are linked to Asocks, a Russia-based proxy service provider, as many apps are connected to the Asocks website, and the Asocks service is often promoted to cybercriminals on hacking forums.
After the apps were discovered, Google removed them all from the Play Store; some have since reappeared, possibly after removing the malicious SDK.
Users would be wise to double check if their apps are still listed in the Play Store and uninstall them if they are not. Alternatively, they should at least keep them updated to the latest version.
Via BleepingComputer