Cluster of VPN Apps on Google Play Transformed Android Smartphones Into Proxy Nodes

The Satori Threat Intelligence Team from HUMAN recently discovered a series of VPN applications from the Google Play Store that covertly turned devices into proxy nodes. The security team named the operation PROXYLIB, a name linked to a specific Golang library used in the apps.

The first VPN app that exhibited malicious behavior was Oko VPN, discovered in May 2023. Further investigation into Oko VPN led Satori researchers to identify 28 more apps connected to PROXYLIB.
Right now, Android users receive automatic protection against PROXYLIB through Google Play Protect, which should guard against apps showing malicious behavior.

A Proxy Market

This incident exposed an entire network of residential proxies and its extensive use in a variety of cyber-attacks. The devices in these networks range from personal computing devices to IoT gadgets, and include both infected devices and devices whose owners are willingly joining these networks.

How to Protect Yourself

Firstly, Android users should limit their installations to essential apps, even when downloading from the Google Play Store. A good practice is to investigate the credibility of the app as well as the developer behind it.
If a router is infected, certain types of router malware that reside solely in memory can be eliminated with a simple reboot.
Invest in a dedicated access point, such as those offered by Ubiquiti or TP-Link, and pair it with an open-source router/firewall like OPNsense that benefits from frequent updates.

Photo by AS Photography.