Cybercriminal threat actors sell access to residential proxy networks to other threat actors who are looking to hide malicious behavior behind residential IPs, including credential stuffing attacks, password spraying or large-scale ad fraud. In May 2023, we identified a cluster of VPN apps available on the Google Play Store that transformed the user’s device into a proxy node without their knowledge. We’ve dubbed this operation PROXYLIB after the common library in each of the apps.
Researchers at IAS identified this malicious behavior in a single free VPN application — Oko VPN — on Google’s Play Store, and projected that the operators earned $2 million a month through conducting ad fraud prior to the app’s removal from the Play Store. Based on further analysis of Oko VPN, Satori researchers uncovered nearly 40 applications related to PROXYLIB. These apps shared a common native library, written in Golang, that enrolls the device as a proxy node.
The team later uncovered a subsequent version of PROXYLIB, offered online via the LumiApps SDK, and other adaptations by the threat actor that used the same Golang library to turn the device into a proxy node. This talk will provide a technical deep-dive into the PROXYLIB Android malware and the related Windows binaries. We will also discuss the attribution of PROXYLIB and how the threat actor was able to use an online residential proxy seller to monetize the campaign. Finally, we will provide an overview of how defenders can mitigate the threat posed by residential proxies, malicious Android applications and ad fraud in the context of campaigns like this one.