Stealth Proxies: The Hidden Cost of Free VPN Apps on Android

TL;DR: More than 15 free VPN apps on Google Play secretly turned Android devices into proxies for potentially malicious activities, leveraging a covert SDK. This discovery underscores the risks associated with free VPN services and serves as a cautionary tale for users to prioritize privacy and opt for paid, reputable VPN solutions.

In a revealing investigation, it has emerged that over 15 free VPN applications available on Google Play covertly transformed Android smartphones into proxies, serving as a conduit for potentially unlawful activities. These apps were discovered to harness a malicious software development kit (SDK) that clandestinely enrolled users’ devices into a network of residential proxies—devices that reroute internet traffic, making it seem legitimate. This manipulation potentially ropes unsuspecting individuals into a web of cybercrime, spanning ad fraud, phishing, and more.

The implications are profound. Residential proxies, while having legitimate uses such as market research, are also a favored tool for cybercriminals to obscure their tracks. The affected Android VPN apps, identified by HUMAN’s Satori threat intelligence team, leveraged the “Proxylib” library from the LumiApps SDK to perform this surreptitious proxying. Notably, these apps, including popular titles like Oko VPN and Lite VPN, did so without user consent, hijacking users’ internet bandwidth and implicating them in the malfeasance conducted through their devices.

LumiApps’ platform, under scrutiny, purported to use devices’ IP addresses to gather publicly available web data—a seemingly innocuous activity that belies the potential for misuse. This raises questions about the complicity or ignorance of app developers in this scheme, highlighting a critical oversight in safeguarding user privacy and security.

Google’s response was to purge the Play Store of these infringing apps and enhance Play Protect’s detection capabilities. However, the reappearance of many of these apps under different developer accounts suggests a persistent challenge in effectively policing such deceptive practices.

For users, the lesson is stark: the allure of free VPN services comes with hidden risks, not least being ensnared in a cybercriminal network. Opting for reputable, paid VPN services offers a safeguard against such exploitation, underscoring the adage that if a product is free, you may well be the product.

