Another warning has suddenly been issued, as dangerous apps are found hiding on Google’s Play Store, tricking users into putting their phones and data at risk…
Google is fighting a never-ending battle to rid its Play Store of dangerous malware; with each published security report, the list of those dangerous apps grows ever longer. The advice, though, doesn’t change—delete these apps today.
The latest report comes courtesy of Human’s Satori Threat Intelligence team and warns that a family of rogue VPN apps powered by a malicious SDK managed to bypass Google’s defenses to turn Android phones into proxies on a malicious network for hire. Once installed, the apps relay traffic for whoever rents that network, so an attack routed through the phone appears to come from its owner’s home IP address rather than from the attacker’s own infrastructure. Google has removed the offending versions of the apps from Play Store, and so the never-ending cycle continues.
Because the apps were made malicious by way of that SDK, it is possible that they return to Play Store with the SDK removed. Either way, delete any you have on your phone now; if you really need one of them, given how trivial most of them are, reinstall it afresh later.
The researchers behind this report explain that residential proxies, a form of network obfuscation, “can be used by threat actors to hide malicious activity, including password spraying, large-scale advertising fraud or credential stuffing attacks. When a threat actor uses a residential proxy, the traffic from these attacks appears to be coming from different residential IP addresses instead of an IP of a data center or other parts of a threat actor’s infrastructure.” Clearly, those proxy phones create a clean, expanding network of seemingly innocent IP addresses.
Such residential proxies can be used by legitimate businesses to enable web-scraping and other irritating activities that networks might otherwise detect and block. As the FBI warned last year on such techniques, “cyber criminals have relied extensively on the use of residential proxies, which are connected to residential internet connections and therefore are less likely to be identified as abnormal… Actors may opt to use proxies purchased from proxy services, including legitimate proxy service providers, to facilitate bypassing a website’s defenses by obfuscating the actual IP addresses, which may be individually blocked or originate from certain geographic regions.”
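To make that point concrete, here is an added example, not code from Human’s report or from the FBI notice, of why a proxy network like this defeats the usual per-IP login defence and what a detection has to key on instead. The log line format, the IP addresses (taken from the documentation ranges 203.0.113.0/24 and 198.51.100.0/24), the User-Agent strings and the thresholds are all constructed for the example; the two detection functions are an assumption about what a login service might run, not anything the page describes.

```python
"""Per-IP rate limiting versus aggregate detection of credential stuffing
routed through many residential IPs. Added example; all data is constructed."""
import re
from collections import defaultdict

# Constructed log format: "<ts> <ip> <method> <path> <status> ua="<agent>" user=<name>"
LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<ip>\S+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3}) '
    r'ua="(?P<ua>[^"]*)" user=(?P<user>\S+)$'
)

# Constructed User-Agent strings for the sample data below.
LEGIT_UA = "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) Safari/605.1.15"
STUFFING_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0 Safari/537.36"

# Constructed sample log: one real user mistyping a password twice, one clean
# login, then a credential-stuffing run spread over 30 different residential
# IPs, each trying exactly one account once (the pattern a proxy network enables).
SAMPLE_LOG = [
    f'2024-03-26T10:00:01Z 203.0.113.5 POST /login 401 ua="{LEGIT_UA}" user=alice',
    f'2024-03-26T10:00:09Z 203.0.113.5 POST /login 401 ua="{LEGIT_UA}" user=alice',
    f'2024-03-26T10:00:20Z 203.0.113.5 POST /login 200 ua="{LEGIT_UA}" user=alice',
    f'2024-03-26T10:01:02Z 203.0.113.7 POST /login 200 ua="{LEGIT_UA}" user=bob',
] + [
    f'2024-03-26T10:02:{i:02d}Z 198.51.100.{i} POST /login 401 ua="{STUFFING_UA}" user=victim{i:02d}'
    for i in range(1, 31)
]


def parse_line(line):
    """Parse one log line into a dict, or return None for lines in another format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["status"] = int(ev["status"])
    ev["failed"] = ev["status"] == 401
    return ev


EVENTS = [ev for ev in map(parse_line, SAMPLE_LOG) if ev]


def per_ip_offenders(events, max_failures=10):
    """The classic defence: count failed logins per source IP and block the noisy ones.
    Against a residential proxy network every IP fails once, so nothing is returned."""
    fails = defaultdict(int)
    for ev in events:
        if ev["failed"]:
            fails[ev["ip"]] += 1
    return {ip for ip, n in fails.items() if n > max_failures}


def distributed_stuffing_alerts(events, min_ips=20, min_accounts=20, min_failure_rate=0.9):
    """Aggregate by what the attacker cannot spread across IPs: the target endpoint,
    a fixed client fingerprint (here the User-Agent string, as a stand-in), a
    near-total failure ratio, and many distinct accounts. A real deployment would
    bucket these counters by time window; the sample data fits in one window."""
    clusters = defaultdict(lambda: {"attempts": 0, "failures": 0, "ips": set(), "users": set()})
    for ev in events:
        c = clusters[(ev["path"], ev["ua"])]
        c["attempts"] += 1
        c["failures"] += int(ev["failed"])
        c["ips"].add(ev["ip"])
        c["users"].add(ev["user"])

    alerts = []
    for (path, ua), c in clusters.items():
        rate = c["failures"] / c["attempts"]
        if len(c["ips"]) >= min_ips and len(c["users"]) >= min_accounts and rate >= min_failure_rate:
            alerts.append({
                "path": path,
                "ua": ua,
                "distinct_ips": len(c["ips"]),
                "distinct_accounts": len(c["users"]),
                "failure_rate": round(rate, 3),
            })
    return alerts


if __name__ == "__main__":
    print("per-IP offenders:", per_ip_offenders(EVENTS))            # empty set
    for alert in distributed_stuffing_alerts(EVENTS):
        print("distributed stuffing:", alert)
```

The thirty-IP run trips nothing in the per-IP counter because every address fails exactly once, which is precisely what the FBI warning describes; grouped by endpoint, client fingerprint and failure ratio across distinct accounts it stands out immediately. The User-Agent string is only a placeholder for a fingerprint, since attackers can randomise it as easily as the IP; in production prefer TLS or HTTP/2 fingerprints and per-account failure counts, and do not let a single residential IP block by itself, because behind a proxy network that address belongs to an innocent phone owner.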
As regards this latest campaign, the team’s investigation started with a free Android VPN called Oko VPN identified as a threat in 2023. “The application enrolls the user in a proxy network and receives instructions from a series of command-and-control (C2) servers for port/IP connections. After the enrollment, the infected device relays web requests to email sites, online retailers, Twitch streaming platforms, and more.”
Interestingly, that particular VPN also has an iOS app, but “Satori confirmed that the iOS version of the app was not malicious.”
The rogue apps, now removed from Play Store, are listed below. As ever, now that the threat has been identified, Google’s Play Protect will block future installs of any version of these apps that still carries the rogue SDK. But that will not remove any copies already on your phone. As above, delete them now and reinstall later, if you must.
- Lite VPN
- Anims Keyboard
- Blaze Stride
- Byte Blade VPN
- Android 12 Launcher
- Android 13 Launcher
- Android 14 Launcher
- CaptainDroid Feeds
- Free Old Classic Movies
- Phone Comparison
- Fast Fly VPN
- Fast Fox VPN
- Fast Line VPN
- Funny Char Ging Animation
- Limo Edges
- Oko VPN
- Phone App Launcher
- Quick Flow VPN
- Sample VPN
- Secure Thunder
- Shine Secure
- Speed Surf
- Swift Shield
- Turbo Track VPN
- Turbo Tunnel VPN
- Yellow Flash VPN
- VPN Ultra
- Run VPN
The Human team used the malicious library within that first VPN to track down the others. “These apps all included a malicious library which establishes a bidirectional connection to a proxy network, turning the device into a residential proxy node without the user’s awareness… The majority masquerade as free VPN apps.”
The infected devices create a network of proxies, and the threat actor behind the campaign can then sell access to that network. The team warns that “we expect to see the threat actor continue to evolve their TTPs in order to continue selling access to the residential proxy network,” given its continued development.
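The report describes the mechanism in three steps: the library on the phone opens a bidirectional connection out to the proxy network, it receives host and port instructions over that channel, and it relays the resulting web requests so the target sees the phone’s address. The following is an added simulation of that flow written for this article; it is not the malicious library’s code and borrows nothing from it. The class names, the JSON task format and the use of loopback addresses on ephemeral ports are all assumptions made so the three parties can run in one process offline.

```python
"""Simulation of a residential-proxy relay: an infected device (ProxyNode) dials
out to the network operator, takes host/port tasks over that channel, and
relays requests so the target site logs the device's address, not the operator's.
Added example; everything runs on 127.0.0.1 with ephemeral ports."""
import json
import socket
import threading


def _read_until_closed(sock):
    """Read from a socket until the peer closes its side."""
    chunks = []
    while True:
        chunk = sock.recv(4096)
        if not chunk:
            return b"".join(chunks)
        chunks.append(chunk)


class TargetSite:
    """Stands in for the site being attacked; records the peer address it sees,
    which is exactly what the site's access log would record."""

    def __init__(self):
        self.srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.srv.bind(("127.0.0.1", 0))  # loopback, kernel-chosen port
        self.srv.listen(5)
        self.port = self.srv.getsockname()[1]
        self.seen_peers = []
        threading.Thread(target=self._serve_one, daemon=True).start()

    def _serve_one(self):
        conn, peer = self.srv.accept()
        with conn:
            self.seen_peers.append(peer)
            conn.recv(4096)  # request content is irrelevant to the point being made
            conn.sendall(b"HTTP/1.0 200 OK\r\n\r\nhello from target\n")


class ProxyNode:
    """The infected device. It initiates the connection to the operator, so a home
    NAT or firewall never sees an inbound connection, then waits for tasks."""

    def __init__(self, operator_addr):
        self.ctrl = socket.create_connection(operator_addr)
        self.outbound_addrs = []  # the (ip, port) pairs the node uses toward targets
        threading.Thread(target=self._task_loop, daemon=True).start()

    def _task_loop(self):
        for line in self.ctrl.makefile("rb"):  # one JSON task per line from the operator
            task = json.loads(line)
            with socket.create_connection((task["host"], task["port"])) as upstream:
                self.outbound_addrs.append(upstream.getsockname())
                upstream.sendall(task["payload"].encode())
                upstream.shutdown(socket.SHUT_WR)
                reply = _read_until_closed(upstream)
            self.ctrl.sendall(json.dumps({"response": reply.decode()}).encode() + b"\n")


class Operator:
    """The proxy-network controller whose access is sold on to customers."""

    def __init__(self):
        self.srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.srv.bind(("127.0.0.1", 0))
        self.srv.listen(5)
        self.addr = self.srv.getsockname()
        self.node_conn = None
        self.node_lines = None

    def wait_for_node(self):
        self.node_conn, _ = self.srv.accept()
        self.node_lines = self.node_conn.makefile("rb")

    def fetch_via_node(self, host, port, payload):
        """Send a host/port/payload task down the node's own channel and return the reply."""
        task = {"host": host, "port": port, "payload": payload}
        self.node_conn.sendall(json.dumps(task).encode() + b"\n")
        return json.loads(self.node_lines.readline())["response"]


def run_demo():
    target = TargetSite()
    operator = Operator()
    node = ProxyNode(operator.addr)  # the device dials out to the operator
    operator.wait_for_node()
    body = operator.fetch_via_node("127.0.0.1", target.port, "GET / HTTP/1.0\r\n\r\n")
    return {
        "response": body,
        "target_saw": target.seen_peers[0],     # what the victim site logged
        "node_socket": node.outbound_addrs[0],  # the phone's outbound socket
        "operator_addr": operator.addr,         # the operator's address, never seen by the target
    }


if __name__ == "__main__":
    print(run_demo())
```

Two details carry the whole threat model. The node connects out and keeps the channel open, so the operator can push tasks to a phone sitting behind a home router with no port forwarding; and the target only ever sees the node’s socket, so a block list built from the operator’s infrastructure achieves nothing. On a real device the same pattern hides inside an SDK shipped with an otherwise ordinary VPN, launcher or keyboard app, which is why the advice is to delete the affected apps rather than look for anything suspicious on the network.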
That said, no rule set is watertight: these apps were on the official store and passed Google’s review, so the first rule alone would not have saved you here. Following all five golden rules does, however, greatly reduce the chance that attacks like this reach you:
- Stick to official app stores. Don’t use third-party stores, and never change your device’s security settings to allow installs from unknown sources.
- Check the developer in the app’s description. Avoid free apps unless it’s clear how the developer makes money, or it’s a household name. Check the reviews, too: do they look legitimate or farmed?
- Do not grant permissions to an app that it should not need: torch and star-gazing apps don’t need access to your contacts and phone. And never grant accessibility permissions that facilitate device control unless you have a genuine need.
- Never ever click links in emails or messages that directly download apps or updates—always use app stores for installs and updates.
- Do not install apps that link to established apps like WhatsApp unless you know for a fact they’re legitimate—check reviews and online write-ups.
Google’s advice on such matters is to rely on Play Protect; the company has said that “Android users are automatically protected against known versions of malware by Google Play Protect, which is on by default on Android devices with Google Play Services. Google Play Protect can warn users or block apps known to exhibit malicious behavior, even when those apps come from sources outside of Play.”
I have approached them for any additional comments here.
The use of VPNs to mask an attack is ironic, as VPNs are intended to secure devices and their traffic, and are highly recommended when traveling or accessing public, hotel or restaurant Wi-Fi. That means the VPN you choose is critical.
Just because a developer says its app is a VPN is not in and of itself a badge of security or legitimacy; there is no certification process they undergo. I would highly recommend a paid VPN given its importance; they’re not expensive. And definitely nothing from an unknown developer. Stick to household names.
Meanwhile, the cycle continues, so watch this space…