Researchers reported that malicious Android applications, including VPN-themed apps and software built with the LumiApps SDK, secretly enrolled users’ devices into a proxy network and routed third-party traffic through them without informed consent. HUMAN’s Satori team said the operation, tracked as PROXYLIB, used a Golang-based native library, libgojni.so, to contact command-and-control servers, register infected phones, and maintain persistent proxy connections through Android services and boot receivers.
The activity was linked to earlier infections found in Oko VPN and 28 related Google Play apps, as well as a later variant that could be embedded during app development or injected into APKs without source-code access. Investigators said the infrastructure and monetization appeared tied to Asocks, a residential proxy service, indicating the compromised devices were likely being sold as proxy exit nodes for cybercriminal use. Google removed the identified apps from Google Play, and Google Play Protect now detects or blocks known PROXYLIB-related applications, while researchers warned the operators are likely to keep shifting to third-party app stores and modified APK distribution.
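The two indicators the write-up names, a bundled Go native library called libgojni.so and persistence through a boot receiver, can both be checked statically from an APK without running it. The triage script below is an added example for defenders and is not code from HUMAN, Google or the story's sources; it treats an APK as the zip archive it is, lists the native libraries under lib/<abi>/, and looks for the RECEIVE_BOOT_COMPLETED permission string in the binary manifest (scanned as both UTF-8 and UTF-16LE, since compiled AXML stores its string pool in either). The sample APKs are constructed in memory. Caveat: libgojni.so is the default output name of any gomobile build, so a hit is a lead for further analysis, not a verdict.

```python
import io
import zipfile

# Indicators taken from the PROXYLIB reporting above. libgojni.so is also the
# default name gomobile gives any Go native library, so it is a triage lead only.
SUSPECT_NATIVE_LIBS = {"libgojni.so"}
BOOT_PERMISSION = "android.permission.RECEIVE_BOOT_COMPLETED"


def native_libs(apk_bytes: bytes) -> list[str]:
    """Return the paths of native libraries packaged under lib/<abi>/ in an APK."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        return sorted(n for n in zf.namelist()
                      if n.startswith("lib/") and n.endswith(".so"))


def requests_boot_permission(apk_bytes: bytes) -> bool:
    """Heuristic: look for the boot-completed permission string in the binary manifest.

    Compiled AndroidManifest.xml keeps its string pool as UTF-16LE or UTF-8,
    so both encodings are searched. This avoids a full AXML parser at the cost
    of missing obfuscated or split strings.
    """
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        manifest = zf.read("AndroidManifest.xml")
    needles = (BOOT_PERMISSION.encode("utf-8"), BOOT_PERMISSION.encode("utf-16-le"))
    return any(n in manifest for n in needles)


def triage_apk(apk_bytes: bytes) -> dict:
    """Combine the indicators into a small triage record for an analyst queue."""
    libs = native_libs(apk_bytes)
    suspect = sorted({lib.rsplit("/", 1)[-1] for lib in libs} & SUSPECT_NATIVE_LIBS)
    boot = requests_boot_permission(apk_bytes)
    return {
        "native_libs": libs,
        "suspect_libs": suspect,
        "boot_receiver_permission": boot,
        # Both indicators together match the persistence pattern described in the story.
        "review": bool(suspect) and boot,
    }


def build_sample_apk(lib_paths: list[str], boot_permission: bool) -> bytes:
    """Constructed stand-in for an APK: a zip with placeholder entries, not a real app."""
    manifest = b"<manifest>"
    if boot_permission:
        manifest += BOOT_PERMISSION.encode("utf-16-le")  # mimic an AXML UTF-16 string pool
    manifest += b"</manifest>"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", manifest)
        for path in lib_paths:
            zf.writestr(path, b"\x7fELF placeholder")  # no real code, just an entry
    return buf.getvalue()


if __name__ == "__main__":
    samples = {
        "benign":  build_sample_apk(["lib/arm64-v8a/libimage.so"], boot_permission=False),
        "go_only": build_sample_apk(["lib/arm64-v8a/libgojni.so"], boot_permission=False),
        "review":  build_sample_apk(["lib/arm64-v8a/libgojni.so",
                                     "lib/armeabi-v7a/libgojni.so"], boot_permission=True),
    }
    for name, apk in samples.items():
        print(name, triage_apk(apk))
```

Run it over a directory of APKs pulled from device backups or an MDM export and queue anything with `review` set; the two indicators on their own are common enough in legitimate apps that they belong in a scoring pipeline rather than a block list.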

Timeline: 3 events, from the most recent confirmed update back to the earliest known activity.
HUMAN found that a later variant of the operation used the LumiApps SDK, which could be integrated during app development or injected into APKs without source code access. The SDK used a Golang native library, libgojni.so, to contact command-and-control infrastructure, enroll devices, and maintain persistent proxy connections.
Google removed 28 identified apps from the Play Store after they were linked to the PROXYLIB Android proxy-enrollment operation. Google Play Protect also began detecting or blocking known PROXYLIB-related apps.
HUMAN Security analyzed an earlier PROXYLIB variant observed in Oko VPN and 28 related Google Play apps that covertly enrolled Android devices as residential proxy nodes. The investigation also tied the operation to Asocks, a residential proxy seller believed to monetize traffic routed through affected devices.
Sources: thehackernews.com; humansecurity.com