Cybersecurity

Discovery of Malicious Android Apps Turning Devices into Proxies

Malicious Android apps on the Google Play Store have been found turning the devices they run on into residential proxies for threat actors, and Google has removed 29 apps as a result. Two further items round out this digest: a Linux variant of the DinodasRAT backdoor targeting Red Hat and Ubuntu systems, and a look at EventSentry as one way for organizations to prevent, detect, and respond to attacks.

At a glance

  • Malicious Android apps on Google Play Store turned devices into residential proxies for threat actors.
  • Operation PROXYLIB involved a cluster of VPN apps containing a Golang library; Google removed 29 apps.
  • Threat actors use residential proxies to conceal IP addresses and carry out attacks.
  • LumiApps SDK is used for proxyware functionality in some malicious apps.
  • A Linux variant of DinodasRAT has targeted Red Hat and Ubuntu systems; it is built to monitor, control, and exfiltrate data from compromised servers.

The details

HUMAN’s Satori Threat Intelligence team has uncovered a set of malicious Android apps on the Google Play Store that turn the devices they run on into residential proxies for other threat actors.

This operation, known as PROXYLIB, involved a cluster of VPN apps containing a Golang library, leading to the removal of 29 apps by Google.

Threat actors use residential proxies to hide their own IP addresses: traffic is routed through intermediary devices sitting on ordinary consumer connections, so the apparent origin of an attack is a home user rather than the attacker’s infrastructure.

Malware Distribution

Malware operators build such a network by tricking users into installing these apps on their Android devices.

Once enrolled, a device relays requests on behalf of whoever is buying access to the network, so the owner’s connection becomes the apparent source of traffic they know nothing about.

Some of these malicious apps have been found to incorporate an SDK from LumiApps for proxyware functionality.

Threat Actor Tactics

LumiApps allows users to upload APK files and bundle the SDK without creating an account, facilitating the distribution of modified apps within and outside of the Google Play Store.

The threat actor behind PROXYLIB has been selling access to the proxy network through LumiApps and Asocks, with LumiApps offering cash rewards to developers based on the traffic routed through user devices.

In a separate report, a Linux version of the DinodasRAT malware (also tracked as XDealer) has been targeting Red Hat and Ubuntu systems since 2022. The Linux variant had not been publicly described before, although its first version has been traced back to 2021. ESET previously observed DinodasRAT compromising Windows systems in an espionage campaign against government entities, and Trend Micro reported that a Chinese APT group tracked as ‘Earth Krahang’ used XDealer to breach Windows and Linux systems of governments worldwide.

The Linux variant is built to monitor, control, and exfiltrate data from compromised systems, and it primarily targets Linux servers. It creates a hidden file in the directory where its binary resides so that only one instance runs, and it sets up persistence through SystemV or systemd startup scripts, executing once more while the parent process waits.

Infected machines are tagged with infection, hardware, and system details, and the resulting report is sent to a command and control (C2) server over TCP or UDP.
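The two host-side artifacts the attribution list credits to the Linux variant (a hidden file beside the running binary that serves as a single-instance lock, and persistence through SystemV or systemd startup scripts) are cheap to hunt for. The script below is an added example written for this page, not code from the cited reports or from the malware; the directories it scans, the seven-day window, and the sample tree it builds in a temporary directory are assumptions made for the demo, not details of a real infection.

```python
"""Hunt for a hidden file next to a running binary and for recently written
startup scripts. Added example; the sample tree is constructed in a tempdir."""
import os
import tempfile
import time
from pathlib import Path

STARTUP_DIRS = ("/etc/systemd/system", "/etc/init.d", "/etc/rc.d")  # assumed scope
RECENT_DAYS = 7  # assumed window


def running_executables(proc="/proc"):
    """Resolve /proc/<pid>/exe for every process we are allowed to read."""
    exes = set()
    for entry in Path(proc).iterdir():
        if entry.name.isdigit():
            try:
                exes.add(os.readlink(entry / "exe"))
            except OSError:
                continue
    return sorted(exes)


def hidden_siblings(exe_paths):
    """Map each executable to the dotfiles that share its directory.
    Packages rarely ship dotfiles beside a daemon binary, so a hit is a lead
    for a human, not an automatic alert."""
    findings = {}
    for exe in exe_paths:
        parent = Path(exe).parent
        try:
            dots = sorted(p.name for p in parent.iterdir() if p.name.startswith("."))
        except OSError:
            continue
        if dots:
            findings[exe] = dots
    return findings


def recent_startup_scripts(dirs, since):
    """Regular files under the startup directories modified at or after `since`
    (a Unix timestamp). Symlinks are skipped: enabling a unit creates one, and
    it would otherwise report the target's mtime."""
    hits = []
    for d in dirs:
        for root, _, files in os.walk(d):
            for name in files:
                p = Path(root) / name
                try:
                    if not p.is_symlink() and p.stat().st_mtime >= since:
                        hits.append(str(p))
                except OSError:
                    continue
    return sorted(hits)


def build_demo_tree(base):
    """Constructed sample: a daemon with a hidden lock file, a fresh unit file
    that launches it, and an untouched init script with an ancient mtime."""
    base = Path(base)
    bin_dir = base / "opt" / "agent"
    bin_dir.mkdir(parents=True)
    exe = bin_dir / "agentd"
    exe.write_bytes(b"\x7fELF")
    (bin_dir / ".agentd.lock").write_bytes(b"")
    unit_dir = base / "etc" / "systemd" / "system"
    unit_dir.mkdir(parents=True)
    (unit_dir / "agent.service").write_text("[Service]\nExecStart=/opt/agent/agentd\n")
    init_dir = base / "etc" / "init.d"
    init_dir.mkdir(parents=True)
    old_script = init_dir / "cron"
    old_script.write_text("#!/bin/sh\n")
    os.utime(old_script, (0, 0))  # make it look years old
    return str(exe), [str(unit_dir), str(init_dir)]


def run_demo():
    """Scan the constructed tree; returns basenames so the result is stable."""
    with tempfile.TemporaryDirectory() as tmp:
        exe, dirs = build_demo_tree(tmp)
        since = time.time() - RECENT_DAYS * 86400
        hidden = hidden_siblings([exe])
        recent = recent_startup_scripts(dirs, since)
        return {
            "hidden": hidden.get(exe, []),
            "recent": [os.path.basename(p) for p in recent],
        }


if __name__ == "__main__":
    print("demo:", run_demo())
    # On a live host, swap the constructed tree for the real one:
    # hidden_siblings(running_executables()) and
    # recent_startup_scripts(STARTUP_DIRS, time.time() - RECENT_DAYS * 86400)
```

On a real host the interesting output is the intersection: a unit file or init script written recently whose ExecStart points at a binary that also has a dotfile beside it. Either signal alone has benign explanations (a freshly installed package, an editor lock file), which is why the functions return leads rather than verdicts.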

The C2 exchange is encrypted with the Tiny Encryption Algorithm (TEA) in CBC mode. TEA is a small cipher from the mid-1990s chosen for ease of embedding rather than strength, so this keeps traffic away from casual inspection but not from an analyst who recovers the key from a sample. Researchers note that the malware gives the attacker complete control over compromised systems, and Kaspersky reports victims in China, Taiwan, Turkey, and Uzbekistan since October 2023.
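To make the C2 encryption concrete, here is TEA in CBC mode as an analyst would reimplement it to decrypt captured traffic once the key is known. This is an added example written for this page, not code from the malware or from the cited reports: the block cipher is textbook TEA (64-bit block, 128-bit key, 32 rounds), while the big-endian word order, PKCS#7 padding, and the sample key, IV and beacon are assumptions made for the demo, not details of the real implant.

```python
"""TEA block cipher with CBC chaining and PKCS#7 padding. Added example;
the key, IV and beacon below are constructed, not recovered from a sample."""
import struct

DELTA = 0x9E3779B9
MASK = 0xFFFFFFFF
BLOCK = 8


def tea_encrypt_block(block, key, rounds=32):
    """Encrypt one 8-byte block with a 16-byte key (textbook TEA)."""
    v0, v1 = struct.unpack(">2I", block)
    k0, k1, k2, k3 = struct.unpack(">4I", key)
    s = 0
    for _ in range(rounds):
        s = (s + DELTA) & MASK
        v0 = (v0 + (((v1 << 4) + k0) ^ (v1 + s) ^ ((v1 >> 5) + k1))) & MASK
        v1 = (v1 + (((v0 << 4) + k2) ^ (v0 + s) ^ ((v0 >> 5) + k3))) & MASK
    return struct.pack(">2I", v0, v1)


def tea_decrypt_block(block, key, rounds=32):
    """Inverse of tea_encrypt_block: run the rounds backwards."""
    v0, v1 = struct.unpack(">2I", block)
    k0, k1, k2, k3 = struct.unpack(">4I", key)
    s = (DELTA * rounds) & MASK
    for _ in range(rounds):
        v1 = (v1 - (((v0 << 4) + k2) ^ (v0 + s) ^ ((v0 >> 5) + k3))) & MASK
        v0 = (v0 - (((v1 << 4) + k0) ^ (v1 + s) ^ ((v1 >> 5) + k1))) & MASK
        s = (s - DELTA) & MASK
    return struct.pack(">2I", v0, v1)


def _pad(data):
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def _unpad(data):
    n = data[-1] if data else 0
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding: wrong key, wrong IV or truncated message")
    return data[:-n]


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def tea_cbc_encrypt(plaintext, key, iv):
    """CBC chaining: each plaintext block is XORed with the previous ciphertext block."""
    prev, out = iv, []
    padded = _pad(plaintext)
    for i in range(0, len(padded), BLOCK):
        prev = tea_encrypt_block(_xor(padded[i:i + BLOCK], prev), key)
        out.append(prev)
    return b"".join(out)


def tea_cbc_decrypt(ciphertext, key, iv):
    """Decrypt and strip padding; raises ValueError if key, IV or length is wrong."""
    if len(ciphertext) % BLOCK:
        raise ValueError("ciphertext is not a multiple of the block size")
    prev, out = iv, []
    for i in range(0, len(ciphertext), BLOCK):
        blk = ciphertext[i:i + BLOCK]
        out.append(_xor(tea_decrypt_block(blk, key), prev))
        prev = blk
    return _unpad(b"".join(out))


# Constructed sample: a beacon shaped like the host report the page describes,
# with a made-up key and IV standing in for values recovered from a sample.
DEMO_KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f")
DEMO_IV = bytes.fromhex("1122334455667788")
DEMO_BEACON = b'{"host":"srv-01","os":"Ubuntu 22.04","id":"c0ffee"}'


def demo_round_trip():
    """Encrypt the constructed beacon and decrypt it again."""
    ct = tea_cbc_encrypt(DEMO_BEACON, DEMO_KEY, DEMO_IV)
    return tea_cbc_decrypt(ct, DEMO_KEY, DEMO_IV)


def demo_cbc_hides_repeats():
    """In CBC, two identical plaintext blocks produce different ciphertext blocks."""
    ct = tea_cbc_encrypt(b"A" * 16, DEMO_KEY, DEMO_IV)
    return ct[:8] != ct[8:16]


if __name__ == "__main__":
    ct = tea_cbc_encrypt(DEMO_BEACON, DEMO_KEY, DEMO_IV)
    print("ciphertext:", ct.hex())
    print("decrypted :", demo_round_trip())
```

The practical use is the decrypt side: with the key and the IV convention pulled from the binary, captured TCP or UDP payloads can be fed through tea_cbc_decrypt to recover beacons and tasking. Real implants often deviate from the textbook (different word order, round count, or padding), so the padding check failing on real traffic is a hint to revisit those assumptions rather than the key.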

Despite the availability of security solutions, organizations continue to fall victim to ransomware and other threats; small and mid-size businesses are increasingly targeted because their IT departments are underfunded and complex enterprise products are often out of reach.

EventSentry, a monitoring product, offers an agent-based framework for detailed endpoint monitoring, validation scripts that check endpoint configuration from the inside, and compliance reports with dashboards. Its argument is that logs sent to a SIEM are only as good as the logs the operating system produces, so it validates audit settings on endpoints rather than relying on collection alone. A free 30-day evaluation is available for download.

Visibility of that kind, layered with other controls, is what lets an organization prevent, detect, and respond to attacks as threats and attack vectors evolve.

Article X-ray

Facts attribution

This section links each of the article’s facts back to its original source.

If you suspect false information in the article, you can use this section to investigate where it came from.

thehackernews.com
– Malicious Android apps on Google Play Store turn devices into residential proxies for other threat actors
– HUMAN’s Satori Threat Intelligence team discovered the cluster of VPN apps with Golang library
– Operation codenamed PROXYLIB, 29 apps removed by Google
– Residential proxies hide IP addresses by routing traffic through intermediary servers
– Threat actors use residential proxies to obfuscate origins and conduct attacks
– Networks can be created by malware operators tricking users into installing apps
– Android VPN apps enroll infected devices to network and process requests
– Some apps incorporate SDK from LumiApps for proxyware functionality
– LumiApps allows users to upload APK files and bundle SDK without creating an account
– Modified apps distributed in and out of Google Play Store
– Threat actor behind PROXYLIB selling access to proxy network through LumiApps and Asocks
– LumiApps offers cash rewards to developers based on traffic routed through user devices
– Residential proxies part of fragmented yet interconnected ecosystem
– Proxyware services advertised in various ways, lack of transparency leads to users sharing Internet connection
– End-of-life routers and IoT devices compromised by botnet TheMoon for criminal proxy service Faceless
bleepingcomputer.com
– Red Hat and Ubuntu systems have been targeted by a Linux version of the DinodasRAT malware since 2022
– The Linux variant of the malware has not been publicly described, but the first version was tracked to 2021
– ESET has seen DinodasRAT compromising Windows systems in an espionage campaign targeting government entities
– Trend Micro reported that a Chinese APT group known as ‘Earth Krahang’ used XDealer to breach Windows and Linux systems of governments worldwide
– The Linux variant of DinodasRAT creates a hidden file in the directory where its binary resides to prevent multiple instances from running
– The malware sets persistence on the computer using SystemV or SystemD startup scripts and executes once more while the parent process waits
– Infected machines are tagged using infection, hardware, and system details and the report is sent to the command and control (C2) server
– Communication with the C2 server occurs via TCP or UDP, and the malware uses the Tiny Encryption Algorithm (TEA) in CBC mode for secured data exchange
– DinodasRAT is designed to monitor, control, and exfiltrate data from compromised systems
– Researchers note that the malware gives the attacker complete control over compromised systems, primarily targeting Linux servers
– Kaspersky reports that since October 2023, the malware has affected victims in China, Taiwan, Turkey, and Uzbekistan
thehackernews.com
– Despite available security solutions, organizations are falling victim to Ransomware and other threats
– Small and mid-size businesses are increasingly targeted due to underfunded IT departments
– Complex enterprise security solutions are often out of reach for many companies
– Volume-based products incentivize users to collect less data to save funds
– Logs are crucial for monitoring efforts, especially on Windows platform
– Logs going into a SIEM are only as good as the logs produced by the OS
– EventSentry validates audit settings on endpoints and blocks unnecessary events
– Visibility is key to detecting and defending against malicious activity
– EventSentry offers agent-based monitoring framework for detailed endpoint monitoring
– EventSentry encourages users to reduce the number of monitoring tools used
– A layered approach is essential for cybersecurity
– EventSentry helps prevent, detect, and respond to attacks
– Most malware attacks start with delivery through phishing emails or social engineering
– EventSentry helps reduce attack surface and detect unusual activity
– EventSentry can detect malware persistence through various methods
– Validation scripts increase security of endpoints
– Vulnerability scanners have limited insight into Windows systems
– Validation scripts protect endpoints from the inside out
– EventSentry continuously performs checks to ensure network security
– EventSentry includes features to detect malware propagation
– EventSentry can detect unusual CPU activity and network traffic during execution phase
– EventSentry provides visibility into networks and strengthens baseline security
– EventSentry offers compliance reports with dashboards and an excellent ROI
– Free 30-day evaluation of EventSentry available for download
