The rise of free VPN apps for Android has brought with it new cybersecurity threats. Among the most dangerous is PROXYLIB, a malicious library that has infected dozens of Google Play Store apps, transforming smartphones into residential proxy nodes without consent. What does this mean for users? Real risk of personal and banking data leaks, account loss, illegal use of your resources, and possible crimes committed from your IP. Discover which apps you should delete immediately, how to identify risks, and why vigilance is more important than ever when downloading apps to your mobile.
What is PROXYLIB and how does it work in fraudulent VPN apps?

PROXYLIB is a malicious library integrated into applications that appear to be legitimate, especially in free VPN services and related apps (such as launchers, keyboards, and utilities). Its main function is to turn Android devices into residential proxy nodes so that cybercriminals can use your Internet connection to mask fraudulent and criminal activities.
Operation:
- The infected app installs the “libgojni.so” library (developed in Golang) in a hidden manner.
- Without the user's knowledge, the device registers with a control network (C2) where it receives external commands to route foreign traffic.
- The malware consumes bandwidth, mobile resources and battery, and may cause slowness, overheating or excessive data usage.
- All of this activity remains hidden, camouflaged by permissions and background services that go unnoticed.
- Proxy access is sold to third parties (other cybercriminal groups), which use your IP address to carry out attacks, online fraud, spam, identity theft, and more.
In many cases, developers of affected apps have integrated PROXYLIB, lured by promises of monetization: the LumiApps SDK offered "traffic revenue" in exchange for installing the malicious code, without the user being aware of it or receiving any reliable warning.
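The library name in the list above is the one file-level indicator the article gives, so a first triage of APK files can look for it under lib/<abi>/. The following is an added example, not code from HUMAN's report or from any affected app; the sample archives and file names are constructed.

```python
import io
import zipfile

# Indicator named in the article: the native library PROXYLIB ships as.
INDICATOR = "libgojni.so"

def find_indicator(apk_bytes, name=INDICATOR):
    """Return the ABI folders under lib/ holding `name`, or None if unreadable."""
    try:
        with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
            hits = []
            for entry in apk.namelist():
                parts = entry.split("/")
                # Native code sits at lib/<abi>/<file>.so inside an APK.
                if len(parts) == 3 and parts[0] == "lib" and parts[2] == name:
                    hits.append(parts[1])
            return sorted(hits)
    except zipfile.BadZipFile:
        return None  # keep "could not inspect" distinct from "nothing found"

def build_sample_apk(entries):
    """Constructed input: an in-memory zip with placeholder file bodies."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for entry in entries:
            z.writestr(entry, b"constructed placeholder")
    return buf.getvalue()

def triage(apks):
    """Map each file name to 'review', 'no-indicator' or 'unreadable'."""
    verdicts = {}
    for label, data in apks.items():
        abis = find_indicator(data)
        if abis is None:
            verdicts[label] = "unreadable"
        else:
            verdicts[label] = "review" if abis else "no-indicator"
    return verdicts

# Constructed samples; file names are hypothetical.
SAMPLES = {
    "sample-a.apk": build_sample_apk(["classes.dex", "lib/arm64-v8a/libgojni.so"]),
    "sample-b.apk": build_sample_apk(["classes.dex", "lib/arm64-v8a/libother.so"]),
    "sample-c.apk": b"truncated download",
}

if __name__ == "__main__":
    for label, verdict in triage(SAMPLES).items():
        print(label, verdict)
```

A "review" verdict is a reason to look closer, not proof of infection: libgojni.so is also the default library name that gomobile bind produces for legitimate Go code. When an app is installed as split APKs, the native libraries may sit in a separate split, so every APK file belonging to the package needs to be checked.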
Why is this threat so dangerous? Risks to the user

PROXYLIB infection is not immediately visible and does not cause alarming symptoms, but its consequences can be very serious:
- Loss of privacy: Your internet connection becomes a vehicle for illegal or suspicious activities. IP spoofing can affect your device without your knowledge.
- Leaked personal, banking and password data: Many of these apps collect information about the network, data traffic, logins, browsing history, and credentials, which end up in the hands of cybercriminals or are sold on underground markets.
- Unintentional participation in cybercrimes: Attackers can use your network for bank fraud, DDoS attacks, online scams, and money laundering on a large scale, putting your reputation and legal security at risk.
- Unjustified consumption of resources: Using a proxy node increases data traffic, causes rapid battery drain, and slows down normal mobile operation.
- Compromising Device Security: The affected apps open backdoors that can be exploited by other malware, increasing the chances of reinfection or further data theft.
How the scam was uncovered: HUMAN Threat Intelligence's investigation

The operation was identified and documented by HUMAN Security's Satori Threat Intelligence team, who first detected the suspicious behavior in Okay VPN, a free VPN available on Google Play. A thorough analysis revealed the existence of a malicious campaign with global reach based on the PROXYLIB library and the LumiApps SDK, affecting multiple applications (mainly VPNs, but also launchers, keyboards and utility apps).
The research showed:
- The network of proxy nodes created by the infected apps was offered commercially on platforms such as Asocks, allowing third parties to operate from the IP addresses of real users.
- More than 100,000 were identified. 150.000 combinations of IP addresses and ports, although the real infrastructure was based on thousands of exposed victims around the world.
- The LumiApps Kit allowed APKs (installable Android apps) to be modified without access to the original source code, thus facilitating the proliferation of malware in "modified" versions of popular apps.
- Google removed many of the affected apps from the Play Store after receiving the report, but some managed to return under different developer names or continue to circulate in third-party stores.
The ease with which developers could monetize user traffic made this attack especially lucrative and dangerous, as the economic incentive facilitated its rapid expansion.
Updated list of VPN apps infected with PROXYLIB and other malicious apps

If you have any of these apps installed on your Android device, you must uninstall it immediately, erase all your data, and run a trusted antivirus. Learn how to remove them.
- Android 12 Launcher
- Android 13 Launcher
- Android 14 Launcher
- Animas Keyboard
- Blaze Stride
- Byte Blade VPN
- CaptainDroid Feeds
- Fast Fly VPN
- Fast Fox VPN
- Fast Line VPN
- Free Old Classic Movies
- Funny Char Ging Animation
- Slime Edges
- LiteVPN
- Okay VPN
- Phone App Launcher
- Phone Comparison
- Quick Flow VPN
- Run VPN
- Sample VPN
- Secure Thunder
- Shine Secure
- Speed Surf
- Swift Shield
- Turbo Track VPN
- Turbo Tunnel VPN
- VPN Ultra
- Yellow Flash VPN
Other highly dangerous fraudulent VPNs detected
In addition, cybersecurity firms such as Kaspersky have warned about other fraudulent VPNs associated with the 911 S5 botnet and illegitimate proxy networks, such as or .
These apps have been responsible for compromising millions of devices and enabling major international fraud and cybercrime.
How can I tell if my phone is infected? Symptoms and detection methods

The PROXYLIB malware is very difficult to detect manually, as it operates in the background and hides its activity. However, some signs may alert you:
- Unexpected mobile data usage even without intensive use of the device.
- Drastic reduction in battery life and overheating of the mobile.
- Unexpected slowness or freezes, especially after installing new apps.
- Strange antivirus notifications or Google Play Protect alerts indicating harmful apps.
- Appearance of installed apps that you don't remember downloading, or suspicious permissions granted.
To check if you have dangerous apps, use app management apps like App Checker or check the list above directly in your installed apps.
If you have suspicions, immediately run a scan with a recognized antivirus (such as Avast Mobile Security, Kaspersky Mobile or similar) and remove dangerous apps.
Why are fraudulent free VPNs so prevalent on Google Play and other stores?

The exponential growth in demand for free VPNs has been exploited by cybercriminals to disguise malware as privacy and security services. Many users believe an app is safe just because it appears on Google Play or because it boasts "encryption and anonymity."
Factors that favor its spread:
- The ease with which developers can integrate monetization SDKs without extensive review.
- The misconception that free apps don't pose any risks.
- Insufficient review policies in some official stores and, especially, in alternative repositories.
- Appearance of "modified" versions (MODs) of popular apps that integrate malware without the consent of the original author.
- Economic motivations, as developers receive money for every megabyte of traffic redirected from infected phones.
Even after the removal of many apps from the Play Store, they continue to circulate through alternative stores and can be republished under other developers, so the threat remains.
Botnets and Malicious Proxy Networks: How Cybercriminals Profit at Your Expense

The emergence of PROXYLIB and fraudulent VPN applications is connected with the rise of international botnets such as 911 S5. These vast networks of infected devices allow cybercriminals to "rent" access to thousands of legitimate residential connections, facilitating all kinds of crimes:
- Bank fraud, identity theft and online scams.
- Money laundering using the IPs of ordinary users.
- DDoS attacks (server saturation) against companies or public organizations.
- Phishing and mass spam campaigns that are difficult to track due to the multiplicity of IPs involved.
It is estimated that millions of devices have been taken over by these botnets worldwide, compromising the privacy, integrity, and security of their owners without many ever discovering it.
Protective Measures: How to Avoid Fraudulent VPN Apps and Remove Proxylib Malware

To reduce the risk of infection and remove malware if necessary, follow these basic recommendations:
- Download apps only from official and reputable sources like Google Play (still check permissions, reviews and origin).
- Avoid installing free VPNs or little-known apps with many downloads but unknown developers.
- Find expert reviews, recent ratings, and safety alerts.
- Use an updated antivirus on your mobile, both to detect threats and to remove dangerous apps or modify suspicious settings.
- Regularly review app permissions and be wary of apps that request excessive access or behave unusually.
- Immediately uninstall any blacklisted apps like the ones we show you and delete all associated data before running a security scan.
- Set strong passwords, enable two-step authentication whenever possible, and be alert to strange messages.
At the slightest suspicion of malicious behavior, turn off your device, uninstall dangerous apps, and contact specialized technical support if you believe your personal, banking or access data has been exposed.
Are free VPNs reliable? Why it's better to opt for paid services

The appeal of free VPNs is undeniable: they promise anonymity, content unblocking, and privacy at no cost… but in security, cheap is usually expensive. Paid VPNs must meet strict quality controls, don't monetize your traffic or sell your data, and offer technical support and reliability.
Free VPNs, with the exception of well-known companies that limit use in their free version, can hide opaque business models, from showing you aggressive advertising to turning your phone into a proxy network without your knowledge (as in the cases of PROXYLIB and 911 S5).
What should you look for in a reliable VPN?
- Recognized provider with good reviews and a clear privacy policy.
- Whitelisting on cybersecurity portals and absence from reports of dangerous apps.
- Transparency on data use and zero-logging policy (no logs).
- Technical support options and regular updates.
Remember: If you don't pay for the product, you probably are the product. In the case of VPNs, the risk of "giving away" your resources and privacy can have catastrophic consequences.