As an alternative to advertising, monetization SDKs are being used in apps in Google Play that utilize the phone as a SOCKS proxy. Appthority has already confirmed one major enterprise incident response based on the use of one of these SDKs and the traffic exiting the device.
These SDKs present a clear risk to users and enterprises where there are devices that have apps with these SDKs. For example, enterprises with these SDKs present on their network could be shown as the originating source for rotating web attacks through large numbers of IP addresses or for credit card fraud.
Applications in Google Play referencing these SDKs account for between 62 million and 252 million installs.
SOCKS proxies can help users mask their originating IP address as well as have their traffic route through different countries. Proxies are commonly used for:
- Web developers validating how their site works when accessed via different countries
- Security tools that inspect traffic in real time
- Bypassing government blocking of websites or services.
- Circumventing regional limitations of services such as Netflix or Amazon Prime Video
- Masking original IP address of a vulnerability scan
- Rotating web attacks through large numbers of IP addresses
- Committing credit card fraud
This proxied traffic could route via any network that the mobile device connects to. Additionally, the risks associated with SOCKS proxies can be introduced directly to the enterprise via consumer apps that have nothing to do with the enterprise.
One example of such a SOCKS proxy is MonkeySocks which advertises trustable proxies: “that are not detected as proxy while IP-address belongs to the user which means you are not going to be banned anywhere”.
Another example is Luminati.io which garnered some unfavorable press a couple of years ago. Luminati.io now advertises its benefits as: “Scrape any web data. Never blocked, never cloaked.”
Because of the risks associated with these proxy SDKs, Appthority recommends removing MonkeySocks and Luminati enabled apps from your enterprise environment as part of your organization’s Incident Response process.
Appthority customers are already protected against this threat as part of Appthority MTP’s Managed Trojan App Policy. Appthority customers can also add these new Threat Indicators to their organization’s existing App Policy set. Please reach out to your Appthority account team with any questions.