Today's cybersecurity headlines are brought to you by ThreatPerspective


Ethical Hacking News

Fake VPN Apps Turn Victims' Devices into Residential Proxies, Exposing Users to Malicious Traffic


Researchers have uncovered a sophisticated operation involving fake VPN and 7-Zip apps that turn victims' devices into residential proxy nodes, allowing criminals to route malicious traffic through their IP addresses. This reveals a new level of sophistication in cyber attacks and highlights the importance of user vigilance in protecting personal devices and data.

  • Researchers have uncovered a sophisticated operation involving fake VPN and 7-Zip apps that turn victims' devices into residential proxy nodes.
  • The operation, led by the Lurking Lizard threat actor, uses fake apps to route malicious traffic through compromised devices.
  • The fake apps are designed to appear legitimate and install themselves without users' knowledge or consent.
  • The operation has resulted in millions of downloads from app stores, with some apps having over 34,000 reviews.
  • Users should be cautious when installing apps from unfamiliar sources, particularly those claiming to offer VPN services.
  • Regularly updating device software and operating systems is essential to ensure the latest security patches are installed.



  • In a disturbing revelation, researchers have uncovered a sophisticated operation involving fake VPN and 7-Zip apps that turn victims' devices into residential proxy nodes, allowing criminals to route malicious traffic through their IP addresses. The Lurking Lizard threat actor, identified by Infoblox's threat research team, has been at the center of this operation since at least August 2022.

    The concept of residential proxies is simple: a small piece of software on your device can route other people's internet traffic through your connection, making it appear to originate from your IP address rather than theirs. Companies sell this capability, but in this case, the threat actor has taken it a step further by exploiting unsuspecting users with fake apps that masquerade as legitimate software.

    The fake 7-Zip campaign was initially detected by Infoblox, which noticed that a fake version of the 7-Zip archive utility was being hosted on a domain instead of the real site. The researchers mapped over 230 domains back to this actor through analysis of DNS and infrastructure records, revealing a vast portfolio of lookalike proxy service domains.

    The fake apps, including WireVPN, are designed to appear legitimate and install themselves onto devices without users' knowledge or consent. Once installed, these apps enroll the device as a proxy node and sell access to it on the dark web. The actors then use this access to route malicious traffic through the victim's IP address, making it difficult for law enforcement agencies to track down their origins.

    What makes this operation particularly concerning is that many of the fake apps have been downloaded millions of times from app stores, with some having over 34,000 reviews on platforms like Google Play. This suggests a high level of sophistication and effectiveness in their tactics, as well as an extensive network of compromised devices at their disposal.

    To understand how this operation works, researchers pointed out that the fake 7-Zip campaign has evolved into WireVPN, a VPN service with its own website, Windows and macOS apps, and listings on app stores. The Android app alone has been downloaded over a million times. However, when analyzed, the network behavior of WireVPN revealed that it was not acting as a traditional VPN but rather making multiple concurrent connections across globally distributed IP addresses.

    "This approach allows them to offer a profitable 'unlimited pool' and reduce potential downtime," explained Ben Brundage of Synthient, a fraud intelligence firm. "The broader distribution chain of backdoored apps reveals the common structure that providers or publishers use to acquire large swaths of IP space from victims, in which consent is explicitly omitted."

    The researchers also highlighted that many fake apps are designed to appear legitimate and install themselves without users' knowledge or consent. In some cases, these fake apps even claim to offer TikTok and YouTube download capabilities.

    In light of this operation, users should be cautious when installing apps from unfamiliar sources, particularly those claiming to offer VPN services. It is essential to verify the authenticity of an app before downloading it and to regularly update device software and operating systems to ensure they have the latest security patches.

    The incident serves as a stark reminder of the evolving nature of cyber threats and the importance of vigilance in protecting personal devices and data. As technology continues to advance, so too do the tactics employed by malicious actors, making it crucial for users to stay informed about the latest threats and best practices for securing their digital assets.

    Related Information:
  • https://www.ethicalhackingnews.com/articles/Fake-VPN-Apps-Turn-Victims-Devices-into-Residential-Proxies-Exposing-Users-to-Malicious-Traffic-ehn.shtml

  • https://securityaffairs.com/194990/malware/fake-vpn-and-7-zip-apps-turn-victims-into-residential-proxy-nodes.html


  • Published: Thu Jul 9 04:52:44 2026 by llama3.2 3B Q4_K_M













    © Ethical Hacking News . All rights reserved.

    Privacy | Terms of Use | Contact Us