Hijacking Your Bandwidth How Proxyware Apps Open You Up to Risk
But is this true? To examine and understand the kind of risks a potential user might be exposed to by joining such programs, we recorded and analyzed network traffic from a large number of exit nodes of several different network bandwidth sharing services (exit nodes are computers who had these network bandwidth sharing services installed).
From January to September 2022, we recorded traffic coming from exit nodes of some of these passive income companies and examined the nature of the traffic being funneled through the exit nodes.
First of all, our observation confirmed that traffic from other app partners are funneled to our exit node and most of it is legitimate. We saw normal traffic, such as browsing news websites, listening to news streams, or even browsing online shopping websites. However, we also identified some questionable connections. These connections demonstrated that some users were performing activities that are suspicious or possibly illegal in some countries.
A summary of suspicious activities is given in the following table. We organized these activities by similarity and noted the proxy networks where we have observed these activities.
Suspicious activity | Traffic from Proxyware Applications |
Access to 3rd-party SMS and SMS PVA services | Honeygain, PacketStream |
Accessing potential click-fraud or silent advertisement sites | Honeygain |
SQL injection probing | Honeygain, PacketStream, IPRoyal Pawns |
Attempts to access /etc/passwd and other security scans | Honeygain, PacketStream |
Crawling government websites | Honeygain |
Crawling of personally identifiable information (including national IDs and SSN) | IPRoyal Pawns |
Bulk registration of social media accounts | IPRoyal Pawns |
In most cases, the application publishers probably would not be legally responsible for suspicious or malicious activities by the third-parties who use their proxy services. However, those who installed the “network bandwidth sharing” applications have no means of controlling or even monitoring what kind of traffic goes via their exit node. Therefore, these network sharing apps are classified as riskware applications that we call proxyware.
Suspicious activities from proxyware
The table above outlines the malicious and suspicious activity we observed, and we go into further detail about these activities in this section.
We observed multiple instances of automated access to third-party SMS PVA providers. What are SMS PVA services? We have written a paper about SMS PVA services and how they are often being (mis)used. In a nutshell, these services are often used for bulk registration of accounts in online services. Why do people often use them in combination with proxies? Those accounts are often bound to a particular geographical location or a region, and the location or a region has to match the phone number that is being used in the registration process. Thus, the users of SMS PVA services want their exit IP address to match the locality of the number, and sometimes use a specific service (in case a service is only accessible in a particular region).
These bulk registered accounts (aided by residential proxies and SMS PVA services) are often then used in a variety of dubious operations: social engineering and scams against individual users, and abuse of sign-up and promotion campaigns of various online businesses that could result in thousands of dollars in monetary loss.
Potential click fraud was another type of activity that we observed coming from these networks. Doing click-fraud or silent ad sites means that the computers with “passive income” software are used as exit nodes to “click” on advertisements in the background. Advertisers have to pay for ineffective clicks (no one really saw the ads) and the network traffic looks almost identical to a normal user clicking on the ads at home.
SQL injection is a common security scan that attempts to exploit user input validation vulnerabilities in order to dump, delete, or modify the content of a database. There are a number of tools that automate this task. However, doing security scanning without proper authorization and doing SQL injection scans without a written permission from the website owner is criminal activity in many countries and may result in prosecution. We have observed a number of attempts to probe for SQL injection vulnerabilities from many “passive income” software. This kind of traffic is risky and users who share their connections could potentially be involved in legal investigations.
Another similar set of activities with similar risks that we observed is scans from tools. These scans attempt to access the /etc/passwd file by trying to exploit various vulnerabilities — when successful, this signifies that a system is vulnerable to arbitrary file exposure and allows an attacker to obtain the password file on a server. Hackers use such software vulnerabilities to retrieve arbitrary files from vulnerable websites. Needless to say, it is illegal to conduct such activities without written permission from the server’s owner.
Crawling government websites might not be illegal at all. There usually are terms of fair use requiring that users not place too many queries at the same time. Many websites use technical means to prevent heavy crawling by using captcha services. We have observed the use of automated tools that use anti-captcha tools to bypass these restrictions while trying to access government websites. We have also seen crawlers that scrape for legal documents from law firms and court websites.
Crawling of personal identifiable information (PII) might not be illegal in all countries, but this activity is questionable because we do not know how such information may be later misused. In our study, we have seen a suspicious crawler downloading information of Brazilian citizens in bulk. Such information included names, dates of birth, gender and CPF (equivalent to national SSN). Obviously, if such activity is investigated, the “passive income” software users would be the first point of contact, as it would be their IP address that got logged on those websites.
People who register a lot of social media accounts can use it for multiple purposes, such as online spam, scam campaigns, and bots that spread misinformation and promote fake news. Such accounts are also often used to give fake reviews of goods and services. In the collected traffic, we have seen the registration of TikTok accounts with unconventional email addresses. Even though it is not illegal per se, users who have installed “passive income” software might be asked to prove who they are or to get through more “validate you are a human” tests in their normal browsing activity. This is because there are too many registered accounts from their home IP and they can be misidentified as being affiliated with those campaigns.
If you think these examples are farfetched, there is a case in 2017 when a Russian citizen was arrested and accused of terrorism. This person was running a Tor exit node and someone used this to post pro-violence messages during anti-government protests. Proxyware is similar to a Tor exit node because both funnel traffic from one user to another. This example specifically shows how much trouble you can get yourself into if you don’t know what the people using your computer as an exit node are doing.
Other variants of proxyware run without user consent
During our research, we also identified a group of unwanted applications that are distributed as free software tools. However, it appears to us that these applications are covertly turning the user machine into a proxy node. These applications appear to install Proxyware functionality on devices, like Globalhop SDK, without clearly notifying users that their devices will be used as passive exit nodes. Some end-user license agreement (EULA) documents may explicitly mention the inclusion of Globalhop SDK or the exit node functionality of the apps, while others do not. But, in our opinion, including notification only in the EULA—a document that few users ever read—doesn’t provide fair notice to users that installing the app will result in unknown third parties using their devices as an exit node.