Logo
FrontierNews.ai

How Fake Software Installers Are Turning Your Devices Into Hidden Proxy Networks

A sophisticated criminal operation dubbed Lurking Lizard has been quietly converting hundreds of thousands of devices into unauthorized proxy networks by disguising malware as popular software installers. The scheme, which dates back to at least August 2022, represents a troubling evolution in how attackers are monetizing compromised devices at scale, turning everyday computers and mobile phones into unwitting participants in a criminal infrastructure that can be rented out for hacking and fraud.

What Is a Residential Proxy Network and Why Should You Care?

A residential proxy network is essentially a collection of compromised home computers and devices whose internet addresses are hijacked to route traffic through them. Unlike data center proxies that are obviously commercial, residential proxies appear to come from real homes and offices, making them valuable to criminals who want to hide their tracks while launching attacks, committing fraud, or scraping data from websites.

The danger is immediate and personal. When your device becomes part of such a network without your knowledge, your home internet address can be weaponized. Attackers use these addresses to launch hacking campaigns, commit identity theft, or conduct other unauthorized activities. Meanwhile, you may find your own legitimate traffic flagged as suspicious or blocked by your service provider, creating a frustrating experience while you unknowingly host criminal infrastructure.

How Does Lurking Lizard Trick Users Into Installing Malware?

The operation's primary tactic involves creating fake installers for widely trusted software. In one notable campaign discovered earlier this year, attackers hosted a trojanized 7-Zip installer on a domain named "7zip.com" (note the subtle difference from the legitimate "7-zip.org"). Users searching for the popular file compression tool would find what appeared to be the real thing, download it, and unknowingly install malware alongside the legitimate software.

Lurking Lizard employs several sophisticated techniques to maintain this deception:

  • Domain Acquisition Strategy: The group acquires expired domains to inherit their accumulated history and legitimacy, a technique known as drop-catching that makes fake sites appear more trustworthy to search engines and users.
  • Impersonation of Legitimate Services: The operation impersonates major proxy providers including IPIDEA, SmartProxy, IP Royal, and 911Proxy, creating lookalike domains and fake review sites to drive traffic to their malicious storefronts.
  • Multi-Platform Distribution: Beyond desktop installers for 7-Zip and WhatsApp, the group has created fake applications for Android, macOS, and Windows, including a fake WireVPN app that accumulated over 1 million downloads on mobile platforms.
  • Traffic Manipulation: Victims are directed to malicious installers through tutorial content, search-driven discovery, and lookalike domains, exploiting the natural way people search for and download software.

How Large Is This Criminal Operation?

The scale of Lurking Lizard's infrastructure is staggering. The operation comprises more than 230 lookalike domains designed to impersonate legitimate proxy services and software providers. Analysis of the group's infrastructure suggests it is China-based, and the operation has been running continuously for years with increasing sophistication.

The interconnected nature of the proxy ecosystem reveals how deep the problem runs. Researchers from Proxyway discovered that 773,087 unique IP addresses linked to SmartProxy were also present in a publicly available dataset from IPIDEA, a proxy network that Google dismantled in January. This overlap suggests that compromised devices are being recycled and resold across multiple criminal proxy services, multiplying the reach of the malware.

What Makes This Threat Different From Other Malware?

Unlike ransomware or data-stealing malware that announce their presence through ransom demands or identity theft, residential proxy malware operates silently. Users may never realize their device has been compromised because the malware doesn't destroy files, encrypt data, or steal passwords. Instead, it quietly funnels third-party traffic through the victim's internet connection, consuming bandwidth and potentially exposing the device owner to legal liability if the proxied traffic is used for illegal activities.

This invisibility is precisely what makes the business model so profitable. Lurking Lizard operates a complete end-to-end criminal enterprise that spans victim acquisition, proxy infrastructure management, marketing through fake review sites, and monetization through fake proxy service storefronts. The operation demonstrates how attackers have evolved beyond simple malware distribution to build sustainable, multi-stage criminal businesses.

Steps to Protect Your Devices From Proxy Malware

  • Verify Software Sources: Always download software directly from official websites or verified app stores. Check the exact spelling of domain names, as attackers often use slightly misspelled versions like "7zip.com" instead of "7-zip.org" to deceive users.
  • Monitor Your Network Activity: Watch for unusual bandwidth consumption or network activity patterns that might indicate your device is being used as a proxy. Check your router's logs and network monitoring tools regularly.
  • Keep Systems Updated: Ensure your operating system, applications, and security software are fully patched and up to date, as outdated software is a common entry point for malware installation.
  • Use Reputable Security Software: Install and maintain legitimate antivirus and anti-malware tools that can detect and remove residential proxy malware before it compromises your device.
  • Be Skeptical of Reviews: When evaluating proxy services or other software, be aware that Lurking Lizard and similar groups create fake review sites to drive traffic to their malicious storefronts. Cross-reference reviews across multiple independent sources.

What Broader Cybersecurity Challenges Does This Reveal?

The Lurking Lizard operation is part of a larger pattern of escalating cyber threats that organizations and individuals face. According to recent cybersecurity research, the global cost of cybercrime is projected to rise from $9.22 trillion in 2024 to $13.82 trillion by 2028, reflecting how profitable and widespread these criminal operations have become.

The residential proxy ecosystem illustrates a fundamental challenge in modern cybersecurity: attackers only need to find one vulnerability or exploit one moment of user inattention to compromise a device. Once compromised, that device becomes part of a larger criminal infrastructure that can persist for years. The parallels between residential proxy malware and other forms of cybercrime suggest that solutions require coordinated action across multiple stakeholders, including software companies, internet service providers, law enforcement, and individual users.

Google's recent disruption of the NetNut residential proxy network, which had compromised at least 2 million smart TVs and streaming boxes, demonstrates that large-scale takedowns are possible. However, as long as the financial incentives remain high and the technical barriers remain low, new criminal operations like Lurking Lizard will continue to emerge, adapting their tactics and expanding their reach across platforms and geographies.