Your Phone is My Proxy: How SDKs Turn Mobile Devices into Botnets
There’s nothing new about darknet posts offering residential proxy services, SDKs, or buying mass APK installs. Threat actors have long been turning users’ phones into proxy nodes for botnets.
I was curious about how cybercriminals build the system for residential IPs at scale, and this post on an underground forum caught my attention.
A bit of research helped me understand how a privacy policy can, if not properly understood, turn your phone into part of a botnet (yep, it's like a botnet!).
How SDK-Based Residential Proxies Work
Residential proxies are obtained through mobile SDKs, browser extensions, infected IoT/botnet devices, and purpose-built mobile proxy farms. These proxies route traffic through actual residential IP addresses, the IPs that ISPs (like Comcast, AT&T, or Airtel) assign to home and mobile subscribers. Because these IPs carry high reputation scores and the traffic appears to come from real users, they are far less likely to be blocked than datacenter proxies (which usually look suspicious or automated).
According to the NDSS 2021 paper “Your Phone is My Proxy: Detecting and Understanding Mobile Proxy Networks” (Mi et al.), these SDKs are present in over 300 million Android app installations.
How Does the SDK-Based Proxy Scheme Work?
These SDKs quietly opt users into proxy networks when they accept the app's permissions or privacy policy. It works like this: the user installs an app that bundles a proxy provider's SDK. The INTERNET permission the SDK needs is a normal permission that Android grants at install time without any prompt, and a foreground or background service keeps the SDK running. The SDK then opens a tunnel on the device: in the simplest form a local listening server (as in the skeleton below), but in practice an outbound, persistent connection to the provider's backend, because a phone behind carrier-grade NAT cannot accept inbound connections anyway. The backend pushes fetch jobs down that connection, the phone fetches the target from its own residential IP and returns the response. Either way the phone becomes a remote-controlled proxy node that forwards other people's traffic, with the whole arrangement covered by a consent clause buried in a privacy policy.
SDK embedded into the app by the developer → user installs the app and silently consents via the permission prompt or privacy policy → SDK opens a local proxy server (or an outbound tunnel to the provider) on the device
Example: Kotlin-Based Proxy SDK Skeleton
import android.app.Service
import android.content.Intent
import android.os.IBinder
import java.io.BufferedReader
import java.io.IOException
import java.io.InputStreamReader
import java.net.HttpURLConnection
import java.net.ServerSocket
import java.net.Socket
import java.net.URL

// Minimal relay: listens on a local port and forwards plain-HTTP requests on
// behalf of whoever connects. Illustrative skeleton only, not a real SDK.
class ProxyService : Service() {
    private var serverSocket: ServerSocket? = null
    private val port = 49500 // Fixed high port, chosen to blend in with ephemeral traffic

    override fun onCreate() {
        super.onCreate()
        Thread {
            try {
                serverSocket = ServerSocket(port)
                while (true) {
                    val clientSocket = serverSocket!!.accept()
                    handleRequest(clientSocket)
                }
            } catch (e: IOException) {
                e.printStackTrace()
            }
        }.start()
    }

    private fun handleRequest(client: Socket) {
        Thread {
            try {
                val reader = BufferedReader(InputStreamReader(client.getInputStream()))
                val output = client.getOutputStream()
                // Request line from the proxy network's client, e.g. "GET http://example.com/ HTTP/1.1"
                val requestLine = reader.readLine() ?: return@Thread
                val parts = requestLine.split(" ")
                if (parts.size < 2) {
                    client.close()
                    return@Thread
                }
                val method = parts[0]
                // In a real SDK the target is handed down by the provider's backend;
                // here it is taken from the absolute URL in the request line
                val target = URL(parts[1])
                // Drain the request headers (this skeleton does not forward them)
                while (true) {
                    val line = reader.readLine()
                    if (line.isNullOrEmpty()) break
                }
                // Forward the request to the target server (proxy relay)
                val conn = target.openConnection() as HttpURLConnection
                conn.requestMethod = method
                conn.connect()
                // Write a status line so the client receives a well-formed HTTP response
                output.write("HTTP/1.1 ${conn.responseCode} ${conn.responseMessage}\r\n\r\n".toByteArray())
                val body = if (conn.responseCode < 400) conn.inputStream else conn.errorStream
                body?.copyTo(output)
                output.flush()
            } catch (e: Exception) {
                e.printStackTrace()
            } finally {
                try { client.close() } catch (ignored: IOException) {}
            }
        }.start()
    }

    override fun onDestroy() {
        super.onDestroy()
        serverSocket?.close()
    }

    override fun onBind(intent: Intent?): IBinder? = null
}
--------------------------------------------------------------------
Code suggested by ChatGPT
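A defender's check for the behaviour the skeleton above implements, as an added example that is not part of the original post or of any SDK: it parses an Android /proc/net/tcp snapshot (pull it with `adb shell cat /proc/net/tcp` from an adb shell or root) and reports listening sockets owned by app UIDs on non-privileged ports, together with that app's open outbound connections, which is where a NAT-friendly SDK tunnel shows up instead. The snapshot, UID 10234 and the 203.0.113.10 peer are constructed for the example.

```python
"""Find app-owned proxy listeners in an Android /proc/net/tcp snapshot.

Added example for this post (not code from the paper or from any proxy SDK).
Pull the snapshot with `adb shell cat /proc/net/tcp` and pass its text to
report(); the sample below is constructed to look like that file.
"""
import socket
import struct

TCP_ESTABLISHED = 0x01
TCP_LISTEN = 0x0A
FIRST_APP_UID = 10000  # Android gives installed apps UIDs from 10000 upwards

# Constructed snapshot (not from a real device). Row 1 is an app-owned
# listener on 0.0.0.0:49500, the port used by the skeleton above; row 2 is the
# same UID holding an outbound TLS connection, the shape a real SDK tunnel has.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 18231 1 0000000000000000 100 0 0 10 0
   1: 00000000:C15C 00000000:0000 0A 00000000:00000000 00:00000000 00000000 10234        0 29817 1 0000000000000000 100 0 0 10 0
   2: 0F02000A:B9A2 0A7100CB:01BB 01 00000000:00000000 00:00000000 00000000 10234        0 29830 1 0000000000000000 20 4 30 10 -1
"""


def decode_addr(hex_addr: str) -> tuple[str, int]:
    """'0100007F:C15C' -> ('127.0.0.1', 49500): the kernel prints IPv4 little-endian."""
    ip_hex, port_hex = hex_addr.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
    return ip, int(port_hex, 16)


def parse_proc_net_tcp(text: str) -> list[dict]:
    """Parse the whitespace-separated columns into one dict per socket."""
    rows = []
    for line in text.splitlines()[1:]:  # first line is the column header
        fields = line.split()
        if len(fields) < 10:
            continue
        local_ip, local_port = decode_addr(fields[1])
        remote_ip, remote_port = decode_addr(fields[2])
        rows.append({
            "local_ip": local_ip, "local_port": local_port,
            "remote_ip": remote_ip, "remote_port": remote_port,
            "state": int(fields[3], 16),
            "uid": int(fields[7]),
            "inode": int(fields[9]),
        })
    return rows


def suspicious_listeners(rows: list[dict], min_port: int = 1024) -> list[dict]:
    """LISTEN sockets owned by an app UID on a non-privileged port.

    Normal apps almost never need to accept connections; a bind to 0.0.0.0
    (rather than 127.0.0.1) is the stronger signal, because only that is
    reachable from other hosts on the same network.
    """
    return [
        r for r in rows
        if r["state"] == TCP_LISTEN
        and r["uid"] >= FIRST_APP_UID
        and r["local_port"] >= min_port
    ]


def outbound_for_uid(rows: list[dict], uid: int) -> list[dict]:
    """ESTABLISHED sockets of one app: where a NAT-friendly SDK tunnel shows up."""
    return [r for r in rows if r["state"] == TCP_ESTABLISHED and r["uid"] == uid]


def report(text: str) -> list[str]:
    """One finding line per suspicious listener, plus that app's outbound peers."""
    rows = parse_proc_net_tcp(text)
    findings = []
    for r in suspicious_listeners(rows):
        reach = "network-reachable" if r["local_ip"] == "0.0.0.0" else "loopback only"
        findings.append(f"uid {r['uid']} listens on {r['local_ip']}:{r['local_port']} ({reach})")
        for o in outbound_for_uid(rows, r["uid"]):
            findings.append(f"uid {r['uid']} also holds {o['remote_ip']}:{o['remote_port']} open")
    return findings


if __name__ == "__main__":
    for line in report(SAMPLE_PROC_NET_TCP):
        print(line)
```

Map a flagged UID back to a package with `adb shell pm list packages -U`, and repeat the parse over /proc/net/tcp6 for IPv6 sockets. A single snapshot cannot tell a long-lived tunnel from an ordinary API call, so take several snapshots over time: an app whose connection to the same peer survives for hours while the app is idle is the one to inspect.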
Security Bypass via NAT and ISP Reputation
The relayed request leaves the phone from an address that the carrier or ISP assigned to a real subscriber and, on mobile networks, from a carrier-grade NAT address shared with many other legitimate users. Detection systems therefore assume a real human is behind it, not a bot, and let the request pass; blocking the IP would also block the legitimate users behind the same NAT.
So… Is This a Botnet?
Absolutely. SDK-based residential proxies can and often do act like botnets.
The only difference between a “monetized proxy SDK” and a criminal proxy botnet is the thin veneer of “user consent,” which is typically:
Technically and operationally, they are indistinguishable from botnets.
Darknet Post Confirms the Model
In underground forums, actors are openly recruiting APK install partners to spread these SDKs. Example:
“I run a proxy and I want to add more IP proxies to my network. I have an SDK I can add into any app. If you can help get me apk installs in mass please let me know asap.”
This usually means:
Further Reading
Thanks for reading! Please feel free to suggest any change!
Cyber Security Analyst | ISO 27001 LA | GRC | SC-200 | CTI | BTJA | SC-300 in progress 🔒