Comment by r1ch

The end user typically has their device compromised by using free apps where the developers were bribed $$$ to add the proxy "SDK". The botnet operator then rents out the bandwidth at exorbitant rates to anyone who will pay for it.

Chrome extensions are also a huge source of this, they look for extensions with a large install base and then make an offer to buy it to turn all the users into proxies.