Google Shuts Down IPIDEA: Millions of Devices Hijacked for Cybercrime


Google has acted to shut down IPIDEA, a large residential proxy network exploited by cybercriminals worldwide. In this operation, the Google Threat Intelligence Group worked alongside industry partners to limit the network’s operations and malware distribution.

As part of the effort, Google disabled domains connected to IPIDEA’s proxy services, device management systems, and traffic routing infrastructure. The company also shared details about software development kits that spread the proxy tools to infected devices.

IPIDEA presented itself as a VPN, claiming it could encrypt users’ internet traffic and hide their real IP addresses. It claimed millions of users worldwide, but cybercriminals were actually using most of those devices to route traffic, not to provide real privacy.

These residential proxy networks rely on IP addresses from ordinary home or small business devices. People often install apps they believe are helpful, but the software can secretly install malware and take over the device. After that, the device may start relaying internet traffic without the owner noticing.

If someone’s device is hijacked, attackers can quietly get into their accounts. They might also look at passwords or other private information without the owner noticing. Because attackers route the traffic through machines all over the world, security teams find it much harder to track or stop their activity.

Researchers observed over 550 distinct threat groups using IPIDEA in just one week, including actors linked to China, Iran, Russia, and North Korea. These groups carried out a range of attacks, such as breaking into cloud platforms, running password attacks, managing botnets, and hiding their infrastructure.

IPIDEA’s network also supported large DDoS botnets, including Aisuru and Kimwolf. The network enrolled devices through hundreds of compromised Android apps and thousands of Windows programs. Many apps posed as system updates or cloud tools. In some cases, VPN or proxy apps secretly added devices without user consent.

The operators ran at least 19 proxy and VPN brands that appeared independent. However, all brands were connected to the same central infrastructure. Some services sold access to devices infected with malware while claiming to be legitimate. The identities of the operators remain unknown.

Google Play Protect now blocks apps containing IPIDEA-related SDKs on supported, up-to-date Android devices. This update actively protects devices and stops attackers from hijacking them again.

Researchers also discovered that IPIDEA operated with a two-level command-and-control system. The first tier handled configuration and scheduling. Meanwhile, the second tier, with roughly 7,400 servers, assigned proxy tasks and relayed traffic.

While Google’s actions have significantly disrupted IPIDEA, the company warns that operators might try to rebuild the network. No arrests or legal actions have been reported so far.

Users should remain cautious with free VPN or proxy apps, particularly those from unknown publishers or those offering payment for bandwidth. Instead, choosing reputable software sources can reduce the risk of infection and unauthorized device use.
