Google is taking down the invisible network that was secretly using your phone’s internet

What you need to know
- Google says it has disabled IPIDEA, a massive residential proxy network that has secretly turned millions of everyday devices into cybercriminal tools.
- IPIDEA hides attacks behind real home Internet connections, making malicious traffic harder to detect and block than traffic from data center-based proxies.
- About nine million Android devices have been freed from the network, and hundreds of affected apps have been removed.
Google recently took on a major problem in one of the internet’s most shadowy infrastructures: a pervasive proxy network known as IPIDEA that has quietly turned millions of smartphones, PCs, and connected devices into an army of proxies that bad actors can hire to hide and orchestrate attacks.
Residential proxy networks are not household names outside of security circles. For the uninitiated, instead of sending malicious traffic through data centers that defenders can block, attackers use real residential IPs – like your home Internet connection – to hide where the traffic is coming from. That is what IPIDEA has provided, and on a large scale.
Google’s Threat Intelligence Group (GTIG) says the IPIDEA infrastructure is embedded in hundreds of applications and SDKs – such as PacketSDK, EarnSDK, HexSDK, and CastarSDK – that developers use for monetization. Once installed, these SDKs can enroll a device in the IPIDEA proxy network without explicit disclosure to the user, turning that device into an exit node that forwards traffic on behalf of others.
Serving the most dangerous groups in the world
The result was that everyday users unknowingly became part of a network used by more than 550 tracked groups in just one week this month. These include sophisticated cybercriminals and advanced persistent threat (APT) actors linked to China, Russia, Iran, and North Korea. The network supports activities such as data mining, espionage, DDoS attacks, and masking and control activities.
This week, Google took a decisive step. The company used legal and technical measures to take down a number of IPIDEA-related domains tied to these networks and to its SDKs and proxy services. Google Play Protect has been updated to detect and remove affected Android apps. Google is also sharing information with partners such as Lumen’s Black Lotus Labs, Cloudflare, and others to help disrupt backend systems.
The results are clear. Google says the number of hijacked devices available for abuse has dropped by millions. This includes removing about nine million Android devices connected to the network and hundreds of related applications.
Not all parts of the network are gone, but the disruption makes it more difficult for the operator to increase future abuse.
Android Central Take
In my opinion, Google’s action against the IPIDEA network is a big win for everyday users. It not only prevents a major form of cyberattack but also helps restore trust in devices that have been unwittingly deployed in a global botnet. While the proxy ecosystem will continue to change, seeing a large company hold bad actors accountable gives users real protection now.


