'We believe our actions have seriously impacted one of the largest residential proxy providers': Google takes the fight to IPIDEA and removes millions of devices from criminal network
One of the largest residential proxy services takes a mega hit from Google
- Google disrupts IPIDEA, a massive residential proxy network exploiting millions of devices
- Over 550 threat groups used IPIDEA for espionage, credential theft, and botnet operations
- Legal action, domain seizures, and Play Protect updates reduced proxy device pool by millions
Google has declared it struck one of the largest residential proxy networks around today, disrupting hundreds of cybercriminal groups and possibly thousands of hacking operations.
On its blog, Google’s Threat Intelligence Group (GTIG) said it disrupted IPIDEA, a well-known residential proxy service that counts millions of Android, Windows, and other devices.
GTIG says IPIDEA relied on software development kits (SDKs), which were advertised to software developers as a way to monetize their apps. However, apps that included these SDKs actually assimilated the devices into the proxy network without the users’ knowledge or consent. Usually, residential proxy networks comprise routers, modems, DVRs, smart home devices, and different sensors. In some cases, cheap Android TVs and set-top boxes came with the malware preinstalled, which also suggests a sophisticated supply chain compromise.
Disrupting hundreds of threat actors
To disrupt IPIDEA, Google took legal action to seize domains used for command-and-control and marketing, shared technical intelligence with industry partners and law enforcement, and updated Google Play Protect to automatically remove apps containing IPIDEA SDKs.
Google says these actions reduced the available proxy device pool by millions and degraded the network’s ability to operate, though it warns the residential proxy market remains a fast-growing “gray market” that continues to enable large-scale cybercrime.
“We believe our actions have caused significant degradation of IPIDEA’s proxy network and business operations, reducing the available pool of devices for the proxy operators by millions,” Google said.
“Because proxy operators share pools of devices using reseller agreements, we believe these actions may have downstream impact across affiliated entities.”
Google linked IPIDEA to multiple well-known proxy and VPN brands, showing they all shared the same backend infrastructure. The names it mentioned include ABC Proxy, Galleon VPN, PIA S5 Proxy, Radish VPN, and Tab Proxy.
The researchers also said that in a single week, more than 550 known and tracked threat actor groups used IPIDEA, including groups with links to China, Russia, Iran, and North Korea. The proxies were allegedly used for espionage, credential attacks, botnet control, and access to compromised cloud and enterprise environments.

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.