What you need to know
Google says it has crippled IPIDEA, a massive residential proxy network that secretly turned millions of everyday devices into tools for cybercrime.
IPIDEA hid attacks behind real home internet connections, making malicious traffic harder to detect and block than data center-based proxies.
About nine million Android devices were freed, along with the removal of hundreds of compromised apps.
Google just dealt a major blow to one of the internet’s most shadowy infrastructures: a sprawling residential proxy network known as IPIDEA that quietly turned millions of smartphones, PCs, and connected devices into a proxy army bad actors could rent to hide and scale attacks.
Residential proxy networks aren’t really household names outside security circles. For the uninitiated, instead of sending bad traffic through data centers that defenders can block, attackers use real residential IPs — like your home internet connection — to hide where the traffic comes from. That’s what IPIDEA provided, and on a huge scale.
Google’s Threat Intelligence Group (GTIG) says IPIDEA’s infrastructure was embedded in hundreds of apps and SDKs — such as PacketSDK, EarnSDK, HexSDK, and CastarSDK — that developers used for monetization. Once installed, these SDKs could recruit a device into IPIDEA’s proxy pool without clear disclosure to the user, turning that device into an exit node for routing traffic on behalf of others.
Fueling the world’s most dangerous groups
The result was that everyday users unknowingly became part of a network used by more than 550 tracked threat groups in just one week this month. These included skilled cybercriminals and advanced persistent threat (APT) actors connected to China, Russia, Iran, and North Korea. The proxies supported activities like credential stuffing, espionage, DDoS attacks, and hiding command-and-control operations.
This week, Google took decisive action. The company used legal and technical steps to take down dozens of IPIDEA-related domains that ran these networks and promoted its SDKs and proxy services. Google Play Protect was updated to find and remove affected Android apps. Google also shared information with partners like Lumen’s Black Lotus Labs, Cloudflare, and others to help disrupt the backend systems.
The results are clear. Google says the number of hijacked devices available for abuse has dropped by millions. This includes removing about nine million Android devices linked to the network and hundreds of related apps.
Not every part of the network is gone, but the disruption makes it much harder for operators to expand future abuse.
Android Central’s Take
In my view, Google’s action against the IPIDEA network is a big win for everyday users. It not only blocks a major path for hidden cyberattacks but also helps restore trust in devices that were unknowingly used in a global botnet. While the proxy ecosystem will keep changing, seeing a major company hold bad actors responsible gives users real protection now.