In a major strike against the hidden infrastructure of the cybercrime ecosystem, Google Threat Intelligence Group (GTIG) and its partners have disrupted IPIDEA, a sprawling network described as “one of the largest residential proxy networks in the world”. The operation targeted a complex web of software development kits (SDKs) and trojanized applications that surreptitiously turned millions of user devices into unwitting exit nodes for bad actors.
The disruption involved a coordinated three-pronged approach: legal action to seize control domains, intelligence sharing with law enforcement, and aggressive enforcement via Google Play Protect to scrub infected apps from Android devices.
Residential proxy networks are highly prized by cybercriminals because they allow malicious traffic to appear as if it is coming from legitimate home IP addresses. IPIDEA achieved this scale not by asking for permission, but by hiding its code inside other applications.
According to the report, the network relied on SDKs offered to developers that would “surreptitiously enroll user devices into the IPIDEA network”. Once installed, these devices were managed through a global infrastructure, including servers hosted in the US, allowing the operators to “proxy traffic through them” without the owner’s knowledge.
The investigation revealed that the operators went to great lengths to distribute their malicious code. One primary vector was the distribution of “free” Virtual Private Network (VPN) services.
Google identified specific apps, including Galleon VPN (galleonvpn.com) and Radish VPN (radishvpn.com), which functioned as VPNs but had a hidden cost. “While the applications do seem to provide VPN functionality, they also join the device to the IPIDEA proxy network as an exit node… without clear disclosures to the end user”.
Beyond mobile apps, the campaign extended to the Windows ecosystem. Researchers identified 3,075 unique Windows PE file hashes linked to the network. Many of these were trojanized binaries “masquerading as OneDriveSync and Windows Update,” tricking users into installing the proxy software under the guise of essential system maintenance.
The scale of the infection within the mobile ecosystem was significant. The team identified “over 600 applications across multiple download sources” that contained code connecting to IPIDEA’s Tier One command-and-control (C2) domains.
These apps were often benign in their surface-level function—posing as utilities, games, or content viewers—but were monetized using SDKs that secretly enabled the proxy behavior.
To stop the bleeding, Google has deployed Google Play Protect to automatically warn users and remove known malicious versions of these apps. Furthermore, the legal action against the domains aims to sever the control lines that allow the network to function.
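The enrollment model described above (a device keeps a session to the network's C2 domains while relaying other people's traffic out to the internet) leaves a footprint a defender can look for in egress logs. The script below is an added illustration, not code from Google's report or from GTIG: it reads constructed per-device connection records, flags devices that both contacted a domain on a C2 watchlist and fanned traffic out to many unrelated hosts as exit-node candidates, and lists devices that contacted the watchlist without fan-out (which may indicate enrollment that has not yet been used). The watchlist domains, device names and log lines are placeholders; substitute the indicators published in the report.

```python
"""Flag devices behaving like residential-proxy exit nodes (added example).

Inputs are constructed: device id, destination host, destination port, bytes out.
The C2 watchlist below is a placeholder, not a real IPIDEA indicator list.
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Placeholder watchlist; replace with real Tier One C2 domains from the report.
C2_WATCHLIST = {"c2-placeholder.invalid", "tier1-placeholder.invalid"}

# Constructed sample log: one outbound flow per line.
SAMPLE_LOG = """\
phone-01 c2-placeholder.invalid 443 1200
phone-01 shop.example.net 443 52000
phone-01 bank.example.org 443 48000
phone-01 news.example.com 80 61000
phone-01 mail.example.io 443 30000
phone-01 cdn.example.biz 443 90000
phone-01 forum.example.co 443 15000
phone-02 news.example.com 443 8000
phone-02 mail.example.io 443 4000
phone-03 tier1-placeholder.invalid 443 900
phone-03 news.example.com 443 7000
"""


@dataclass
class Finding:
    """One device that looks like an exit node."""
    device: str
    c2_domains: set = field(default_factory=set)
    distinct_hosts: int = 0   # non-C2 external hosts contacted
    bytes_out: int = 0        # total outbound bytes, all flows


def parse_log(text):
    """Parse whitespace-separated flow records; hosts are lower-cased."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        device, host, port, nbytes = line.split()
        records.append((device, host.lower(), int(port), int(nbytes)))
    return records


def classify(records, fanout_threshold=5):
    """Return {'exit_node': [Finding...], 'c2_contact': [device...]}.

    exit_node: contacted a watchlist domain AND reached at least
               fanout_threshold distinct non-C2 hosts (relaying traffic).
    c2_contact: contacted a watchlist domain but shows no fan-out yet.
    """
    contacted = defaultdict(set)   # device -> non-C2 hosts
    c2_hits = defaultdict(set)     # device -> watchlist domains seen
    bytes_out = defaultdict(int)

    for device, host, _port, n in records:
        bytes_out[device] += n
        if host in C2_WATCHLIST:
            c2_hits[device].add(host)
        else:
            contacted[device].add(host)

    exit_nodes, c2_only = [], []
    for device in sorted(c2_hits):
        hosts = contacted.get(device, set())
        if len(hosts) >= fanout_threshold:
            exit_nodes.append(Finding(device, c2_hits[device],
                                      len(hosts), bytes_out[device]))
        else:
            c2_only.append(device)
    return {"exit_node": exit_nodes, "c2_contact": c2_only}


if __name__ == "__main__":
    result = classify(parse_log(SAMPLE_LOG))
    for f in result["exit_node"]:
        print(f"EXIT-NODE CANDIDATE {f.device}: c2={sorted(f.c2_domains)} "
              f"hosts={f.distinct_hosts} bytes_out={f.bytes_out}")
    for d in result["c2_contact"]:
        print(f"C2 CONTACT ONLY {d}")
```

The fan-out threshold is deliberately a parameter: a phone that talks to a handful of first-party services is normal, while a phone that opens sessions to dozens of unrelated destinations shortly after contacting a watchlist domain is the pattern the report attributes to enrolled devices. Tune the threshold against a baseline of your own fleet before acting on results, and treat the C2-contact-only list as a triage queue rather than a verdict.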