Google disrupts IPIDEA, one of the world’s largest residential proxy networks

By user, January 29, 2026

Google announced Wednesday that it has joined forces with other partners to disrupt IPIDEA, which the company describes as one of the world’s largest residential proxy networks.

To this end, Google said it has taken legal action to suspend dozens of domains used to control devices and proxy traffic passing through them. At the time of writing, IPIDEA’s website (‘www.ipidea.io’) is no longer accessible. IPIDEA advertised itself as “the world’s leading provider of IP proxies” with more than 6.1 million IP addresses updated every day and 69,000 new IP addresses every day.

“Residential proxy networks have become a pervasive tool for everything from high-end espionage to large-scale criminal schemes,” John Hultquist, principal analyst at Google Threat Intelligence Group (GTIG), said in a statement shared with The Hacker News.

“By routing traffic through an individual’s home Internet connection, attackers can sneak into a corporate environment while remaining hidden from view. By taking down the infrastructure used to run the IPIDEA network, we were effectively able to pull the rug out from under a global marketplace that was selling access to millions of hijacked consumer devices.”

According to Google, as of this month, IPIDEA’s proxy infrastructure has been leveraged by more than 550 separate threat groups around the world, including groups from China, North Korea, Iran, and Russia, with a variety of motivations, including cybercrime, espionage, advanced persistent threats (APTs), and information operations. These activities included gaining access to victims’ SaaS environments and on-premises infrastructure, as well as password spraying attacks.

In an analysis published earlier this month, Synthient revealed that the attackers behind the AISURU/Kimwolf botnet exploited security flaws in residential proxy services such as IPIDEA to spread malware by relaying malicious commands to vulnerable Internet of Things (IoT) devices behind firewalls in local networks.

The malware, which turns consumer devices into proxy endpoints, is secretly bundled within pre-installed apps and games on off-brand Android TV streaming boxes. This allows infected devices to relay malicious traffic and participate in distributed denial of service (DDoS) attacks.

IPIDEA also allegedly released a standalone app marketed directly to people looking to “make some easy money,” blatantly advertising that it would pay consumers to install the app and let it use their “unused bandwidth.”

Residential proxy networks provide the ability to route traffic through IP addresses owned by Internet service providers (ISPs), but they also provide a perfect hiding place for malicious attackers looking to hide the origin of their malicious activity.

“To do this, the residential proxy network operator must run code that registers the consumer device as an exit node with the network,” GTIG explained. “These devices either come preloaded with proxy software or join a proxy network when a user unknowingly downloads a Trojanized application with embedded proxy code. Some users may knowingly install this software on their devices, lured by the promise of ‘monetizing’ free bandwidth.”

The tech giant’s threat intelligence team said IPIDEA is notorious for its role in facilitating a number of botnets, including the China-based BADBOX 2.0. In July 2025, Google filed suit against 25 anonymous individuals and entities in China for allegedly operating a botnet and related residential proxy infrastructure.

It also noted that IPIDEA’s proxy applications not only route traffic through exit node devices, but also send traffic to devices with the intent to compromise them, posing significant risks to consumers whose devices may knowingly or unknowingly participate in proxy networks.

The proxy network that powers IPIDEA is not a monolithic entity. Rather, it is a collection of several well-known residential proxy brands under its management.

  • IPIDEA (ipidea[.]io)
  • 360 Proxy (360proxy[.]com)
  • 922 Proxy (922proxy[.]com)
  • ABC Proxy (abcproxy[.]com)
  • Cherry Proxy (cherryproxy[.]com)
  • Door VPN (doorvpn[.]com)
  • Galleon VPN (galleonvpn[.]com)
  • IP 2 World (ip2world[.]com)
  • Lunaproxy (lunaproxy[.]com)
  • PIA S5 Proxy (Peer Proxy[.]com)
  • PY Proxy (pyproxy[.]com)
  • Radish VPN (radishvpn[.]com)
  • Tab Proxy (tabproxy[.]com)

“The same entities that control these brands also control several domains related to software development kits (SDKs) for residential proxies,” Google said. “These SDKs are not intended to be installed or run as standalone applications, but rather to be embedded into existing applications.”

These SDKs are sold to third-party developers as a way to monetize their Android, Windows, iOS, and WebOS applications. Developers who integrate the SDK into their apps are paid by IPIDEA for each download. The apps still provide their advertised functionality, but every device that installs them also becomes a node in the proxy network. The SDKs controlled by the IPIDEA actor are:

  • Castar SDK (castarsdk[.]com)
  • Earn SDK (earnsdk[.]io)
  • Hex SDK (hexsdk[.]com)
  • Packets SDK (packetsdk[.]com)

The SDKs have significant overlap in command and control (C2) infrastructure and code structure. They follow a two-tier C2 system, where an infected device connects to a first-tier server to obtain a set of second-tier nodes to connect to. The application then starts communicating with the Tier 2 server and periodically polls it for payloads to proxy through the device. According to Google’s analysis, there are approximately 7,400 Tier 2 servers.

In addition to proxy services, the IPIDEA actors have been found to control domains that offer free virtual private network (VPN) tools. These tools are designed to join the proxy network as exit nodes and incorporate either the Hex or Packet SDK. The names of the VPN services are:

  • Galleon VPN (galleonvpn[.]com)
  • Radish VPN (radishvpn[.]com)
  • Aman VPN (obsolete)
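For defenders, the SDK and VPN domains listed above can be checked against DNS query logs to find devices that may be running embedded proxy code. The following is an added example, not code from Google or from this article; the log format, client addresses and subdomains are constructed, and the Tier 1 C2 domains themselves are not listed on this page.

```python
from collections import defaultdict

# Defanged SDK and VPN domains copied from the lists in this article.
DEFANGED = [
    "castarsdk[.]com", "earnsdk[.]io", "hexsdk[.]com", "packetsdk[.]com",
    "galleonvpn[.]com", "radishvpn[.]com",
]

def refang(indicator):
    """Normalize 'Example[.]com.' to 'example.com'."""
    return indicator.replace("[.]", ".").strip().rstrip(".").lower()

WATCHLIST = {refang(d) for d in DEFANGED}

def matched_domain(qname):
    """Return the watchlist domain that qname equals or is a subdomain of."""
    labels = refang(qname).split(".")
    # Compare whole labels only, so 'notpacketsdk.com' does not match.
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in WATCHLIST:
            return candidate
    return None

def hunt(log_lines):
    """Map client IP -> sorted list of watchlist domains it queried."""
    hits = defaultdict(set)
    for line in log_lines:
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines
        _ts, client, qname = parts
        domain = matched_domain(qname)
        if domain:
            hits[client].add(domain)
    return {client: sorted(domains) for client, domains in hits.items()}

# Constructed sample log (assumed format: timestamp client-ip query-name).
SAMPLE_LOG = [
    "2026-01-29T10:00:01Z 192.0.2.10 api.PacketSDK.com.",
    "2026-01-29T10:00:02Z 192.0.2.10 hexsdk.com",
    "2026-01-29T10:00:03Z 192.0.2.11 notpacketsdk.com",
    "2026-01-29T10:00:04Z 192.0.2.12 cdn.example.org",
    "2026-01-29T10:00:05Z 192.0.2.13 edge.node.earnsdk.io",
    "malformed line",
]

if __name__ == "__main__":
    for client, domains in hunt(SAMPLE_LOG).items():
        print(client, domains)
```

A hit identifies a device worth inspecting for apps that bundle one of these SDKs; it does not by itself show that the device is relaying traffic.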


Additionally, GTIG identified 3,075 unique Windows binaries that made requests to at least one Tier 1 domain, some of which were masquerading as OneDriveSync or Windows Update. These Trojanized Windows applications are not directly distributed by IPIDEA attackers. As many as 600 Android applications (across utilities, games, and content) from multiple download sources were flagged as containing code that connects to Tier One C2 domains using monetization SDKs that enable proxy behavior.

In a statement shared with The Wall Street Journal, a spokesperson for the Chinese company said the company is engaged in a “relatively aggressive market expansion strategy,” has “conducted promotional activities in inappropriate locations (such as hacker forums),” and is “unequivocally opposed to any form of illegal or abusive behavior.”

To combat this threat, Google said it has updated Google Play Protect to automatically warn users about apps containing IPIDEA code. For certified Android devices, the system automatically removes these malicious applications and blocks future attempts to install them.

“Proxy providers may claim notice and claim ignorance or close these security gaps, but enforcement and verification are difficult given their intentionally vague ownership structures, resale agreements, and application diversity,” Google said.

