Google and its partners were able to take down the IPIDEA proxy network, one of the largest proxy networks used to launder the origin of cyberattacks. The operation was led by the Google Threat Intelligence Group (GTIG). By quietly routing traffic through compromised Android devices and Windows PCs on the network, bad actors were able to hide where their illicit activity was coming from.
Google has reported the disruption of the IPIDEA proxy network, one of the world’s largest residential proxy networks. Residential proxy networks route Internet traffic through hijacked consumer devices, concealing the true origin of online activity. These unethical services use legitimate residential IP addresses rather than commercial servers, which makes their traffic much harder to distinguish from that of ordinary home users.
The disruption, coordinated by the Google Threat Intelligence Group (GTIG) alongside other teams, involved three primary actions: taking legal measures to shut down the domains that controlled devices and proxy traffic; sharing technical intelligence about IPIDEA SDKs and proxy software with platform providers, law enforcement, and research organisations to improve ecosystem awareness and enforcement; and reinforcing protections for Android users through Google Play Protect. These actions are expected to significantly impede IPIDEA’s operations, cutting the number of devices available for proxying by millions and possibly damaging affiliated organisations.
According to the blog post, residential proxy networks let traffic be routed through ISP-owned IP addresses, which attackers use to hide malicious activity. Such networks require control over millions of residential IP addresses, which are frequently obtained by running proxy software on consumer devices, sometimes via trojanised apps. GTIG research highlights the misuse of these proxies, particularly by bad actors linked to botnets such as BadBox 2.0 and IPIDEA, affecting organisations around the world.
The risk extends to the users whose devices serve as exit nodes: when malicious traffic is routed through them, those devices are exposed to compromise and their owners’ IP addresses become the apparent source of the abuse. GTIG’s findings show intricate linkages between proxy networks, which complicates measuring them, attributing activity, and preventing misuse.
An analysis of residential proxy networks revealed that many well-known proxy and VPN brands, such as 360 Proxy, 922 Proxy, ABC Proxy, Cherry Proxy, Door VPN, Galleon VPN, IP 2 World, Ipidea, Luna Proxy, PIA S5 Proxy, PY Proxy, Radish VPN, and Tab Proxy, are not independently operated but are controlled by the same entities behind IPIDEA. These operators also administer domains associated with Software Development Kits (SDKs) built specifically for residential proxying. The SDKs are intended to be integrated into existing applications rather than shipped as standalone apps. They are marketed as developer monetisation solutions and support Android, Windows, iOS, and WebOS. Developers who incorporate these SDKs into their apps are paid by IPIDEA on a per-download basis.
When an app embeds one of these SDKs, the device becomes an exit node for the proxy network while the app continues to provide its advertised functionality. The SDKs are critical to residential proxy networks because they supply the devices the network needs to operate. However, many proxy providers’ claims that their IP addresses are ethically sourced are frequently false; investigations found that some malicious applications did not tell users they were being enrolled in the IPIDEA proxy network. Researchers also discovered unauthorised Android devices carrying hidden residential proxy payloads. The IPIDEA network is linked to SDKs such as Castar, Earn, Hex, and Packet.
Action Taken
Google has taken substantial steps to dismantle IPIDEA’s infrastructure, including legal action against the command-and-control (C2) domains and marketing platforms used by bad actors, thereby protecting consumer devices. It applied Android platform policies to block applications that use IPIDEA SDKs and disrupted IPIDEA’s activities through partnerships with companies such as Spur, Lumen’s Black Lotus Labs, and Cloudflare. The company emphasises the growing risks in the residential proxy market, advising users to be wary of applications that promise to pay for sharing spare bandwidth, as this frequently leads to security problems. Its recommendations include installing apps only from trusted app stores and purchasing devices from recognised manufacturers. Google advocates greater accountability for proxy providers and industry collaboration in combating illicit networks, and it is disclosing indicators of compromise to aid detection efforts.