www.securityweek.com 1/5/2026, 1:20:21 PM · via preferred

Kimwolf Android Botnet Grows Through Residential Proxy Networks

THE Kimwolf Android botnet, which Synthient says has infected over 2 million devices, mainly leverages residential proxy networks and compromised Android TV boxes. It has been active since at least August 2025 and is capable of enabling DDoS attacks, app installs, and the sale of proxy bandwidth, with around 12 million unique IP addresses observed weekly.

The infections have largely occurred through an exposed Android Debug Bridge service, and pre-infected devices were found in instances where malware was already embedded before sale. The botnet has been linked to proxy networks offered by China-based IPIDEA, and IPIDEA reportedly deployed a patch in late December to block access to numerous exposed ports, including sending 11 vulnerability emails on December 17 to top proxy providers.

In addition to DDoS traffic of around 30Tbps, Kimwolf operators monetise via selling residential proxies for as low as 0.20 cents per Gb; Brian Krebs highlights that many infections target unofficial Android TV boxes with insecure components. According to Synthient, the broader threat landscape around Kimwolf remains precarious.

View full article

Article by CyberSIXT

Timeline Coverage

Swipe to explore timeline