According to Google, IPIDEA was one of the largest residential proxy networks, enrolling users’ devices via SDKs and proxy software embedded in mobile and desktop apps. The takedown involved legal action against control and proxy domains and sharing intelligence on the SDKs and proxy software used, with Google noting that the disruption reduced the available pool of devices for the proxy operators by millions and caused significant degradation of IPIDEA’s network and operations.
The threat actors behind IPIDEA were said to control over a dozen independent proxy and VPN brands and related SDK domains; the SDKs were marketed to developers as a monetisation option and turned users’ devices into exit nodes, often without their knowledge. IPIDEA allegedly used the Castar SDK, Earn SDK, Hex SDK and Packet SDK with a two-tier infrastructure of about 7,400 tier-two nodes, plus VPN apps such as Galleon VPN, Radish VPN and Aman VPN.
Google identified 3,075 unique Windows PE file hashes and more than 600 Android apps connecting to tier-one domains, and worked with partners to take down C&C domains and update Google Play Protect policies to remove apps carrying IPIDEA SDKs.