securityonline.info 1/31/2026, 9:30:27 AM · via preferred

VPNs & Fake Updates: Google Dismantles Massive IPIDEA Proxy Network


Google Threat Intelligence Group (GTIG) and its partners have dismantled IPIDEA, described as one of the largest residential proxy networks, targeting a complex web of SDKs and trojanised apps that covertly turned millions of devices into exit nodes for bad actors. The disruption involved a three-pronged approach: seizing control of domains through legal action, sharing intelligence with law enforcement, and using Google Play Protect to scrub infected apps from Android devices.

The investigation found that IPIDEA relied on developer SDKs that secretly enrolled devices into the network, with servers hosted in the US enabling proxy traffic to be routed without the owners’ knowledge. It identified VPN-type apps such as Galleon VPN and Radish VPN that appeared to provide legitimate functionality but joined devices to the IPIDEA network as exit nodes.

In the mobile ecosystem, more than 600 applications across multiple download sources contained code connecting to IPIDEA’s command-and-control domains, while around 3,075 Windows PE file hashes included trojanised binaries masquerading as OneDriveSync and Windows Update.
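The article notes that the Windows side of the operation relied on trojanised binaries posing as OneDriveSync and Windows Update. As an added defender-side example (not code from the article, from Google or from GTIG), the following Python checks a binary inventory for that kind of masquerading: a file carrying a tracked system-component name that sits outside the directory where a genuine copy would live, or that is not signed by the expected publisher. The name-to-directory map, the signer check and the inventory records are constructed assumptions for illustration, not indicators from the investigation.

```python
"""Flag Windows binaries that imitate system components by name but live in
unexpected locations or lack the expected publisher.

Added example; the component names, expected directories and inventory
records below are assumptions constructed for illustration."""
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import List, Optional

# Assumed mapping: lowercase file name -> directory patterns where a genuine
# copy would be expected. "*" matches exactly one path segment (e.g. the user
# name under C:\Users). An empty list means no legitimate stand-alone binary
# of that name is expected anywhere.
EXPECTED_DIRS = {
    "onedrivesync.exe": [
        ("c:", "program files", "microsoft onedrive"),
        ("c:", "users", "*", "appdata", "local", "microsoft", "onedrive"),
    ],
    "wuauclt.exe": [("c:", "windows", "system32")],
    "windowsupdate.exe": [],
}

# Assumed: substring expected in the Authenticode signer subject. A real check
# would validate the signature chain, not just compare the subject string.
EXPECTED_PUBLISHER = "microsoft"


@dataclass
class BinaryRecord:
    path: str
    signer: Optional[str]  # signer subject, or None if unsigned


def _dir_matches(parts, pattern) -> bool:
    """Segment-by-segment match of a directory against a pattern with '*'."""
    if len(parts) != len(pattern):
        return False
    return all(p == "*" or p == q for p, q in zip(pattern, parts))


def assess(record: BinaryRecord) -> Optional[List[str]]:
    """Return a list of findings for a tracked name (empty if it looks
    genuine), or None if the file name is not one we track."""
    path = PureWindowsPath(record.path)
    name = path.name.lower()
    if name not in EXPECTED_DIRS:
        return None
    # Normalise directory segments: lowercase, drop the trailing "\" on "C:\".
    dir_parts = tuple(s.lower().rstrip("\\") for s in path.parent.parts)
    findings = []
    if not any(_dir_matches(dir_parts, pat) for pat in EXPECTED_DIRS[name]):
        findings.append("unexpected location")
    if record.signer is None or EXPECTED_PUBLISHER not in record.signer.lower():
        findings.append("not signed by the expected publisher")
    return findings


def scan(records: List[BinaryRecord]) -> dict:
    """Map each suspicious path to its findings; clean and untracked files
    are omitted."""
    result = {}
    for rec in records:
        findings = assess(rec)
        if findings:
            result[rec.path] = findings
    return result


# Constructed sample inventory, not real telemetry.
SAMPLE_INVENTORY = [
    BinaryRecord(r"C:\Windows\System32\wuauclt.exe", "Microsoft Windows"),
    BinaryRecord(r"C:\Program Files\Microsoft OneDrive\OneDriveSync.exe",
                 "Microsoft Corporation"),
    BinaryRecord(r"C:\Users\alice\AppData\Roaming\OneDriveSync.exe", None),
    BinaryRecord(r"C:\ProgramData\WindowsUpdate.exe", None),
    BinaryRecord(r"C:\Program Files\Example\example.exe", "Example Ltd"),
]

if __name__ == "__main__":
    for path, findings in scan(SAMPLE_INVENTORY).items():
        print(f"{path}: {', '.join(findings)}")
```

The two checks are deliberately independent: a copy in the right directory but without a valid publisher, or a validly signed copy in an odd location, each deserves a look on its own, so the findings list reports both reasons rather than collapsing them into one verdict.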


Article by CyberSIXT