Kimwolf botnet infects more than 2 million devices by tunneling through residential proxy networks

A technical analysis by Synthient said the Kimwolf botnet has infected more than 2 million devices worldwide and spreads by tunneling back through residential proxy services into local networks.

KEY FACTS

  • Incident: A new Android-based botnet called Kimwolf has expanded rapidly since October 2025
  • Scale: More than 2 million devices were observed relaying traffic and participating in DDoS and ad fraud
  • Vector: Abuse of residential proxy endpoints and factory-insecure Android TV boxes and digital picture frames
  • Mitigation: The main proxy pool identified was restricted and certain endpoints were blocked

Kimwolf grows by routing commands through commercial residential proxy services into the internal networks of proxy endpoints. The malware can then scan the local area network and drop payloads on devices that expose administrative interfaces.

Many infected endpoints are inexpensive Android TV boxes and digital picture frames that ship with proxy software preinstalled or depend on unofficial app stores. A common factory configuration on those boxes leaves Android Debug Bridge (ADB) running over TCP (port 5555 by default) with no key authentication, so anyone who can reach the port gets a shell and can install packages without any user interaction.

Exploited proxy addresses were heavily concentrated in a China-based provider called IPIDEA. Its pool was the one used to rebuild large portions of the botnet in short order; the provider later applied blocks that restricted forwarding to internal (private) address ranges and to high-risk ports.

Kimwolf operators convert compromised devices into proxy nodes and monetize the network through app installs, resale of proxy bandwidth and by selling DDoS services. Detection is difficult because infected devices are distributed across residential networks and often go offline on different schedules.

WHY IT MATTERS

The combination of widely available residential proxy services and insecure consumer devices means a compromised mobile device or rogue TV box can expose an entire home network to remote attack. Consumers should avoid unbranded streaming boxes and isolate untrusted devices such as TV boxes and picture frames on a separate Wi-Fi network to reduce risk.