Google disrupts IPIDEA residential proxy network linked to malware

In a technical analysis published this week, Google Threat Intelligence Group said it disrupted IPIDEA, taking down the domains used to manage infected devices and route proxy traffic. The takedown affects services the operators had promoted to 6.7 million users.

KEY FACTS

  • Incident: Disruption of the IPIDEA residential proxy network
  • Users affected: Operators promoted the network to 6.7 million users
  • Scale: Two-tier C2 with roughly 7,400 second-tier servers
  • Infection methods: At least 600 trojanized Android apps and over 3,000 trojanized Windows binaries

Residential proxy networks route customers' traffic through ordinary consumer devices that the operators have compromised, typically via trojanized apps and software posing as utilities. IPIDEA promoted VPN and proxy apps that silently turned the devices running them into proxy exit nodes, without the owners' consent.

More than 550 distinct threat groups used IPIDEA exit nodes in a single week, including actors from China, Iran, Russia and North Korea. Activity tied to the network included access to victims' SaaS platforms, password spraying, botnet command and control, and infrastructure obfuscation.
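Password spraying through a residential proxy pool is hard to catch with the usual per-IP lockout because each exit node contributes only one or two failures. The following is an added example, not code from Google's report or from the IPIDEA analysis: it runs two detectors over a constructed login log (assumed format `timestamp FAIL|OK user=… src=…`, with addresses from documentation ranges) and shows that a per-IP threshold only catches the single-source brute force, while an account-centric window detector flags the distributed spray. Thresholds, field names and the window size are assumptions chosen for the sample.

```python
"""Contrast per-IP lockout with account-centric spray detection.

Added example: the log format, thresholds and sample lines below are
constructed assumptions, not data from the IPIDEA report.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed sample log (hypothetical SaaS login events).
# Lines 1-12: one spray round, each failure from a different exit node.
# Lines 13-17: a classic brute force against one account from one IP.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z FAIL user=alice src=203.0.113.10
2024-05-01T10:00:03Z FAIL user=bob src=198.51.100.22
2024-05-01T10:00:05Z FAIL user=carol src=192.0.2.77
2024-05-01T10:00:07Z FAIL user=dave src=203.0.113.11
2024-05-01T10:00:09Z FAIL user=erin src=198.51.100.23
2024-05-01T10:00:11Z FAIL user=frank src=192.0.2.78
2024-05-01T10:00:13Z FAIL user=grace src=203.0.113.12
2024-05-01T10:00:15Z FAIL user=heidi src=198.51.100.24
2024-05-01T10:00:17Z FAIL user=ivan src=192.0.2.79
2024-05-01T10:00:19Z FAIL user=judy src=203.0.113.13
2024-05-01T10:00:21Z FAIL user=alice src=198.51.100.25
2024-05-01T10:00:23Z FAIL user=bob src=192.0.2.80
2024-05-01T10:30:00Z FAIL user=mallory src=203.0.113.99
2024-05-01T10:30:05Z FAIL user=mallory src=203.0.113.99
2024-05-01T10:30:10Z FAIL user=mallory src=203.0.113.99
2024-05-01T10:30:15Z FAIL user=mallory src=203.0.113.99
2024-05-01T10:30:20Z FAIL user=mallory src=203.0.113.99
2024-05-01T11:00:00Z OK user=alice src=203.0.113.10
"""

LINE_RE = re.compile(r"^(\S+) (FAIL|OK) user=(\S+) src=(\S+)$")


def parse_log(text):
    """Return a list of (timestamp, outcome, user, source_ip) tuples."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not match the assumed format
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m.group(2), m.group(3), m.group(4)))
    return events


def per_ip_alerts(events, threshold=5):
    """Classic lockout logic: flag any source IP with >= threshold failures."""
    counts = defaultdict(int)
    for _, outcome, _, src in events:
        if outcome == "FAIL":
            counts[src] += 1
    return sorted((ip, n) for ip, n in counts.items() if n >= threshold)


def spray_alerts(events, window=timedelta(minutes=10), min_users=8, max_per_ip=2):
    """Account-centric logic: within a time window, many distinct accounts
    fail while no single source IP exceeds max_per_ip failures. That shape
    (wide, shallow, many sources) is what a proxied spray looks like."""
    fails = sorted(e for e in events if e[1] == "FAIL")
    alerts = []
    i = 0
    while i < len(fails):
        j = i
        while j + 1 < len(fails) and fails[j + 1][0] - fails[i][0] <= window:
            j += 1
        chunk = fails[i:j + 1]
        users = {e[2] for e in chunk}
        per_ip = defaultdict(int)
        for e in chunk:
            per_ip[e[3]] += 1
        if len(users) >= min_users and max(per_ip.values()) <= max_per_ip:
            alerts.append({"start": chunk[0][0], "end": chunk[-1][0],
                           "accounts": len(users), "sources": len(per_ip)})
            i = j + 1  # consume the whole window so it is reported once
        else:
            i += 1
    return alerts


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    print("per-IP lockouts:", per_ip_alerts(evts))
    for a in spray_alerts(evts):
        print("spray: %d accounts from %d sources between %s and %s"
              % (a["accounts"], a["sources"], a["start"], a["end"]))
```

On the sample, the per-IP rule fires only for the single brute-force source, while the window detector reports the 10-account, 12-source spray that the lockout rule misses. In production the same idea is usually extended with ASN or residential-range enrichment on the source addresses, since a burst of failures spread across many consumer ISP ranges is itself a strong signal.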

The network enrolled devices using at least 600 trojanized Android apps that embedded SDKs named Packet SDK, Castar SDK, Hex SDK and Earn SDK, and more than 3,000 trojanized Windows binaries posing as OneDriveSync or Windows Update. The operators ran at least 19 residential proxy businesses that sold access to the compromised devices.

On up-to-date, Play Protect certified Android devices, Play Protect now automatically detects and blocks applications that include the IPIDEA-related SDKs. No arrests or indictments have been announced, and the actor may attempt to rebuild its infrastructure.

WHY IT MATTERS

Residential proxy networks let attackers mask the origin of malicious traffic and complicate defensive measures, enabling account takeovers and data theft. Users should be wary of free VPNs and of apps from non-reputable publishers that offer payment in exchange for bandwidth.