Google's Threat Intelligence Group, in collaboration with industry partners, has disrupted the infrastructure of IPIDEA, one of the world's largest malware-fed residential proxy networks. The operation took down domains tied to IPIDEA's customer-facing services and to its proxy routing, and shared intelligence on the malicious software development kits (SDKs) used to infect devices. IPIDEA marketed itself as a legitimate VPN service while silently turning compromised devices into proxy exit nodes without their owners' consent.
The network was populated by over 600 trojanized Android apps and more than 3,000 malicious Windows binaries posing as legitimate tools such as OneDriveSync. These apps embedded proxy SDKs that enrolled infected devices into a global pool, which was then used by at least 550 distinct threat groups, including state-sponsored actors from China, Iran, Russia, and North Korea. The proxy network facilitated a range of malicious activity, including credential theft, brute-force attacks, and large-scale DDoS campaigns carried out through botnets such as Aisuru and Kimwolf.
Despite operating under multiple brand names, all of the services were centrally controlled by the still-unidentified IPIDEA operators. Google Play Protect now automatically blocks applications containing the identified SDKs on Android devices with up-to-date protections. While the disruption significantly degrades the network, the operators may attempt to rebuild, and no arrests have been announced. Users are advised to be wary of free VPN or proxy apps, especially those that pay users for sharing their bandwidth, as they may conceal similar proxyware.
