
Google recently dealt a severe blow to IPIDEA, a vast residential proxy network that covertly transformed millions of cell phones, PCs, and other connected devices into a proxy army that malicious actors could rent to conceal and scale attacks.
The network operated as an “Airbnb” for internet connections: hidden code inserted into free programs and games enrolled devices, and hackers could then rent your IP address to conceal their own actions.
Outside of security circles, residential proxy networks aren’t particularly well-known. For the uninitiated, attackers utilise real residential IPs, such as your home internet connection, to conceal the source of malicious activity rather than passing it through data centres that defenders may block. That’s what IPIDEA offered, and on a massive scale.
According to Google’s Threat Intelligence Group (GTIG), hundreds of apps and SDKs that developers utilised for monetisation, including PacketSDK, EarnSDK, HexSDK, and CastarSDK, used IPIDEA’s infrastructure. Once installed, these SDKs can enlist a device into IPIDEA’s proxy pool without disclosing this to the user, allowing the device to become an exit node that routes traffic on behalf of other users.
As a result, in only one week this month, regular users unintentionally joined a network that was utilised by over 550 tracked threat organisations. These included highly experienced cybercriminals and advanced persistent threat (APT) actors associated with North Korea, China, Russia, and Iran. The proxies made credential stuffing, espionage, DDoS attacks, and the concealment of command-and-control operations possible.
Google acted decisively this week. Using legal and technical measures, the company took down numerous IPIDEA-related domains that operated these networks and advertised its SDKs and proxy services. Google Play Protect was updated to identify and remove impacted Android apps. To interfere with the backend systems, Google also shared information with partners including Cloudflare and Lumen’s Black Lotus Labs.
The outcomes are evident. According to Google, there are now millions fewer hacked devices available for misuse. This entails removing hundreds of related apps and taking over nine million Android smartphones out of the network.
Although not all of the network is gone, the disruption makes it much more difficult for operators to extend misuse in the future.
Google’s action against the IPIDEA network is a significant victory for regular consumers: in addition to blocking a significant route for covert cyberattacks, the moves help rebuild trust in devices that were unintentionally utilised in a global botnet. Although the proxy ecosystem will continue to evolve, users are finally truly protected when a major corporation holds rogue actors accountable.
To stay safe, use Play Protect to run a manual scan of your device: open the Google Play Store, press your profile symbol, and choose Play Protect.
Also review app permissions, remove any apps you don’t use or don’t recognise, and be cautious of free apps that ask for too many permissions.
Track performance as well: your device may be being used as a proxy if you notice abrupt increases in data usage or battery drain.







