This week Google said it disrupted IPIDEA, a sprawling residential proxy network that covertly enlisted everyday devices worldwide. Security teams traced the infrastructure to hundreds of apps and SDKs that turned phones, PCs and other connected kit into exit nodes without clear user consent. Google combined legal measures, domain seizures and Play Protect scans to remove affected apps and services, and reports that about nine million Android devices were removed from the pool. The action aims to blunt ongoing abuse by hundreds of tracked threat groups for credential stuffing, espionage and DDoS campaigns.
Key Takeaways
- IPIDEA operated as a large residential proxy service embedded in dozens of apps and SDKs, enabling attackers to route traffic through real home internet connections.
- Google reports removing roughly nine million Android devices from the network and taking down hundreds of compromised apps via Google Play Protect.
- Security telemetry linked IPIDEA to activity by more than 550 distinct threat groups during a single week of monitoring in January 2026.
- SDKs identified by Google include PacketSDK, EarnSDK, HexSDK and CastarSDK, monetization libraries that also performed covert proxying.
- Google used legal and technical steps plus partner sharing (e.g., Lumen/Black Lotus Labs and Cloudflare) to seize domains and disrupt backend systems supporting the service.
- The disruption cut immediate abuse capacity and makes future expansion harder, but operators retain some infrastructure, so a rebuild is not impossible.
Background
Residential proxy services route traffic through consumer internet connections rather than data-center IP ranges, making malicious traffic resemble legitimate home user activity and harder for defenders to block. Commercialized residential proxy infrastructures have existed for years, marketed to customers who need geographically varied exit points or to bad actors who want to evade IP-based defenses. Historically, defenders have relied on a mix of takedowns, filtering and device remediation to reduce the scale of such services.
IPIDEA differed in scope and concealment: Google’s Threat Intelligence Group found the service embedded inside monetization SDKs and third-party libraries that app developers integrated without making the proxy behavior transparent to end users. That distribution model allowed the network to scale quickly across consumer devices, including Android phones, Windows PCs and other internet-connected hardware. The pandemic-era rise in mobile app monetization and third-party SDK usage contributed to the attack surface IPIDEA exploited.
Main Event
Google’s Threat Intelligence Group (GTIG) says it identified dozens of domains linked to IPIDEA and coordinated legal and technical actions to neutralize them. The company pushed Play Protect updates to detect and remove apps containing the offending SDKs and notified partners to help interrupt the service’s command-and-control and billing systems. The takedown targeted both front-end promotion domains and back-end controllers that orchestrated proxy routing.
GTIG’s analysis found hundreds of apps and SDK instances acting as recruitment vectors. Once a device ran an affected app, the SDK could register the device as an exit node that forwarded traffic for paying customers of IPIDEA, effectively turning consumer connections into rented proxies. Operators reportedly advertised these residential IP pools to customers seeking harder-to-block infrastructure for a variety of misuse cases.
Google says the immediate technical result was a sharp decrease in available hijacked endpoints, including the removal of about nine million Android devices associated with the network. The company also named several SDKs — PacketSDK, EarnSDK, HexSDK and CastarSDK — that were commonly observed in infected apps. While Google emphasized disruption, it acknowledged that not every component of the ecosystem was eliminated and that remediation will be ongoing.
Analysis & Implications
Operationally, residential proxies like IPIDEA raise the cost and complexity of detection for defenders. Traffic emerging from consumer-grade IPs blends into normal user patterns, defeating many blocklists and automated defenses tuned to data-center ranges. By embedding recruitment in widely distributed SDKs, operators exploited common supply-chain trust assumptions between app developers and third-party library vendors.
The apparent scale — millions of devices and hundreds of apps — underscores how mobile app ecosystems can amplify threats when monetization libraries are insufficiently vetted. For developers, this incident reinforces the business and security risk of including opaque third-party SDKs: a single library can expose an app’s user base to large-scale abuse and remediation actions that may hurt app reputation and availability.
For defenders and policy makers, the takedown demonstrates the effectiveness of combining legal measures, platform controls and industry information-sharing. Google’s use of Play Protect and coordinated partner disclosures (to entities such as Lumen/Black Lotus Labs and Cloudflare) made immediate disruption possible. However, the persistence of remaining infrastructure indicates that full eradication will likely require continued monitoring, additional legal actions and improved SDK vetting practices across the ecosystem.
Comparison & Data
| Metric | Reported Value |
|---|---|
| Android devices removed | ~9,000,000 |
| Threat groups observed using IPIDEA (one week) | 550+ |
| Compromised SDKs cited | PacketSDK, EarnSDK, HexSDK, CastarSDK |
| Apps and domains taken down | Hundreds of apps; dozens of domains |
The table summarizes Google’s public counts reported during the takedown. The nine million figure refers specifically to Android endpoints GTIG identified and removed from the proxy pool; additional non-Android devices were also reported as affected but were not quantified in Google’s initial summary. The 550+ threat-group count reflects one week of observed abuse and illustrates how quickly operators can monetize access to residential exit nodes.
Reactions & Quotes
Security teams and platform operators emphasized the importance of cross-industry cooperation to disrupt such services. Below are representative statements and their context.
"We saw IPIDEA routing abuse for hundreds of threat clusters in a single week; removing domains and apps sharply reduced available capacity."
Google Threat Intelligence Group (official summary)
Google’s GTIG framed the action as both technical disruption and a deterrent, noting that domain seizures and Play Protect removals immediately constrained the operators’ ability to scale. The statement also reiterated Google’s intent to share indicators with partners to aid wider remediation.
"Collaborative sharing of indicators of compromise helped us block and sinkhole traffic tied to the service quickly."
Lumen / Black Lotus Labs (security partner)
Partners who received telemetry from Google reported using those indicators to adjust defenses and notify affected networks. Industry responders highlighted that shared telemetry allowed faster network-level blocks and customer notifications.
Unconfirmed
- Attribution of specific state sponsorship for all observed APT activity has not been made fully public; some links to state-associated groups have been reported but not universally confirmed.
- The exact total of non-Android devices enrolled in IPIDEA’s proxy pool has not been published and may change as further telemetry arrives.
- Some backend components may still be operational under alternate domains; Google reported disruption but acknowledged not every element was eliminated.
Bottom Line
Google’s takedown of IPIDEA removed a major, commercially run residential proxy network from active operation and curtailed immediate misuse of roughly nine million Android devices. The coordinated use of platform controls, legal actions and partner sharing demonstrates an effective playbook for interrupting large-scale abuse that leverages consumer connections.
Yet the episode also highlights persistent gaps: opaque SDK supply chains, limited visibility into cross-platform recruits, and the ease with which operators can reconstitute infrastructure. Long-term risk reduction will require stronger vetting of third-party libraries, ongoing telemetry sharing among defenders, and sustained legal pressure on operators and facilitators.
Sources
- Android Central (news outlet) — original reporting summarizing Google’s disruption of IPIDEA