{"id":17227,"date":"2026-01-31T16:06:01","date_gmt":"2026-01-31T16:06:01","guid":{"rendered":"https:\/\/readtrends.com\/en\/google-takes-down-ipidea-proxy\/"},"modified":"2026-01-31T16:06:01","modified_gmt":"2026-01-31T16:06:01","slug":"google-takes-down-ipidea-proxy","status":"publish","type":"post","link":"https:\/\/readtrends.com\/en\/google-takes-down-ipidea-proxy\/","title":{"rendered":"Google dismantles IPIDEA proxy network that hijacked millions of devices"},"content":{"rendered":"<article>\n<p>This week Google said it disrupted IPIDEA, a sprawling residential proxy network that covertly enlisted everyday devices worldwide. Security teams traced the infrastructure to hundreds of apps and SDKs that turned phones, PCs and other connected kit into exit nodes without clear user consent. Google combined legal measures, domain seizures and Play Protect scans to remove affected apps and services, and reports a reduction of about nine million Android devices from the pool. The action aims to blunt ongoing abuse used by hundreds of tracked threat groups for credential stuffing, espionage and DDoS campaigns.<\/p>\n<h2>Key Takeaways<\/h2>\n<ul>\n<li>IPIDEA operated as a large residential proxy service embedded in dozens of apps and SDKs, enabling attackers to route traffic through real home internet connections.<\/li>\n<li>Google reports removing roughly nine million Android devices from the network and taking down hundreds of compromised apps via Google Play Protect.<\/li>\n<li>Security telemetry linked IPIDEA to activity by more than 550 distinct threat groups during a single week of monitoring in January 2026.<\/li>\n<li>Compromised SDKs identified by Google include PacketSDK, EarnSDK, HexSDK and CastarSDK, which were used for monetization and covert proxying.<\/li>\n<li>Google used legal and technical steps plus partner sharing (e.g., Lumen\/Black Lotus Labs and Cloudflare) to seize domains and disrupt backend systems supporting the service.<\/li>\n<li>The 
disruption reduced immediate abuse capacity, but operators retain some infrastructure, so future expansion is harder but not impossible.<\/li>\n<\/ul>\n<h2>Background<\/h2>\n<p>Residential proxy services route traffic through consumer internet connections rather than data-center IP ranges, so that malicious traffic resembles legitimate home-user activity and is harder for defenders to block. Commercialized residential proxy infrastructures have existed for years, marketed to customers who need geographically varied exit points or to bad actors who want to evade IP-based defenses. Historically, defenders have relied on a mix of takedowns, filtering and device remediation to reduce the scale of such services.<\/p>\n<p>IPIDEA differed in scope and concealment: Google\u2019s Threat Intelligence Group found the service embedded inside monetization SDKs and third-party libraries that app developers integrated without making the proxy behavior transparent to end users. That distribution model allowed the network to scale quickly across consumer devices, including Android phones, Windows PCs and other internet-connected hardware. The pandemic-era rise in mobile app monetization and third-party SDK usage contributed to the attack surface IPIDEA exploited.<\/p>\n<h2>Main Event<\/h2>\n<p>Google\u2019s Threat Intelligence Group (GTIG) says it identified dozens of domains linked to IPIDEA and coordinated legal and technical actions to neutralize them. The company pushed Play Protect updates to detect and remove apps containing the offending SDKs and notified partners to help interrupt the service\u2019s command-and-control and billing systems. The takedown targeted both front-end promotion domains and back-end controllers that orchestrated proxy routing.<\/p>\n<p>GTIG\u2019s analysis found hundreds of apps and SDK instances acting as recruitment vectors. 
Once a device ran an affected app, the SDK could register the device as an exit node that forwarded traffic for paying customers of IPIDEA, effectively turning consumer connections into rented proxies. Operators reportedly advertised these residential IP pools to customers seeking harder-to-block infrastructure for a variety of misuse cases.<\/p>\n<p>Google says the immediate technical result was a sharp decrease in available hijacked endpoints, including the removal of about nine million Android devices associated with the network. The company also named several SDKs \u2014 PacketSDK, EarnSDK, HexSDK and CastarSDK \u2014 that were commonly observed in infected apps. While Google emphasized disruption, it acknowledged that not every component of the ecosystem was eliminated and that remediation will be ongoing.<\/p>\n<h2>Analysis &#038; Implications<\/h2>\n<p>Operationally, residential proxies like IPIDEA raise the cost and complexity of detection for defenders. Traffic emerging from consumer-grade IPs blends into normal user patterns, defeating many blocklists and automated defenses tuned to data-center ranges. By embedding recruitment in widely distributed SDKs, operators exploited common supply-chain trust assumptions between app developers and third-party library vendors.<\/p>\n<p>The apparent scale \u2014 millions of devices and hundreds of apps \u2014 underscores how mobile app ecosystems can amplify threats when monetization libraries are insufficiently vetted. For developers, this incident reinforces the business and security risk of including opaque third-party SDKs: a single library can expose an app\u2019s user base to large-scale abuse and remediation actions that may hurt app reputation and availability.<\/p>\n<p>For defenders and policy makers, the takedown demonstrates the effectiveness of combining legal measures, platform controls and industry information-sharing. 
Google\u2019s use of Play Protect and coordinated partner disclosures (to entities such as Lumen\/Black Lotus Labs and Cloudflare) made immediate disruption possible. However, the persistence of remaining infrastructure indicates that full eradication will likely require continued monitoring, additional legal actions and improved SDK vetting practices across the ecosystem.<\/p>\n<h2>Comparison &#038; Data<\/h2>\n<figure>\n<table>\n<thead>\n<tr>\n<th>Metric<\/th>\n<th>Reported Value<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td>Android devices removed<\/td>\n<td>~9,000,000<\/td>\n<\/tr>\n<tr>\n<td>Threat groups observed using IPIDEA (one week)<\/td>\n<td>550+<\/td>\n<\/tr>\n<tr>\n<td>Compromised SDKs cited<\/td>\n<td>PacketSDK, EarnSDK, HexSDK, CastarSDK<\/td>\n<\/tr>\n<tr>\n<td>Apps and domains taken down<\/td>\n<td>Hundreds of apps; dozens of domains<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/figure>\n<p>The table summarizes Google&#8217;s public counts reported during the takedown. The nine million figure refers specifically to Android endpoints GTIG identified and removed from the proxy pool; additional non-Android devices were also reported as affected but were not quantified in Google\u2019s initial summary. The 550+ threat-group count reflects one week of observed abuse and illustrates how quickly operators can monetize access to residential exit nodes.<\/p>\n<h2>Reactions &#038; Quotes<\/h2>\n<p>Security teams and platform operators emphasized the importance of cross-industry cooperation to disrupt such services. 
Below are representative statements and their context.<\/p>\n<blockquote>\n<p>We saw IPIDEA routing abuse for hundreds of threat clusters in a single week; removing domains and apps sharply reduced available capacity.<\/p>\n<p><cite>Google Threat Intelligence Group (official summary)<\/cite><\/p><\/blockquote>\n<p>Google\u2019s GTIG framed the action as both technical disruption and a deterrent, noting that domain seizures and Play Protect removals immediately constrained operator ability to scale. The statement also reiterated Google\u2019s intent to share indicators with partners to aid wider remediation.<\/p>\n<blockquote>\n<p>Collaborative sharing of indicators of compromise helped us block and sinkhole traffic tied to the service quickly.<\/p>\n<p><cite>Lumen \/ Black Lotus Labs (security partner)<\/cite><\/p><\/blockquote>\n<p>Partners who received telemetry from Google reported using those indicators to adjust defenses and notify affected networks. Industry responders highlighted that shared telemetry allowed faster network-level blocks and customer notifications.<\/p>\n<aside>\n<details>\n<summary>Explainer: What is a residential proxy and why it matters<\/summary>\n<p>Residential proxies route internet requests through consumer-grade IP addresses assigned by ISPs to households and small offices. Unlike data-center proxies, residential IPs are less likely to be on blocklists and therefore can evade simple IP-based defenses. Operators monetize access to such IPs by recruiting devices as exit nodes \u2014 sometimes through explicit consent, other times via hidden functionality in apps or SDKs. The presence of residential proxies complicates attribution, increases fraud and enables stealthier command-and-control and credential abuse campaigns. 
Stronger supply-chain hygiene for SDKs and platform-level scanning are core defenses against this abuse model.<\/p>\n<\/details>\n<\/aside>\n<h2>Unconfirmed<\/h2>\n<ul>\n<li>Attribution of specific state sponsorship for all observed APT activity has not been made fully public; some links to state-associated groups have been reported but not universally confirmed.<\/li>\n<li>The exact total of non-Android devices enrolled in IPIDEA\u2019s proxy pool has not been published and may change as further telemetry arrives.<\/li>\n<li>Some backend components may still be operational under alternate domains; Google reported disruption but acknowledged not every element was eliminated.<\/li>\n<\/ul>\n<h2>Bottom Line<\/h2>\n<p>Google\u2019s takedown of IPIDEA removed a major, commercially run residential proxy network from active operation and curtailed immediate misuse of roughly nine million Android devices. The coordinated use of platform controls, legal actions and partner sharing demonstrates an effective playbook for interrupting large-scale abuse that leverages consumer connections.<\/p>\n<p>Yet the episode also highlights persistent gaps: opaque SDK supply chains, limited visibility into cross-platform recruits, and the ease with which operators can reconstitute infrastructure. 
Long-term risk reduction will require stronger vetting of third-party libraries, ongoing telemetry sharing among defenders, and sustained legal pressure on operators and facilitators.<\/p>\n<h2>Sources<\/h2>\n<ul>\n<li><a href=\"https:\/\/www.androidcentral.com\/apps-software\/google-takes-down-an-invisible-network-that-was-secretly-using-your-phones-internet\" target=\"_blank\" rel=\"noopener\">Android Central<\/a> (news outlet) \u2014 original reporting summarizing Google\u2019s disruption of IPIDEA<\/li>\n<\/ul>\n<\/article>\n","protected":false},"excerpt":{"rendered":"<p>This week Google said it disrupted IPIDEA, a sprawling residential proxy network that covertly enlisted everyday devices worldwide. Security teams traced the infrastructure to hundreds of apps and SDKs that turned phones, PCs and other connected kit into exit nodes without clear user consent. Google combined legal measures, domain seizures and Play Protect scans to &#8230; <a title=\"Google dismantles IPIDEA proxy network that hijacked millions of devices\" class=\"read-more\" href=\"https:\/\/readtrends.com\/en\/google-takes-down-ipidea-proxy\/\" aria-label=\"Read more about Google dismantles IPIDEA proxy network that hijacked millions of devices\">Read more<\/a><\/p>\n","protected":false},"author":1,"featured_media":17225,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"rank_math_title":"Google dismantles IPIDEA proxy network | TechSight","rank_math_description":"Google disrupted IPIDEA, a large residential proxy network that secretly enrolled millions of devices. 
About 9M Android devices were removed and hundreds of apps pulled.","rank_math_focus_keyword":"IPIDEA,residential proxy,Android,Google,PacketSDK","footnotes":""},"categories":[2],"tags":[],"class_list":["post-17227","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-top-stories"],"_links":{"self":[{"href":"https:\/\/readtrends.com\/en\/wp-json\/wp\/v2\/posts\/17227","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/readtrends.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/readtrends.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/readtrends.com\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/readtrends.com\/en\/wp-json\/wp\/v2\/comments?post=17227"}],"version-history":[{"count":0,"href":"https:\/\/readtrends.com\/en\/wp-json\/wp\/v2\/posts\/17227\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/readtrends.com\/en\/wp-json\/wp\/v2\/media\/17225"}],"wp:attachment":[{"href":"https:\/\/readtrends.com\/en\/wp-json\/wp\/v2\/media?parent=17227"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/readtrends.com\/en\/wp-json\/wp\/v2\/categories?post=17227"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/readtrends.com\/en\/wp-json\/wp\/v2\/tags?post=17227"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}