
Google Shuts Down IPIDEA Proxy Networks Powered by Malware

Summary

– Google and partners disrupted the IPIDEA residential proxy network by taking down its domains and sharing intelligence on its malicious SDKs.
– IPIDEA secretly turned millions of users’ devices into proxy exit nodes through trojanized Android apps and Windows binaries posing as legitimate software.
– Threat actors used IPIDEA’s network for malicious activities like account takeovers, credential theft, and DDoS attacks, with over 550 distinct groups observed.
– The service operated under at least 19 different brand names but was controlled by a single, unidentified entity using a two-tier command-and-control system.
– While Google Play Protect now blocks related apps, no arrests have been made, and users should be cautious of free VPN or bandwidth-for-payment apps.

A major residential proxy network used by cybercriminals to conceal their activities has been dismantled. Google’s Threat Intelligence Group (GTIG), working with industry partners, successfully disrupted the IPIDEA proxy service earlier this week. This action involved taking down domains linked to its operations, including those for managing infected devices and routing proxy traffic. The company also shared critical intelligence on the software development kits (SDKs) that distributed the malicious proxying tool.

The network’s operators advertised IPIDEA as a legitimate VPN service promising to encrypt online traffic and hide users’ real IP addresses, claiming a global user base of 6.7 million. In reality, it functioned as a residential proxy network, secretly routing traffic through the compromised devices of home users and small businesses. These infections typically occurred through trojanized applications and software disguised as helpful utilities.

According to a legal filing from Google, threat actors leverage such residential proxies for a wide array of malicious operations. These include account takeovers, creating fake accounts, stealing credentials, and exfiltrating sensitive information. By channeling their traffic through a vast pool of consumer devices worldwide, attackers can effectively mask their origins, creating substantial obstacles for security teams trying to detect and block their actions.

GTIG observed extensive malicious use of IPIDEA’s infrastructure, with more than 550 distinct threat groups utilizing its exit nodes in just one week. These actors were linked to nations including China, Iran, Russia, and North Korea. The monitored activities ranged from accessing victim software-as-a-service platforms and conducting password-spraying attacks to controlling botnets and obfuscating infrastructure. Previous research from Cisco Talos had connected IPIDEA to large-scale brute-force attacks targeting VPN and SSH services. Furthermore, the network provided support for record-breaking distributed denial-of-service (DDoS) botnets like Aisuru and Kimwolf.
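An added illustration of the detection problem described above (not code from the article or from Google's report): over constructed login records, a per-source-IP failure threshold sees nothing because each residential exit node contributes a single guess, while aggregating failures per time window by distinct accounts and distinct IPs still surfaces the spray. The log format, thresholds, and IP addresses are assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample auth log (not from the article): one password guess per
# residential exit node, spread across many accounts. Fields: ts src_ip user result
SAMPLE_LOG = """\
2024-06-01T10:00:01Z 203.0.113.10 alice FAIL
2024-06-01T10:00:04Z 198.51.100.7 bob FAIL
2024-06-01T10:00:09Z 192.0.2.33 carol FAIL
2024-06-01T10:00:15Z 203.0.113.77 dave FAIL
2024-06-01T10:00:21Z 198.51.100.90 erin FAIL
2024-06-01T10:00:30Z 192.0.2.120 frank FAIL
2024-06-01T10:00:41Z 203.0.113.10 alice OK
2024-06-01T11:30:00Z 203.0.113.200 alice FAIL
"""

def parse(log):
    """Parse the assumed log format into (timestamp, ip, user, result) tuples."""
    events = []
    for line in log.splitlines():
        ts, ip, user, result = line.split()
        events.append((datetime.fromisoformat(ts.replace("Z", "+00:00")), ip, user, result))
    return events

def per_ip_alerts(events, threshold=5):
    """Classic rule: flag any source IP with >= threshold failures. A residential
    proxy pool defeats it, since each exit node makes only one or two attempts."""
    fails = defaultdict(int)
    for _, ip, _, result in events:
        if result == "FAIL":
            fails[ip] += 1
    return {ip for ip, n in fails.items() if n >= threshold}

def spray_alerts(events, window_secs=300, min_users=5, min_ips=5):
    """Spray rule: within one window, many distinct accounts fail from many distinct
    IPs with a low failures-per-IP ratio. Aggregating on the target side removes the
    cover that IP diversity provides. Returns {window_start: (n_users, n_ips)}."""
    fails = sorted((ts, ip, user) for ts, ip, user, r in events if r == "FAIL")
    alerts, start = {}, 0
    for end in range(len(fails)):
        while (fails[end][0] - fails[start][0]).total_seconds() > window_secs:
            start += 1  # slide the window forward
        window = fails[start:end + 1]
        users = {u for _, _, u in window}
        ips = {ip for _, ip, _ in window}
        if len(users) >= min_users and len(ips) >= min_ips and len(window) / len(ips) <= 2:
            alerts[fails[start][0]] = (len(users), len(ips))
    return alerts
```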

IPIDEA enrolled devices using at least 600 trojanized Android apps and over 3,000 malicious Windows binaries. The Android apps embedded proxying SDKs with names like Packet SDK and Hex SDK, while the Windows files often posed as OneDriveSync or Windows Update installers. The service also promoted several VPN and proxy apps to Android users that covertly transformed their devices into proxy exit nodes without their knowledge or consent.

Google’s investigation revealed that the unidentified operators ran at least 19 separate residential proxy businesses under various brand names, all connected to a centralized infrastructure they controlled. These brands, which pretended to be legitimate services, sold access to devices infected with malware known as BadBox 2.0. Some of the associated brands included 360 Proxy, IP 2 World, Luna Proxy, and PIA S5 Proxy.

In response, Google Play Protect now automatically detects and blocks applications containing IPIDEA-related SDKs on up-to-date, certified Android devices. The network’s technical structure involved a two-tier command-and-control system. The first tier managed configuration and timing, while the second tier consisted of approximately 7,400 servers responsible for assigning proxying tasks and relaying traffic.

Notably, the operators also distributed free VPN apps that provided the advertised functionality. However, these apps also silently added the user’s device to the IPIDEA network, turning it into an unpaid exit node for malicious traffic. While the recent takedown action has significantly impacted IPIDEA’s operations, the threat actors behind it may attempt to rebuild. No arrests or indictments have been announced at this time.

Security experts advise users to exercise caution, particularly with applications that offer payment in exchange for bandwidth or free VPN and proxy services from unverified publishers.

(Source: Bleeping Computer)
