Google dismantles secret network hijacking phone internet

Summary
– Google has significantly disrupted the IPIDEA network, a massive residential proxy service that secretly enlisted millions of devices to hide cyberattacks.
– The network operated by embedding its proxy code into hundreds of apps and SDKs, turning devices into traffic exit nodes without clear user consent.
– This infrastructure was used by over 550 tracked threat groups, including state-linked actors, for activities like credential stuffing, espionage, and DDoS attacks.
– Google’s action involved legal and technical takedowns of domains, app removals via Play Protect, and partnerships, freeing approximately nine million Android devices.
– While not completely eradicated, the disruption severely hinders the network’s operations and represents a major protective step for everyday users.
Google has successfully disrupted a massive cybercrime operation that secretly hijacked millions of personal devices to create a global proxy network. The tech giant’s security team dismantled key parts of the IPIDEA service, a sprawling system that turned ordinary smartphones and computers into tools for hackers. This network allowed criminals to mask their attacks by routing malicious internet traffic through unsuspecting users’ home connections, making the activity far harder to trace and block compared to attacks originating from data centers.
The operation relied on software development kits (SDKs) embedded within hundreds of seemingly legitimate mobile apps. Developers often integrated these kits, with names like PacketSDK and HexSDK, for monetization purposes. Once installed, however, the software could quietly enlist a device into IPIDEA’s proxy pool without the owner’s knowledge. The device would then act as an exit node, forwarding internet traffic for paying customers, who were often threat actors.
This covert network provided a critical hiding place for some of the world’s most dangerous hacking groups. In just one week, over 550 tracked threat organizations leveraged these hijacked residential IP addresses. The user base included sophisticated cybercriminals and state-aligned advanced persistent threat (APT) actors linked to nations like China, Russia, Iran, and North Korea. They used the proxies for a range of malicious activities, from credential stuffing and espionage to launching distributed denial-of-service (DDoS) attacks and concealing command-and-control servers.
Google’s Threat Intelligence Group executed a multi-pronged takedown strategy. The company pursued legal and technical actions to seize dozens of domains central to IPIDEA’s operations, which were used to distribute the SDKs and sell proxy access. Simultaneously, Google Play Protect was updated to identify and remove compromised Android applications from devices. The company also collaborated with industry partners, including Lumen’s Black Lotus Labs and Cloudflare, to dismantle supporting backend infrastructure.
The impact of this coordinated effort has been substantial. Google reports freeing approximately nine million Android devices from the proxy network and removing hundreds of tainted apps from circulation. While remnants of the network may persist, this major disruption has severely degraded its scale and will complicate any attempts to rebuild it for future abuse. For the average user, this action helps reclaim device security and processing power that was being exploited without their consent. It represents a significant step in holding the architects of these hidden infrastructures accountable and protecting the broader digital ecosystem.
(Source: Android Central)