Google targets IPIDEA in crackdown on global residential proxy networks

Google disrupted IPIDEA, a major residential proxy network that enrolled users’ devices via SDKs embedded in mobile and desktop apps.

Google and partners disrupted the IPIDEA residential proxy network, used by many threat actors, through legal domain takedowns, intelligence sharing on malicious SDKs, and ecosystem-wide enforcement. Google Play Protect now removes and blocks apps that bundle IPIDEA SDKs. The actions significantly degraded the network, removing millions of devices from its pool and potentially impacting affiliated proxy operators that draw on shared device pools.

“This week Google and partners took action to disrupt what we believe is one of the largest residential proxy networks in the world, the IPIDEA proxy network. IPIDEA’s proxy infrastructure is a little-known component of the digital ecosystem leveraged by a wide array of bad actors,” reads the announcement.

Residential proxy networks route traffic through real ISP-assigned residential IPs, letting attackers hide malicious activity and evade detection. They require millions of consumer devices enrolled as exit nodes, often via trojanized apps or deceptive “bandwidth monetization” offers. Google’s Threat Intelligence Group (GTIG) found these networks, including IPIDEA, are heavily abused by cybercrime, espionage, and botnets such as BadBox 2.0, Aisuru, and Kimwolf. In one week of January 2026, over 550 tracked threat groups used IPIDEA exit nodes. These proxies also endanger users by exposing their devices and home networks to unauthorized traffic, compromise, and reputational risk.

“We believe our actions have caused significant degradation of IPIDEA’s proxy network and business operations, reducing the available pool of devices for the proxy operators by millions,” continues the report. “Because proxy operators share pools of devices using reseller agreements, we believe these actions may have downstream impact across affiliated entities.”

The researchers discovered that many “independent” residential proxy and VPN brands are actually controlled by the same actors behind IPIDEA, including services like 360 Proxy, Luna Proxy, PIA S5, and Radish VPN. The group also operates multiple proxy SDKs (Castar, Earn, Hex, Packet) embedded into apps to monetize downloads and covertly turn user devices into proxy exit nodes. These SDKs, offered across Android, Windows, iOS, and WebOS, are key to scaling the network. Claims of ethical IP sourcing are often misleading, as many apps fail to disclose proxy enrollment, exposing users to abuse and risk.

Multiple IPIDEA-linked SDKs (EarnSDK, PacketSDK, CastarSDK, HexSDK) share code and a common two-tier command-and-control infrastructure. In Tier One, infected devices contact domains to send diagnostics and receive Tier Two node details. In Tier Two, devices poll IP-based servers for proxy tasks and then relay traffic to target destinations. Despite different brands and domains, all SDKs use a shared global pool of about 7,400 Tier Two servers, indicating a single backend. Devices are enrolled via trojanized VPNs, Windows binaries, and hundreds of Android apps, often without user disclosure.
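The two-tier pattern described above (a diagnostics beacon to a DNS-resolved domain, followed by repeated polling of IP-literal task servers, followed by relay traffic fanning out to many destinations) is something a home or small-office defender can look for in outbound flow records. The following detector is an added example, not code from Google’s report or from any of the SDKs; the flow-record format, the thresholds, and the constructed sample devices and addresses (documentation ranges and `.invalid` hostnames) are all assumptions made here for illustration.

```python
"""Heuristic detector for the two-tier proxy-SDK pattern in outbound flows.

Assumptions (not from the Google write-up): each flow record carries the
hostname when the destination was resolved via DNS and an IP literal
otherwise; thresholds are illustrative, not tuned on real traffic.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Flow:
    ts: int          # seconds since capture start
    src: str         # internal device address
    dst_host: str    # hostname if DNS-resolved, IP literal otherwise
    dst_ip: str
    dst_port: int
    bytes_out: int


def is_ip_literal(host: str) -> bool:
    """True when the 'hostname' is really a bare IPv4/IPv6 address."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def find_two_tier_candidates(flows, min_polls=3, min_poll_servers=2, min_relay_dests=8):
    """Return {src: details} for devices matching all three stages."""
    by_src = defaultdict(list)
    for f in flows:
        by_src[f.src].append(f)

    findings = {}
    for src, fl in by_src.items():
        fl.sort(key=lambda f: f.ts)
        # Stage 1 (Tier One): a DNS-resolved web contact that precedes the rest.
        named = [f for f in fl if not is_ip_literal(f.dst_host) and f.dst_port in (80, 443)]
        if not named:
            continue
        t_first_named = named[0].ts
        # Stage 2 (Tier Two): IP-literal (ip, port) pairs polled repeatedly afterwards.
        polls = Counter((f.dst_ip, f.dst_port) for f in fl
                        if f.ts > t_first_named and is_ip_literal(f.dst_host))
        poll_servers = {k for k, n in polls.items() if n >= min_polls}
        if len(poll_servers) < min_poll_servers:
            continue
        t_first_poll = min(f.ts for f in fl if (f.dst_ip, f.dst_port) in poll_servers)
        # Stage 3 (relay): fan-out to many distinct destinations once polling began.
        named_ips = {n.dst_ip for n in named}
        relay = {f.dst_ip for f in fl
                 if f.ts > t_first_poll
                 and (f.dst_ip, f.dst_port) not in poll_servers
                 and f.dst_ip not in named_ips}
        if len(relay) >= min_relay_dests:
            findings[src] = {
                "tier1_domains": sorted({n.dst_host for n in named}),
                "tier2_servers": sorted(poll_servers),
                "relay_destinations": len(relay),
            }
    return findings


def constructed_flows():
    """Constructed sample: one enrolled device, one device browsing normally."""
    flows = []
    # Device A: Tier One beacon, Tier Two polling on two servers, then relay fan-out.
    flows.append(Flow(0, "10.0.0.23", "diag.sdk-placeholder.invalid", "192.0.2.10", 443, 900))
    for t in (10, 20, 30, 40):
        flows.append(Flow(t, "10.0.0.23", "203.0.113.10", "203.0.113.10", 9000, 120))
    for t in (15, 25, 35):
        flows.append(Flow(t, "10.0.0.23", "203.0.113.11", "203.0.113.11", 9000, 120))
    for i in range(1, 13):
        flows.append(Flow(40 + i, "10.0.0.23", f"198.51.100.{i}", f"198.51.100.{i}", 443, 4000))
    # Device B: ordinary browsing plus one IP-literal contact seen only twice.
    for i, name in enumerate(("news.example.invalid", "mail.example.invalid", "cdn.example.invalid")):
        flows.append(Flow(5 + i, "10.0.0.5", name, f"192.0.2.{20 + i}", 443, 3000))
    flows.append(Flow(30, "10.0.0.5", "192.0.2.50", "192.0.2.50", 443, 500))
    flows.append(Flow(60, "10.0.0.5", "192.0.2.50", "192.0.2.50", 443, 500))
    return flows


if __name__ == "__main__":
    for src, info in find_two_tier_candidates(constructed_flows()).items():
        print(src, info)
```

The three stages are checked in time order on purpose: a device that merely talks to a few IP-literal servers, or that merely opens many connections, is not flagged, which keeps ordinary browsing and software-update traffic out of the results. Real deployments would feed it DNS-correlated NetFlow or firewall logs and tune the thresholds against a baseline of the local network.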

Google dismantled much of IPIDEA’s infrastructure by taking down C2 and marketing domains, enforcing Play Protect to remove apps with IPIDEA SDKs, and blocking future installs.

The IT giant coordinated with partners like Cloudflare, Spur, and Black Lotus Labs to disrupt operations and share intelligence. The company warns residential proxies are a growing gray market enabling cybercrime and espionage, urges consumers to avoid “bandwidth sharing” apps and uncertified devices, and calls for stronger transparency, accountability, and industry-wide collaboration to curb abuse.

“We encourage mobile platforms, ISPs, and other tech platforms to continue sharing intelligence and implementing best practices to identify illicit proxy networks and limit their harms,” concludes the report, which also includes Indicators of Compromise (IOCs).

Pierluigi Paganini

(SecurityAffairs – hacking, IPIDEA)
