Google Shuts Down Massive Proxy Network Abusing Millions of Android Phones

George Walker - Security Expert
Last updated: March 2, 2026
Radar Rundown
  • Google has disrupted the world’s largest residential proxy network, which secretly hijacked around 9 million Android devices through hidden code in over 600 apps.

  • The network, tied to a company called IPIDEA, let cybercriminals route malicious traffic through people’s phones and computers without their knowledge.

  • More than 550 threat groups, including state-linked actors, used the infrastructure over a single week earlier this year.

Google revealed that it disrupted what it believes to be the biggest residential proxy network. The operation slipped into about 9 million Android devices around the world, including computers and lots of smart home gadgets, without anyone noticing.

What’s really unsettling is that the apps worked just like the provider said they would. But behind the screen, users’ devices were secretly routing internet traffic for strangers, cybercriminals included.

How the network operated

This network ran on hidden software development kits, or SDKs, tucked away inside over 600 apps. And these weren’t weird, shady downloads from sketchy websites. They looked like any other free app, simple utilities, VPNs, etc., available through various channels.

When you installed one, it did exactly what it promised. Meanwhile, behind the scenes, it enrolled your device in a residential proxy network run by a company called IPIDEA, meaning your phone would suddenly start acting as a middleman for someone else’s internet traffic.

The traffic may include things like scraping websites, trying to log into accounts automatically, or even helping people hide who they really are while they do sketchy stuff online.

Some of that “sketchy stuff” includes the distribution of non-consensual intimate images, a crime whose prevalence is laid bare in our revenge porn statistics, showing how technology enables both large-scale cybercrime and deeply personal violations.

To anyone looking in from the outside, all that activity looks like it’s coming from your home’s IP address. Nothing will look off, no weird pop-ups, and you won’t even notice any performance issues like longer load times. Your device will just be quietly working for strangers while you live your daily life, completely unaware.

Cybercriminals exploited the network heavily

Google’s Threat Intelligence Group tracked alarming activity through this infrastructure. During a single seven-day period earlier this year, more than 550 separate threat groups used IP addresses linked to the network. That included both state-linked actors and cybercrime operations.

Residential proxy networks are valuable to criminals because they make malicious traffic look normal. Instead of coming from a suspicious data center somewhere, attacks appear to originate from someone’s living room. That makes detection much harder for security systems.

IPIDEA has claimed its service was meant for legitimate business uses like web research and data collection. But Google’s research suggests criminals heavily abused the network. Some users may have knowingly installed apps that share bandwidth in exchange for rewards, but many received no clear disclosure about how their devices would be used.

Actions Google took to tear it down

Google took legal action in a U.S. federal court to seize domains used to control the infected devices and route proxy traffic. Google teamed up with Cloudflare and other security companies to take down the network’s command-and-control systems.

They also upgraded Play Protect, Android’s built-in security, to let certified devices automatically spot and remove apps using those dangerous SDKs. Here’s the problem: a lot of these bad apps spread outside the official Play Store.

Play Protect only works on apps from Google Play. If you use third-party app stores, download apps from random websites, or run an uncertified Android device, you’re exposed to much bigger risks.

This same principle applies to institutional security; when a student weaponizes university email accounts for dark web sales, it shows that even trusted internal systems can become attack vectors when individuals exploit their access.

Google’s investigation also discovered an overlap between various proxy brands and SDK names. Services appeared to be unrelated but were in reality connected to one infrastructure, running on the same backend. That makes it challenging to know exactly which app is safe and which is making money off your connection.

How to not fall victim

This takedown counts for something, but it’s nowhere near game over. The broader residential proxy market is growing really fast, and you never know which services are just as malicious.

Users should be careful about the apps they’re putting on their devices and the permissions granted. Only a few free apps are ever truly free. Sometimes, you and your internet connection are the product.

Whenever feasible, download apps only from official app stores. Bypassing Google’s security checks by installing an app directly from an APK file rather than through an approved Android app store exposes the device to potential hidden threats. Also be wary of apps that advertise “rewards” for your unused bandwidth. That’s exactly how residential proxy networks often recruit devices.

Check app permissions carefully before installing. A simple wallpaper app has no business needing full network control or background execution privileges. Audit the apps on your phone from time to time to see which ones constantly have internet access or special device permissions.
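
One way to run that audit from a computer, as an added example that is not part of the original article: the Python sketch below reads `adb` output and lists user-installed apps that did not come from Google Play yet request internet access together with background-execution permissions. The package names and sample output are constructed, and the permission shortlist is an assumption chosen for illustration; a hit is a prompt for manual review, not proof that a proxy SDK is present.

```python
import re
import subprocess

PLAY_STORE = "com.android.vending"
# Assumed shortlist of permissions that let an app keep running unattended.
BACKGROUND = {"android.permission." + p for p in (
    "FOREGROUND_SERVICE", "RECEIVE_BOOT_COMPLETED", "WAKE_LOCK")}

def parse_installers(listing):
    """Map package -> installer from `pm list packages -3 -i` output."""
    return dict(re.findall(r"^package:(\S+)\s+installer=(\S+)", listing, re.M))

def requested_permissions(dump):
    """Names under 'requested permissions:' in `dumpsys package <pkg>` output."""
    perms, in_block = set(), False
    for line in dump.splitlines():
        s = line.strip()
        if s == "requested permissions:":
            in_block = True
        elif in_block and s.endswith(":"):
            break  # next section header, e.g. 'install permissions:'
        elif in_block and s:
            perms.add(s.split(":")[0])  # drop suffixes such as ': restricted=true'
    return perms

def triage(installers, dumps):
    """Return (package, installer, background perms) for apps worth a manual look."""
    findings = []
    for pkg, installer in sorted(installers.items()):
        perms = requested_permissions(dumps.get(pkg, ""))
        bg = sorted(perms & BACKGROUND)
        if installer != PLAY_STORE and "android.permission.INTERNET" in perms and bg:
            findings.append((pkg, installer, bg))
    return findings

def audit_device():
    """Same triage against a USB-connected phone (needs adb and USB debugging)."""
    sh = lambda *a: subprocess.run(["adb", "shell", *a], capture_output=True,
                                   text=True, check=True).stdout
    installers = parse_installers(sh("pm", "list", "packages", "-3", "-i"))
    return triage(installers, {p: sh("dumpsys", "package", p) for p in installers})

# Constructed sample output: one sideloaded app, one installed from Google Play.
SAMPLE_LIST = ("package:com.example.wallpaper  installer=null\n"
               "package:com.example.notes  installer=com.android.vending\n")
SAMPLE_DUMPS = {
    "com.example.wallpaper": "requested permissions:\n  android.permission.INTERNET\n"
        "  android.permission.RECEIVE_BOOT_COMPLETED\ninstall permissions:\n",
    "com.example.notes": "requested permissions:\n  android.permission.INTERNET\n"
        "  android.permission.WAKE_LOCK\ninstall permissions:\n",
}
if __name__ == "__main__":
    print(triage(parse_installers(SAMPLE_LIST), SAMPLE_DUMPS))
```
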

Keep your Android security updates current. These updates are not cosmetic; they patch known vulnerabilities. Proxy operators often exploit these, and when you ignore updates, your device becomes an easy target. Is your phone using an older OS that doesn’t get updates anymore? Consider getting a newer model.

Finally, check your phone apps. See if there are any you don’t remember downloading or haven’t used for up to six months, and remove them. Having fewer apps on your phone means fewer chances for some random SDK to hide in the background, spying on you or doing something shady.

Noticed something fishy with your device? Perform a full reset, then start from scratch to reinstall apps, this time only from official sources.
