- Google disrupts IPIDEA, a massive proxy network that exploits millions of devices
- Over 550 threat groups used IPIDEA for espionage, credential theft and botnet operations
- Lawsuits, domain seizures and Play Protect updates reduced the proxy device pool by millions
Google says it has disrupted one of the largest residential proxy networks in operation today, hitting hundreds of cybercriminal groups and possibly thousands of hacking operations in the process.
In a blog post, Google’s Threat Intelligence Group (GTIG) said it disrupted IPIDEA, a well-known residential proxy service whose device pool counts millions of Android, Windows and other devices.
GTIG says IPIDEA relied on software development kits (SDKs) that were marketed to developers as a way to monetize their apps. Apps that bundled these SDKs, however, silently enrolled the devices they ran on as proxy nodes, without the users’ knowledge or consent. Residential proxy networks of this kind typically also include routers, modems, DVRs, smart home devices and various sensors. In some cases, cheap Android TVs and set-top boxes shipped with the malware pre-installed, which also points to a supply chain compromise.
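To make the enrolment mechanism concrete, here is an added example that is not IPIDEA’s code and not from Google’s report: a constructed, localhost-only model of a reverse-connect proxy node. The in-app "agent" dials out to an operator gateway (so the device opens no listening port and nothing looks unusual to the user), then fetches whatever the gateway asks for, so the destination only ever sees the device’s own address. The framing protocol, the Gateway/Target classes and the node_agent function are all assumptions made for the illustration.

```python
"""Constructed model of a reverse-connect residential proxy node (not IPIDEA's code).

The node agent connects OUT to the operator gateway and then serves fetch commands
on the operator's behalf. The target web server records which socket connected to
it, so we can show that it sees the node, never the gateway. Runs on localhost only.
"""
import json
import socket
import struct
import threading


def send_msg(sock, obj):
    """Length-prefixed JSON framing; assumed wire format for this example."""
    data = json.dumps(obj).encode()
    sock.sendall(struct.pack(">I", len(data)) + data)


def recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed")
        buf += chunk
    return buf


def recv_msg(sock):
    (n,) = struct.unpack(">I", recv_exact(sock, 4))
    return json.loads(recv_exact(sock, n))


class Target:
    """Stand-in web server that logs the (ip, port) of every client that connects."""

    def __init__(self):
        self.seen = []
        self.srv = socket.socket()
        self.srv.bind(("127.0.0.1", 0))
        self.srv.listen(5)
        self.port = self.srv.getsockname()[1]
        threading.Thread(target=self._serve, daemon=True).start()

    def _serve(self):
        while True:
            conn, addr = self.srv.accept()
            self.seen.append(addr)           # this is what the victim site would log
            req = conn.recv(4096)
            conn.sendall(b"HTTP/1.0 200 OK\r\n\r\nhello " + req.split(b"\r\n")[0])
            conn.close()


class Gateway:
    """Operator side: waits for nodes to dial in, then hands them fetch jobs."""

    def __init__(self):
        self.srv = socket.socket()
        self.srv.bind(("127.0.0.1", 0))
        self.srv.listen(5)
        self.port = self.srv.getsockname()[1]

    def accept_node(self):
        conn, _ = self.srv.accept()
        return conn

    def fetch(self, node, host, port, request):
        send_msg(node, {"op": "fetch", "host": host, "port": port, "data": request})
        return recv_msg(node)


def node_agent(gateway_port):
    """The 'SDK' inside a consumer app: outbound-only, obeys the gateway."""
    gw = socket.create_connection(("127.0.0.1", gateway_port))
    while True:
        cmd = recv_msg(gw)
        if cmd.get("op") == "quit":
            break
        with socket.create_connection((cmd["host"], cmd["port"])) as t:
            local = t.getsockname()          # the address the target will see
            t.sendall(cmd["data"].encode())
            resp = b""
            while True:                      # target closes after replying
                chunk = t.recv(4096)
                if not chunk:
                    break
                resp += chunk
        send_msg(gw, {"from": list(local), "body": resp.decode()})
    gw.close()


def run_demo():
    """One fetch through the node; returns what each party observed."""
    target = Target()
    gw = Gateway()
    threading.Thread(target=node_agent, args=(gw.port,), daemon=True).start()
    node = gw.accept_node()
    reply = gw.fetch(node, "127.0.0.1", target.port, "GET /secret HTTP/1.0\r\n\r\n")
    send_msg(node, {"op": "quit"})
    node_addr = tuple(reply["from"])
    return {
        "body": reply["body"],
        "node_addr": node_addr,
        "target_saw": target.seen,
        # True when the only client the target ever saw was the node's socket
        "node_is_only_client": target.seen == [node_addr],
    }


if __name__ == "__main__":
    print(run_demo())
```

The point for defenders is in `target.seen`: the request arrives from the enrolled device’s socket, so IP reputation, geolocation and ASN checks on the victim side all describe the consumer device, not the operator. The same outbound-only pattern is why such an SDK is hard to spot from the device owner’s side: there is no inbound port to scan, only a long-lived outbound connection that looks like any app’s telemetry channel.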
To disrupt hundreds of threat actors
To disrupt IPIDEA, Google took legal action to seize domains used for command-and-control and marketing, shared technical intelligence with industry partners and law enforcement, and updated Google Play Protect to automatically remove apps containing IPIDEA SDKs.
Google says these actions reduced the available proxy device pool by millions and degraded the network’s ability to function, although it warns that the residential proxy market remains a fast-growing “gray market” that continues to enable large-scale cybercrime.
“We believe our actions have caused significant degradation to IPIDEA’s proxy network and business operations, reducing the available pool of devices for the proxy operators by millions,” Google said.
“Because proxy operators share pools of devices using reseller agreements, we believe these actions may have downstream effects across affiliated devices.”
Google linked IPIDEA to several well-known proxy and VPN brands, showing that they all shared the same backend infrastructure. Some of the names it mentioned include ABC Proxy, Galleon VPN, PIA S5 Proxy, Radish VPN and Tab Proxy.
The researchers also said that in a single week, more than 550 known and tracked threat actors used IPIDEA, including groups with ties to China, Russia, Iran and North Korea. The proxies were allegedly used for espionage, credential attacks, botnet control, and access to compromised cloud and enterprise environments.