Google has moved against IPIDEA, one of the largest residential proxy networks in operation. The network advertises a pool of more than 6.1 million IP addresses refreshed daily, and Google's researchers say it has served financially motivated criminals and state-backed espionage groups alike.
John Hultquist, chief analyst at Google Threat Intelligence Group (GTIG), warns that residential proxy networks are a serious threat, allowing attackers to hide in plain sight and infiltrate corporate environments.
"By taking down IPIDEA's infrastructure, we've disrupted a global marketplace selling access to millions of hijacked consumer devices," Hultquist said.
IPIDEA's proxy infrastructure has been used by more than 550 threat groups worldwide, including groups tied to China, North Korea, Iran and Russia. Their activity ranges from logging in to victims' SaaS environments through proxied residential IPs to running password spray attacks against them.
Separately, the operators of the AISURU/Kimwolf botnet have abused security flaws in residential proxy services such as IPIDEA to push their malware onto IoT devices. That malware is bundled with apps and games pre-installed on Android TV streaming boxes, and the infected devices are conscripted into DDoS attacks.
IPIDEA has also released standalone apps that promise consumers "easy cash" for installing the app and letting it use their "unused bandwidth."
Residential proxy networks are a double-edged sword. Because their traffic exits from IP addresses assigned by consumer ISPs, a request looks like it comes from an ordinary home user in the expected country. That is the selling point for legitimate customers, and exactly what lets attackers slip past geolocation checks, IP reputation lists and per-source rate limits.
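The defender's problem is easy to see in a password spray, one of the activities the article attributes to IPIDEA's customers. The following is an added example, not code from Google or from the article's sources: each guess arrives from a different residential IP, so a per-source lockout never trips, while counting distinct targeted accounts per time window catches the campaign. The log format, thresholds and sample lines are constructed for illustration.

```python
"""Password-spray detection that survives residential-proxy IP rotation.

Added example, not code from Google or from the article's sources. The log
format, thresholds and sample lines below are assumptions for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

EPOCH = datetime(1970, 1, 1)

# Constructed sample authentication log (not real data). Each spray attempt
# arrives from a different residential IP, so no single source is noisy.
SAMPLE_LOG = """\
2025-07-01T10:00:01Z FAIL user=alice src=198.51.100.10
2025-07-01T10:00:03Z FAIL user=bob   src=203.0.113.5
2025-07-01T10:00:04Z FAIL user=carol src=198.51.100.77
2025-07-01T10:00:06Z FAIL user=dave  src=192.0.2.33
2025-07-01T10:00:07Z FAIL user=erin  src=203.0.113.200
2025-07-01T10:00:09Z FAIL user=frank src=192.0.2.120
2025-07-01T10:00:11Z OK   user=alice src=198.51.100.10
2025-07-01T10:30:00Z FAIL user=alice src=198.51.100.10
2025-07-01T11:00:00Z FAIL user=bob   src=203.0.113.5
"""


def parse_log(text):
    """Parse '<ISO time> <OK|FAIL> user=<name> src=<ip>' lines into dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, result, user, src = line.split()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "ok": result == "OK",
            "user": user.split("=", 1)[1],
            "src": src.split("=", 1)[1],
        })
    return sorted(events, key=lambda e: e["ts"])


def max_failures_per_ip(events):
    """The classic lockout view: failures from the busiest single source IP."""
    counts = defaultdict(int)
    for e in events:
        if not e["ok"]:
            counts[e["src"]] += 1
    return max(counts.values(), default=0)


def detect_spray(events, window=timedelta(minutes=5), min_accounts=5, min_ips=3):
    """Bucket failures into fixed time windows and alert when one window holds
    failures for many distinct accounts from many distinct sources.

    Fixed buckets are simple and O(n); a spray straddling a bucket boundary is
    split in two, so pick a window a few times longer than the expected burst.
    """
    width = int(window.total_seconds())
    buckets = defaultdict(list)
    for e in events:
        if not e["ok"]:
            secs = int((e["ts"] - EPOCH).total_seconds())
            buckets[secs - secs % width].append(e)
    alerts = []
    for start in sorted(buckets):
        users = {e["user"] for e in buckets[start]}
        ips = {e["src"] for e in buckets[start]}
        if len(users) >= min_accounts and len(ips) >= min_ips:
            alerts.append({
                "window_start": EPOCH + timedelta(seconds=start),
                "accounts": sorted(users),
                "source_ips": sorted(ips),
            })
    return alerts


def suspicious_successes(events, alerts):
    """Accounts that logged in successfully from an IP seen in a spray window:
    the first place to look for a guessed password."""
    spray_ips = {ip for a in alerts for ip in a["source_ips"]}
    return {e["user"] for e in events if e["ok"] and e["src"] in spray_ips}


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    alerts = detect_spray(evs)
    print("busiest IP failures:", max_failures_per_ip(evs))  # stays below any sane lockout threshold
    for a in alerts:
        print("spray at", a["window_start"], len(a["accounts"]), "accounts from",
              len(a["source_ips"]), "IPs")
    print("check these accounts:", suspicious_successes(evs, alerts))
```

On the sample data the busiest source only fails twice, so a five-failure lockout never fires, while the window view sees six accounts targeted from six IPs in under ten seconds and points at the one account that then authenticated from a spray IP. In production the same logic runs over the identity provider's sign-in log, and the account-count threshold is tuned to the tenant's size.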
"Residential proxy network operators need code running on consumer devices to enroll them as exit nodes," GTIG explains. "Some users knowingly install this software, lured by the promise of monetizing their spare bandwidth."
IPIDEA's role in facilitating botnets, including the China-based BADBOX 2.0, has made it notorious. In July 2025, Google sued 25 unnamed individuals or entities in China for allegedly operating this botnet and its proxy infrastructure.
IPIDEA's proxy applications do more than relay traffic: they pose a direct risk to the consumers who run them, because the same software is positioned to compromise the device it is installed on.
IPIDEA's proxy network is not a single entity but a collection of well-known residential proxy brands, including Ipidea, 360 Proxy, and Cherry Proxy.
"The same actors control these brands and several domains related to SDKs for residential proxies," Google said.
These SDKs are marketed to third-party developers as a way to monetize their apps and are embedded into existing applications. Developers are paid per download, and every device running the app becomes a node of the proxy network.
The SDKs, including Castar SDK and Hex SDK, share substantial command-and-control infrastructure and code. They use a two-tier design: an infected device first contacts a Tier One server, which hands it the list of Tier Two nodes to connect to.
Besides proxy services, IPIDEA actors control domains offering free VPN tools, which are also engineered to join the proxy network as exit nodes.
GTIG identified 3,075 unique Windows binaries that have sent requests to Tier One domains, some disguised as OneDriveSync and Windows Update. Additionally, 600 Android applications from multiple sources have been flagged for containing code connecting to Tier One C2 domains.
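That finding suggests a routine endpoint check. The following is an added example, not GTIG's or Google's tooling: flag processes whose names mimic OneDrive or Windows Update but that run outside the directories where the genuine component lives, lack a Microsoft signature, or connect to a watchlisted domain. The expected directories, signer string, watchlist domains and sample events are assumptions constructed for illustration; the article does not name the real Tier One domains.

```python
"""Flag Windows processes that borrow the names of Microsoft components.

Added example, not GTIG's or Google's tooling. The article reports proxy
binaries disguised as OneDriveSync and Windows Update; everything else here
(expected install directories, signer check, watchlist domains, sample
events) is an assumption constructed for illustration.
"""
import re
from typing import NamedTuple


class ProcEvent(NamedTuple):
    image: str     # full path of the executable
    signer: str    # publisher from a verified Authenticode signature, "" if unsigned
    dst_host: str  # hostname the process connected to, "" if none observed


# Name fragments the article says were imitated -> directories where the
# genuine component lives on a default install (assumption; extend per fleet).
LOOKALIKES = {
    "onedrive": [
        r"^c:\\program files\\microsoft onedrive\\",
        r"^c:\\users\\[^\\]+\\appdata\\local\\microsoft\\onedrive\\",
    ],
    "windowsupdate": [
        r"^c:\\windows\\",
    ],
}
TRUSTED_SIGNER = "microsoft"  # substring of the publisher CN (assumption)

# Hypothetical stand-ins for the Tier One C2 domains, which the article does not name.
TIER_ONE_WATCHLIST = {"tier1-cc.example", "sdk-bootstrap.example"}

# Constructed sample process-creation events (not real telemetry).
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Users\jdoe\AppData\Local\Microsoft\OneDrive\OneDrive.exe",
              "Microsoft Corporation", "onedrive.live.com"),
    ProcEvent(r"C:\Users\jdoe\AppData\Roaming\OneDriveSync\OneDriveSync.exe",
              "", "tier1-cc.example"),
    ProcEvent(r"C:\ProgramData\WindowsUpdate\Windows Update.exe",
              "Some Ltd", ""),
    ProcEvent(r"C:\Windows\System32\svchost.exe",
              "Microsoft Windows", ""),
]


def _normalized_name(image):
    """Lower-case file name with spaces and separators removed, so
    'Windows Update.exe' and 'windows_update.exe' both match."""
    name = image.rsplit("\\", 1)[-1].lower()
    return re.sub(r"[\s_\-]", "", name)


def classify(ev):
    """Return the list of reasons this process is suspicious (empty if none)."""
    reasons = []
    name = _normalized_name(ev.image)
    path = ev.image.lower()
    for key, allowed_dirs in LOOKALIKES.items():
        if key not in name:
            continue
        if not any(re.match(p, path) for p in allowed_dirs):
            reasons.append(f"{key} lookalike outside expected directory")
        if TRUSTED_SIGNER not in ev.signer.lower():
            reasons.append(f"{key} lookalike not signed by Microsoft")
    if ev.dst_host.lower() in TIER_ONE_WATCHLIST:
        reasons.append("contacted watchlisted Tier One domain")
    return reasons


def scan(events):
    """Map image path -> reasons for every event that raised at least one."""
    return {ev.image: r for ev in events if (r := classify(ev))}


if __name__ == "__main__":
    for image, reasons in scan(SAMPLE_EVENTS).items():
        print(image)
        for r in reasons:
            print("   -", r)
```

The genuine OneDrive binary, signed and in its default directory, passes; the two impostors fail on location and signature, and the one that phones a watchlisted host fails on that too. The signer field must come from a verified Authenticode signature rather than from the file's version-info strings, which anyone can set to "Microsoft Corporation".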
A spokesperson for the Chinese company involved has admitted to "relatively aggressive market expansion strategies" and "promotional activities in inappropriate venues." However, they claim to "explicitly oppose any form of illegal or abusive conduct."
To counter the threat, Google has updated Google Play Protect to automatically warn users about apps containing IPIDEA code. Certified Android devices will automatically remove these malicious applications.
"Enforcement and verification are challenging given intentionally murky ownership structures and reseller agreements," Google said.
The takedown disrupts one marketplace, but as Google itself notes, murky ownership and reseller chains make lasting enforcement hard, and the model of paying developers and consumers to turn devices into exit nodes is easy to rebrand. Defenders should treat traffic from residential IP space as no more trustworthy than any other and not rely on per-IP reputation or per-source lockouts alone.