In a major cybersecurity action, Google has disrupted IPIDEA, described as one of the world’s largest residential proxy networks, after working with industry partners to take down its infrastructure.
Google said it used legal measures to disable dozens of domains that controlled hijacked devices and routed proxy traffic through them. As of now, IPIDEA’s main website is no longer accessible. The service had promoted itself as the “world’s leading provider of IP proxy,” claiming more than 6.1 million daily updated IP addresses and 69,000 new IP addresses every day.
“Residential proxy networks have become a pervasive tool for everything from high-end espionage to massive criminal schemes,” said John Hultquist, chief analyst at Google Threat Intelligence Group (GTIG). “By routing traffic through a person’s home internet connection, attackers can hide in plain sight while infiltrating corporate environments. By taking down the infrastructure used to run the IPIDEA network, we have effectively pulled the rug out from under a global marketplace that was selling access to millions of hijacked consumer devices.”
Google said IPIDEA’s network was used this month by more than 550 threat groups engaged in cybercrime, espionage, advanced persistent threat activity, and information operations. Activity was traced to actors in multiple countries, including China, North Korea, Iran, and Russia, and included password spraying against SaaS platforms and on-premises systems.
“Residential proxies have been used by a whole host of threats, but they’re showing up frequently in incidents involving Russian and Chinese cyber espionage,” Hultquist said. “They’ve been used by APT28 and Sandworm as well as Volt Typhoon.”
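The point Hultquist makes about attackers hiding in plain sight behind home connections has a concrete consequence for detection: a password spray routed through a residential proxy pool produces roughly one failed login per source IP, so a per-IP lockout or rate-limit rule never trips, while the account-side signal (many distinct accounts failing from many distinct IPs in a short window) is still visible. The following Python is an added example, not code from the article, from Google or from GTIG. It runs a classic per-IP rule and a distinct-IP/distinct-account sliding-window rule over constructed log lines; the log format, field names and thresholds are assumptions chosen for illustration.

```python
"""Detect a password spray that is spread thin across a residential proxy pool.

Constructed example: the log lines and thresholds below are synthetic
assumptions for illustration, not data or defaults from Google's report.
"""
import re
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed sample: eight failures inside one minute, each from a different
# source IP and against a different account, then two successes, then an
# unrelated failure ninety minutes later. No single IP fails more than once.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z login_failed user=alice src=203.0.113.10
2024-05-01T10:00:07Z login_failed user=bob src=198.51.100.22
2024-05-01T10:00:13Z login_failed user=carol src=203.0.113.77
2024-05-01T10:00:20Z login_failed user=dave src=192.0.2.45
2024-05-01T10:00:26Z login_failed user=erin src=198.51.100.9
2024-05-01T10:00:31Z login_failed user=frank src=203.0.113.200
2024-05-01T10:00:40Z login_failed user=grace src=192.0.2.130
2024-05-01T10:00:45Z login_failed user=heidi src=198.51.100.64
2024-05-01T10:01:02Z login_ok user=alice src=203.0.113.10
2024-05-01T10:01:30Z login_ok user=ivan src=192.0.2.77
2024-05-01T11:30:00Z login_failed user=judy src=192.0.2.77
"""

# Assumed line format: "<ISO timestamp> <outcome> user=<name> src=<ip>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<outcome>login_failed|login_ok) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_events(text):
    """Parse the constructed log lines into dicts sorted by timestamp."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip anything that is not an auth event
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def per_ip_lockouts(events, threshold=5):
    """Classic rule: IPs with more than `threshold` failures. Blind to IP rotation."""
    fails = Counter(e["src"] for e in events if e["outcome"] == "login_failed")
    return {ip for ip, n in fails.items() if n > threshold}


def detect_spray(events, window=timedelta(minutes=5), min_accounts=5, min_ips=5, max_per_ip=2):
    """Flag windows where failures hit many accounts from many IPs, few per IP.

    Low per-IP volume is part of the signature: it is what distinguishes a
    proxy-rotated spray from a single noisy host.
    """
    fails = [e for e in events if e["outcome"] == "login_failed"]
    alerts = []
    i = 0
    while i < len(fails):
        start = fails[i]["ts"]
        # fails is sorted, so the bucket is the contiguous run starting at i
        bucket = [e for e in fails[i:] if e["ts"] - start <= window]
        users = {e["user"] for e in bucket}
        ips = Counter(e["src"] for e in bucket)
        if len(users) >= min_accounts and len(ips) >= min_ips and max(ips.values()) <= max_per_ip:
            alerts.append({
                "window_start": start,
                "window_end": start + window,
                "distinct_users": len(users),
                "distinct_ips": len(ips),
                "max_per_ip": max(ips.values()),
            })
            i += len(bucket)  # one alert per burst, then move past it
        else:
            i += 1
    return alerts


def successes_inside_spray(events, alerts):
    """Accounts that failed and then succeeded inside a flagged window: triage these first."""
    hits = set()
    for a in alerts:
        in_win = [e for e in events if a["window_start"] <= e["ts"] <= a["window_end"]]
        failed = {e["user"] for e in in_win if e["outcome"] == "login_failed"}
        hits.update(e["user"] for e in in_win if e["outcome"] == "login_ok" and e["user"] in failed)
    return hits


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    print("per-IP lockouts:", per_ip_lockouts(evs))          # empty: rotation defeats it
    alerts = detect_spray(evs)
    for a in alerts:
        print("spray window:", a)
    print("triage first:", successes_inside_spray(evs, alerts))
```

On the sample, the per-IP rule returns nothing while the window rule raises one alert covering eight accounts and eight IPs with at most one failure per IP, and the follow-up check singles out the one account that failed and then authenticated inside the window. In production the same logic would run over an identity provider's sign-in log, and the thresholds would be tuned against the tenant's normal failure rate rather than taken from this example.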
Security researchers had earlier reported that the botnet tracked as AISURU or Kimwolf abused proxy services like IPIDEA to relay commands to vulnerable Internet of Things devices. Malware was hidden inside apps and games pre-installed on low-cost Android TV boxes, and infected devices were then forced to relay traffic and take part in DDoS attacks.
IPIDEA also promoted standalone apps that paid users to install software and share “unused bandwidth.” Google said such networks rely on code embedded into consumer devices, either through preloaded software or trojanized apps. “These devices are either pre-loaded with proxy software or are joined to the proxy network when users unknowingly download trojanized applications,” GTIG said.
The IPIDEA network included multiple proxy brands such as Ipidea, 360 Proxy, 922 Proxy, ABC Proxy, Cherry Proxy, Door VPN, Galleon VPN, IP 2 World, Luna Proxy, PIA S5 Proxy, PY Proxy, Radish VPN, and Tab Proxy. It also controlled SDK tools like Castar SDK, Earn SDK, Hex SDK, and Packet SDK, which developers used to monetize apps by turning user devices into proxy nodes.
Google identified about 7,400 Tier Two command servers and 3,075 Windows files linked to the network. Around 600 Android apps were flagged for containing the proxy code.
Google has updated Play Protect to warn users and automatically remove apps linked to IPIDEA on certified Android devices.
A spokesperson for the Chinese firm behind the service said it had used “relatively aggressive market expansion strategies” and “explicitly opposed any form of illegal or abusive conduct.”
Google said it will continue targeting services that enable botnets such as BADBOX 2.0. Despite the takedown, about 5 million bots are still connecting to command servers, though proxy activity has dropped by about 40%.