In a major cybersecurity crackdown, Google has dismantled a large-scale cyber network that allegedly targeted more than 90 million Android and smart devices worldwide. The operation secretly converted devices into parts of a residential proxy infrastructure.
Hidden SDKs found in 600+ free apps
According to the investigation, the network operated through hidden software development kits (SDKs) embedded in more than 600 free apps. These apps appeared legitimate, offering utility tools, VPN services, and other free downloads. However, they secretly routed internet traffic through users’ devices in the background.
Stealth proxy relay system
Cybersecurity researchers found that devices were enrolled into a proxy relay system without user knowledge. Once active, infected devices forwarded internet traffic for third parties. This setup could be used for website scraping, automated login attempts, and hiding the origin of cyber activities.
Most infected apps functioned normally, making detection difficult. Users generally did not notice performance issues or battery drain. This allowed the network to remain active for long periods.
IPIDEA linked to 550 threat groups
Google Threat Intelligence Group linked the infrastructure to a company identified as IPIDEA. While the firm claimed its services supported market research and data analytics, findings suggested misuse across cybercrime networks.
During a 7-day monitoring period, more than 550 cyber threat groups were observed using IP addresses linked to the network. Analysts believe the users included organized cybercriminal groups and some state-affiliated actors, though final attribution is still under review.
Legal action and security upgrades
Google filed legal action in a United States federal court to seize domains controlling the network. The company also worked with Cloudflare to disrupt command-and-control servers.
Google also upgraded its Play Protect system to better detect malicious SDKs. The system can now automatically scan and remove suspicious software from certified Android devices.
Warning on third-party apps
Google warned that many infected apps were distributed outside the official Play Store. Third-party app stores, APK files, and uncertified devices remain high-risk.
Experts advised users to download apps only from trusted sources and avoid apps offering money for sharing unused bandwidth. Users should review installed apps, remove unused software, update devices, and enable multi-layer authentication.
Researchers say residential proxy hijacking is an emerging global threat, as it disguises malicious traffic as regular home internet usage.



