
Google’s Threat Analysis Group identified unusual high-volume outbound traffic from millions of internet-connected devices worldwide, revealing a massive distributed relay system operated by Chinese company IPIDEA. The company embedded software development kits into apps, turning devices into proxy exit nodes. Google obtained a federal court order to shut down the network’s domains and infrastructure.
The Threat Analysis Group first detected traffic patterns across millions of private phones, computers, and smart home devices that forwarded data for third parties. These patterns deviated from standard malware signatures, pointing instead to coordinated relay operations. Google determined IPIDEA orchestrated the system, which functioned as the largest residential proxy network disrupted to date.
IPIDEA integrated its software development kits into over 600 different apps and desktop programs. These included free games, utility tools, and productivity applications that users downloaded routinely. Once installed, the kits enabled devices to serve as exit nodes, relaying internet traffic from other sources. In this setup, data requests passed through the enrolled devices, concealing the original sender’s identity.
Residential proxy networks like IPIDEA’s route high-volume data flows through the personal IP addresses of everyday devices. Legitimate proxies support privacy tools and enterprise testing, but this operation exploited unsuspecting users’ hardware without their knowledge. Google recorded the network’s peak at more than 9 million Android phones globally.
The SDKs avoided traditional malware tactics by leveraging permissions embedded in Android’s architecture. Device owners granted these permissions during app installations, allowing outbound connections without triggering typical security alerts. Researchers spotted the activity through the volume of traffic originating from residential IP addresses, which stood out against normal usage.
In 2025, external attackers identified a vulnerability in IPIDEA’s infrastructure. They seized control, repurposing millions of compromised devices into a botnet named Kimwolf. This botnet directed distributed denial-of-service attacks against various targets, amplifying the network’s risks beyond its original proxy role.
IPIDEA confirmed that criminal actors had misused its platform. Despite this acknowledgment, the company refused to follow Google’s court order demanding the dismantling of its services. The order targeted the backend systems coordinating traffic across continents.
Google executed a coordinated shutdown of the web domains and supporting infrastructure. This action severed the connections linking the proxy nodes, halting operations that had persisted for years undetected by most users.
Google Play Protect, the security scanner integrated into Google Play, now detects and blocks IPIDEA SDK libraries. This protection applies to apps downloaded from the official store. Devices with apps from third-party sources lack this safeguard, leaving them exposed to similar SDK-based proxy functions.
The incident exposed difficulties in mobile security detection. Proxy SDKs produce data flows that look much like those of analytics trackers and ad networks, all of which involve an app talking to third-party servers. Distinguishing unauthorized proxying from standard operations requires analyzing subtle traffic anomalies rather than spotting overtly malicious code.
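The detection problem described above, namely that a proxy SDK emits no malware signature and only stands out by its traffic shape, can be illustrated with a small triage heuristic over per-device flow records. The following is an added example, not code from Google, its Threat Analysis Group, or IPIDEA; the flow records, the two signals (fan-out to many distinct destinations and near-symmetric outbound/inbound byte volume, which a relay shows and a download-heavy phone usually does not), and the thresholds are all assumptions chosen for illustration and would need tuning against real baselines.

```python
"""Heuristic relay-node triage over constructed flow records.

Added example (not Google's or IPIDEA's code). Scores each source device by
two signals a proxy exit node exhibits and an ordinary phone usually does not:
  * fan-out:  connections to many distinct destinations, and
  * symmetry: outbound bytes comparable to inbound bytes (a phone mostly
    downloads; a relay forwards requests and returns the responses).
Thresholds and sample records are assumptions chosen for illustration.
"""
from collections import defaultdict
from statistics import median


# Constructed flow records (not real data): (src_device_ip, dst_ip, bytes_out, bytes_in)
def _normal_device(ip):
    return [
        (ip, "203.0.113.10", 2_000, 500_000),   # CDN download, inbound-heavy
        (ip, "203.0.113.20", 3_000, 1_000),     # analytics beacon, tiny
        (ip, "203.0.113.30", 1_500, 40_000),    # ad network
    ]


def _relay_device(ip, fan_out=25):
    # Relay-like traffic: many unrelated destinations, request/response sizes balanced
    return [(ip, f"198.51.100.{n}", 50_000, 60_000) for n in range(1, fan_out + 1)]


SAMPLE_FLOWS = (
    _normal_device("10.0.0.1") + _normal_device("10.0.0.2")
    + _normal_device("10.0.0.3") + _relay_device("10.0.0.4")
)


def aggregate(flows):
    """Per-device totals: outbound bytes, inbound bytes, distinct destination count,
    and the share of all bytes that went outbound."""
    stats = defaultdict(lambda: {"bytes_out": 0, "bytes_in": 0, "dsts": set()})
    for src, dst, out_b, in_b in flows:
        s = stats[src]
        s["bytes_out"] += out_b
        s["bytes_in"] += in_b
        s["dsts"].add(dst)
    return {
        src: {
            "bytes_out": s["bytes_out"],
            "bytes_in": s["bytes_in"],
            "distinct_dsts": len(s["dsts"]),
            "out_ratio": s["bytes_out"] / max(1, s["bytes_out"] + s["bytes_in"]),
        }
        for src, s in stats.items()
    }


def flag_relay_candidates(flows, dest_factor=5.0, min_out_ratio=0.4):
    """Return device IPs whose fan-out exceeds dest_factor times the fleet median
    AND whose outbound share of bytes is at least min_out_ratio."""
    stats = aggregate(flows)
    baseline_dsts = median(s["distinct_dsts"] for s in stats.values())
    flagged = [
        src for src, s in stats.items()
        if s["distinct_dsts"] >= dest_factor * baseline_dsts
        and s["out_ratio"] >= min_out_ratio
    ]
    return sorted(flagged)


if __name__ == "__main__":
    for ip, s in sorted(aggregate(SAMPLE_FLOWS).items()):
        print(ip, s)
    print("relay candidates:", flag_relay_candidates(SAMPLE_FLOWS))
```

Both signals are required on purpose: an ad-heavy app also fans out to several domains, and a video upload is outbound-heavy, but few legitimate phone workloads do both at once. The fleet median as the baseline is what keeps the check relative to the population rather than to a fixed byte count, which is the same reason residential relay traffic stood out against normal usage in the incident.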
Users face risks from downloading free or cracked applications from unverified sources. Such apps often contain hidden SDKs that enroll devices in proxy networks. Android’s defenses are tuned to classic malware profiles, which lets SDK-based abuse slip past scans.