- Google disrupts IPIDEA, a huge residential proxy network exploiting millions of devices
- More than 550 threat groups used IPIDEA for espionage, credential theft, and botnet operations.
- Legal action, domain seizures and Play Protect updates reduced the proxy device pool by millions
Google says it has disrupted one of the largest residential proxy networks in operation today, cutting off hundreds of cybercriminal groups and potentially thousands of hacking operations.
In a post on its blog, Google's Threat Intelligence Group (GTIG) said it had disrupted IPIDEA, a widely used residential proxy service that routed customer traffic through millions of Android, Windows and other devices.
GTIG says IPIDEA relied on software development kits (SDKs) that were advertised to developers as a way to monetize their applications. Applications that bundled these SDKs, however, silently enrolled the devices they ran on into the proxy network, without the users' knowledge or consent. Residential proxy networks of this kind typically comprise routers, modems, DVRs, smart home devices and assorted sensors. In some cases, cheap Android TVs and set-top boxes shipped with the malware pre-installed, suggesting a supply chain compromise upstream of the consumer.
Disrupting hundreds of threat actors
To disrupt IPIDEA, Google took legal action to seize domains used for command and control and marketing, shared technical intelligence with industry partners and law enforcement, and updated Google Play Protect to automatically remove apps containing IPIDEA SDKs.
Google says these actions reduced the pool of available proxy devices by millions and degraded the network’s ability to operate, although it warns that the residential proxy market remains a rapidly growing “gray market” that continues to enable large-scale cybercrime.
“We believe our actions have caused significant degradation of IPIDEA’s proxy network and business operations, reducing the pool of devices available to proxy operators by millions,” Google said.
“Because proxy operators share groups of devices through reseller agreements, we believe these actions may have a downstream impact on affiliated entities.”
Google linked IPIDEA to several well-known proxy and VPN brands, showing that they all share the same backend infrastructure. The names it listed include ABC Proxy, Galleon VPN, PIA S5 Proxy, Radish VPN and Tab Proxy.
The researchers also said that in a single week more than 550 known, tracked threat actor groups used IPIDEA, including groups tied to China, Russia, Iran and North Korea. The proxy network was allegedly used for espionage, credential attacks, botnet command and control, and access to compromised enterprise and cloud environments.
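One practical consequence for defenders: traffic exiting a residential proxy pool comes from ordinary home ISP addresses, so datacenter or ASN reputation lists do little against credential attacks routed through a network like IPIDEA. What does stand out is the rotation itself, one account hit from many unrelated source addresses within minutes. The following is an added example, not code from the TechRadar article or from Google's report, of that per-account heuristic run over a constructed authentication log. The log format, the addresses (documentation ranges) and the thresholds (five distinct IPs in five minutes) are assumptions for the demo.

```python
"""Added example: flag accounts whose login attempts arrive from many
unrelated source IPs in a short window, the signature of a credential
attack routed through a rotating residential proxy pool.
Log format, addresses and thresholds are constructed/assumed for the demo."""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress

# Constructed sample log (not real traffic). Format: "timestamp user ip result"
SAMPLE_LOG = """\
2024-05-01T10:00:01Z alice 203.0.113.10 FAIL
2024-05-01T10:00:07Z alice 198.51.100.23 FAIL
2024-05-01T10:00:12Z alice 192.0.2.77 FAIL
2024-05-01T10:00:19Z alice 203.0.113.200 FAIL
2024-05-01T10:00:25Z alice 198.51.100.9 FAIL
2024-05-01T10:00:31Z alice 192.0.2.150 SUCCESS
2024-05-01T10:01:00Z bob 203.0.113.10 SUCCESS
2024-05-01T10:02:00Z bob 203.0.113.10 FAIL
2024-05-01T10:02:30Z bob 203.0.113.10 SUCCESS
"""


def parse_line(line):
    """Split one log line into (timestamp, user, ip, result)."""
    ts, user, ip, result = line.split()
    return (
        datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        user,
        ipaddress.ip_address(ip),
        result,
    )


def flag_rotating_sources(log_text, window=timedelta(minutes=5), min_distinct_ips=5):
    """Return {user: details} for accounts that saw >= min_distinct_ips distinct
    source addresses inside any sliding window of the given length.
    Thresholds are assumed values; tune them per user population."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ts, user, ip, result = parse_line(line)
            events[user].append((ts, ip, result))

    flagged = {}
    for user, evs in events.items():
        evs.sort()  # chronological order for the sliding window
        start = 0
        for end in range(len(evs)):
            # Shrink the window from the left until it fits inside `window`
            while evs[end][0] - evs[start][0] > window:
                start += 1
            span = evs[start:end + 1]
            ips = {ip for _, ip, _ in span}
            if len(ips) >= min_distinct_ips:
                flagged[user] = {
                    "distinct_ips": len(ips),
                    "failures": sum(1 for _, _, r in span if r == "FAIL"),
                    "window_start": span[0][0],
                    "window_end": span[-1][0],
                }
                break  # first qualifying window is enough to raise an alert
    return flagged


if __name__ == "__main__":
    for user, info in flag_rotating_sources(SAMPLE_LOG).items():
        print(f"ALERT {user}: {info['distinct_ips']} source IPs, "
              f"{info['failures']} failures between "
              f"{info['window_start']:%H:%M:%S} and {info['window_end']:%H:%M:%S}")
```

On the sample above only `alice` is flagged (five distinct addresses, five failures in under a minute); `bob`, who retries from a single address, is not. In production the same logic would key on a normalized username and should be paired with the usual controls (rate limiting, MFA, breached-password checks), since a rotating pool can also be throttled to stay under any fixed threshold.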