
Millions of devices disappear as Google clashes with IPIDEA


IPIDEA clash

Google’s security team recently took major action against IPIDEA, a sprawling residential proxy network that secretly used millions of consumer devices. IPIDEA had enrolled millions of Android phones, PCs, and other connected devices as proxy “exit nodes” without clear user consent.

The operation routed cybercriminal traffic through real residential internet connections, making attacks harder to trace.

Google’s Threat Intelligence Group (GTIG) led legal and technical efforts to dismantle this infrastructure in early 2026. The move significantly reduced the number of devices under IPIDEA’s control.


What IPIDEA was doing

IPIDEA operated a massive residential proxy network offering access to real ISP-assigned IP addresses. The company’s infrastructure used embedded software development kits (SDKs) to transform ordinary devices into proxy nodes.

This allowed paying customers, including threat groups, to mask their activities and evade detection. The network appeared benign on the surface, with some SDKs bundled in utilities and games. Millions of devices were recruited through deceptive or opaque app behavior.


Millions of hijacked devices

At its peak, IPIDEA’s network included millions of consumer devices being used as proxies worldwide, including Android smartphones, TV boxes, PCs, and other connected hardware. These devices were involuntarily turned into traffic relays through apps and firmware embedding IPIDEA’s proxy SDKs.

Once enrolled, they silently routed data for attackers, obscuring the origins of cyberattacks. Google’s intervention removed millions of devices from the proxy pool.


How SDKs spread the network

IPIDEA’s SDKs, including PacketSDK, EarnSDK, HexSDK, and CastarSDK, were embedded in hundreds of seemingly harmless apps. Developers sometimes used these kits to monetize free apps by turning user devices into exit nodes.

Many users never knew their devices were participating in a proxy service. Google identified over 600 Android apps containing these SDKs. The dual use of legitimate functionality and proxy capabilities made detection harder.


What residential proxies are

Residential proxies relay internet traffic through ordinary users’ IP addresses. This makes malicious traffic appear as if it’s coming from normal home networks. Such proxies are especially attractive to threat actors because they evade traditional blocking and detection.

They are used for hiding identities, scraping websites, and bypassing geo-restrictions. But in the IPIDEA case, they were exploited for cybercrime, espionage, and botnet operations.


Threat groups abused the network

Google’s research found that over 550 tracked threat groups leveraged IPIDEA’s infrastructure. These groups came from multiple regions, including China, Russia, Iran, and North Korea.

The proxies enabled activity such as credential stuffing, access to corporate environments, and password spray attacks. This scale indicated that residential proxies had become a key tool for sophisticated cyber campaigns. Google’s takedown was aimed at reducing this risk.


Legal and technical takedown efforts

Google obtained a U.S. federal court order to seize control of domains and backend systems used by IPIDEA. The company also took down multiple associated domains and infrastructure services.

Google collaborated with cybersecurity partners to disrupt the network and prevent it from re-establishing control. These legal and technical efforts were designed to degrade the network’s operational capacity. The court order enabled broader action beyond simple app removal.


Apps and files removed

As part of the crackdown, Google deployed updates to Google Play Protect to identify and remove apps linked to IPIDEA. Hundreds of applications were flagged for containing proxy SDKs.

Google Play Protect now warns users or blocks future installs of suspicious apps on certified Android devices. Additionally, thousands of Windows binaries were identified communicating with the IPIDEA infrastructure. These actions helped sever device connections to the malicious network.


Impact on users and device owners

Millions of consumer devices were exploited as part of the proxy network without explicit consent, affecting many unsuspecting users. This could expose them to privacy violations, security risks, and increased data traffic or battery drain.

Home networks and personal information might be at risk if devices were serving as proxy exit nodes. Google’s action helps prevent further unauthorized use of these devices for malicious purposes. Users are encouraged to review installed apps and permissions.


Botnet and malware connections

Before the takedown, attackers exploited IPIDEA’s infrastructure to build botnets such as Kimwolf, leveraging millions of compromised devices for distributed denial-of-service (DDoS) attacks and other criminal operations.

These botnets used hijacked endpoints to amplify attacks and evade defenses. The use of compromised residential proxies for botnet command-and-control made mitigation more difficult. Google’s disruption reduced the effectiveness of these malicious networks.


Broader cybersecurity implications

The IPIDEA incident underscores the growing threat of residential proxy and botnet networks leveraging consumer devices. Security researchers warn that such infrastructure can enable extensive cybercrime, including espionage and infrastructure attacks.

Removing this kind of malicious system requires coordinated action across industry and law enforcement. The need for stronger app vetting and device protections has never been clearer.


Google warns about proxy risks

Google continues to emphasize that residential proxy services can be abused even when marketed as legitimate tools. Users are advised to avoid installing suspicious VPNs, proxy utilities, or apps requesting excessive network permissions.

Keeping devices updated and Google Play Protect enabled helps mitigate exposure. The company also shares threat intelligence with partners to improve ecosystem defenses.


What comes next against IPIDEA?

Though millions of devices have been removed from IPIDEA’s network, some parts of the system may persist. Continued efforts by Google and cybersecurity partners aim to further reduce the network’s reach.

Ongoing vigilance is needed to avoid resurgence or similar threats. Consumers should stay aware of app sources and monitor device activity. The disruption marks a significant but not final step in combating residential proxy abuse.


This slideshow was made with AI assistance and human editing.
