Google pulls millions of devices from IPIDEA residential proxy network
Google has delivered a significant blow to the residential proxy network IPIDEA. It is used by criminals, among others.
Residential proxies route their customers' traffic through devices that sit on ordinary consumer internet connections, so requests appear to come from a household IP address rather than from a data center. Cybercriminals often send their traffic through such proxies to disguise its origin. Now, Google's Threat Intelligence Team has delivered a significant blow to IPIDEA, previously the largest residential proxy network.
On the one hand, Google and its partners have taken offline domains that were used to control enrolled devices and to relay proxy traffic. On the other hand, the researchers have shared technical details of the software development kits (SDKs), and of the proxy software built with them for the IPIDEA network, with platform providers, law enforcement, and research institutions, so that all potentially affected parties are aware of them.
The SDKs are offered to developers for several mobile and desktop platforms and are used to enroll users' devices in the IPIDEA network without their knowledge. The joint action against these SDKs helps to curb the network's further growth. On certified Android devices, Google has also tightened its protections: Google Play Protect now warns users about apps containing the IPIDEA SDK, removes them, and blocks their future installation.
Coveted Residential Proxy Addresses
IP addresses from the USA, Canada, and European countries are particularly sought after, Google explains in its analysis. The proxy software is either pre-installed on devices or arrives on smartphones inside trojanized versions of legitimate apps. Some users even install such software willingly, lured by the promise of earning money from their spare bandwidth. Once devices are registered in the residential proxy network, the operators sell access to them to their customers.
Operators of such proxy networks like to present privacy and freedom of expression as the benefits of residential proxies. Google's investigation, however, shows that these networks are overwhelmingly used by malicious actors. IPIDEA has gained notoriety for hosting multiple botnets, and its SDK plays a key role in recruiting devices into them; the Badbox 2.0, Aisuru, and Kimwolf botnets are among those affected.
Google has also observed threat actors using IPIDEA for espionage and other criminal activity. In a single seven-day period in January, Google tracked more than 550 threat groups attempting to conceal their activities behind IPIDEA exit nodes, including groups from China, Iran, North Korea, and Russia. They used the exit nodes to gain unauthorized access to victims' Software-as-a-Service (SaaS) environments and on-premises infrastructure and to run password spraying attacks.
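The operational problem for defenders is that a spray run through a rotating residential pool presents a fresh, ordinary-looking household IP for nearly every attempt, so the usual "N failures from one source" rule never fires. The following is an added example, not from the article or from Google's analysis, that contrasts that per-IP rule with a breadth-over-depth rule on constructed authentication log lines (the log format, account names, and the RFC 5737 documentation addresses are all made up for the demonstration):

```python
"""Spot password spraying that hides behind rotating residential proxy exits.
Added example, not from the article or from Google; the log below is
constructed and the IP addresses are RFC 5737 documentation ranges."""
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample: twelve accounts, one failed login each, every attempt
# from a different residential-looking address, all within ten minutes.
# Carol is legitimate noise: two typos, then success, from her own address.
SAMPLE_LOG = """\
2026-01-12T09:00:03 alice   203.0.113.10 FAIL
2026-01-12T09:00:41 bob     198.51.100.7 FAIL
2026-01-12T09:01:15 carol   192.0.2.50 FAIL
2026-01-12T09:01:22 dave    203.0.113.88 FAIL
2026-01-12T09:01:49 carol   192.0.2.50 FAIL
2026-01-12T09:02:05 erin    198.51.100.201 FAIL
2026-01-12T09:02:33 carol   192.0.2.50 SUCCESS
2026-01-12T09:02:58 frank   203.0.113.14 FAIL
2026-01-12T09:03:30 grace   198.51.100.93 FAIL
2026-01-12T09:04:02 heidi   203.0.113.222 FAIL
2026-01-12T09:04:47 ivan    198.51.100.45 FAIL
2026-01-12T09:05:19 judy    203.0.113.131 FAIL
2026-01-12T09:06:01 mallory 198.51.100.160 FAIL
2026-01-12T09:07:12 oscar   203.0.113.67 FAIL
2026-01-12T09:08:40 peggy   198.51.100.12 FAIL
"""


def parse(log):
    """Turn the constructed 'timestamp user ip result' lines into tuples."""
    events = []
    for line in log.strip().splitlines():
        ts, user, ip, result = line.split()
        events.append((datetime.fromisoformat(ts), user, ip, result))
    return events


def per_ip_alerts(events, threshold=5):
    """Classic rule: N failures from one source IP. A spray that takes a
    fresh residential exit for every attempt never reaches the threshold."""
    fails = Counter(ip for _, _, ip, r in events if r == "FAIL")
    return sorted(ip for ip, n in fails.items() if n >= threshold)


def window_start(ts, minutes=10):
    """Floor a timestamp to the start of its fixed-size window."""
    return ts.replace(minute=ts.minute - ts.minute % minutes, second=0, microsecond=0)


def summarize_windows(events, minutes=10):
    """Per window: total failures, distinct accounts, distinct source IPs."""
    buckets = defaultdict(list)
    for ts, user, ip, r in events:
        if r == "FAIL":
            buckets[window_start(ts, minutes)].append((user, ip))
    summary = {}
    for start, fails in sorted(buckets.items()):
        summary[start] = {
            "failed": len(fails),
            "users": len({u for u, _ in fails}),
            "ips": len({ip for _, ip in fails}),
        }
    return summary


def spray_alerts(events, min_accounts=8, min_ip_ratio=0.8, minutes=10):
    """Flag windows where many distinct accounts fail and almost every
    failure arrives from a different address: the breadth-over-depth shape
    of spraying through a rotating proxy pool."""
    alerts = []
    for start, s in summarize_windows(events, minutes).items():
        if s["users"] >= min_accounts and s["ips"] / s["failed"] >= min_ip_ratio:
            alerts.append((start, s))
    return alerts


if __name__ == "__main__":
    ev = parse(SAMPLE_LOG)
    print("per-IP alerts:", per_ip_alerts(ev))
    for start, s in spray_alerts(ev):
        print(f"spray suspected from {start:%H:%M}: {s['users']} accounts, "
              f"{s['ips']} IPs, {s['failed']} failures")
```

On the sample, the per-IP rule stays silent (no address fails more than twice), while the window rule flags the 09:00 window with 13 accounts failing from 13 different addresses. The thresholds are starting points to tune against a tenant's normal failure rate; correlating the flagged addresses with a residential proxy feed adds confidence.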
In their investigation, Google's security researchers found 3,075 Windows executables and more than 600 Android apps containing references to the Tier 1 domains of the command-and-control infrastructure. A large proportion of the mobile apps worked normally as tools, games, or content viewers, but they embedded the IPIDEA SDKs and activated the proxy behavior to monetize their users. The analysis also includes indicators of compromise (IOCs) that interested parties can use to check their systems for potential infections.
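One way to put such domain IOCs to use is to sweep an app repository or a software share for binaries that reference them, in the same spirit as the string search described above. The following is an added example, not Google's tooling; the two domains in it are hypothetical placeholders (on reserved TLDs that never resolve) standing in for the real indicators from Google's analysis, and the sample APK and executable are constructed in the code so that it runs offline:

```python
"""Check Windows executables and Android APKs for string references to
known proxy-network control domains. Added example, not Google's tooling;
IOC_DOMAINS holds hypothetical placeholders to be replaced by the published
indicators."""
import io
import re
import zipfile
from pathlib import Path

# Hypothetical placeholder IOCs (reserved .example/.invalid TLDs).
IOC_DOMAINS = ["tier1-control.example", "sdk-update.invalid"]


def build_patterns(domains):
    """Compile one ASCII and one UTF-16LE pattern per domain.

    DEX and native Android code store strings in ASCII/MUTF-8, whereas
    Windows binaries often keep URLs as UTF-16LE wide strings, so searching
    for the ASCII form alone would miss many PE samples."""
    patterns = []
    for d in domains:
        for enc in ("ascii", "utf-16-le"):
            patterns.append((d, re.compile(re.escape(d.encode(enc)), re.IGNORECASE)))
    return patterns


def scan_bytes(data, patterns):
    """Return the sorted list of IOC domains referenced in a byte string."""
    return sorted({d for d, pat in patterns if pat.search(data)})


def scan_blob(data, patterns):
    """Scan one file image. APKs are zip archives, so each member
    (classes*.dex, lib/, assets/) is checked; anything else is scanned flat."""
    if data[:4] == b"PK\x03\x04":
        hits = set()
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.file_size > 64 * 1024 * 1024:  # skip oversized members
                    continue
                hits.update(scan_bytes(zf.read(info), patterns))
        return sorted(hits)
    return scan_bytes(data, patterns)


def scan_path(path, patterns):
    """Convenience wrapper for scanning a file on disk."""
    return scan_blob(Path(path).read_bytes(), patterns)


# --- constructed samples so the example runs without real malware ---
def sample_apk():
    """A minimal zip standing in for an APK whose classes.dex holds an IOC."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", b"\x03\x00\x08\x00 placeholder")
        zf.writestr("classes.dex", b"dex\n035\x00...https://tier1-control.example/api/v1...")
    return buf.getvalue()


def sample_exe():
    """Bytes standing in for a PE file holding an IOC as a wide string."""
    return (b"MZ" + b"\x00" * 62
            + "https://SDK-Update.invalid/heartbeat".encode("utf-16-le")
            + b"\x00" * 16)


def sample_clean():
    """A benign look-alike: an update URL that is not on the IOC list."""
    return b"MZ" + b"\x00" * 62 + "https://updates.example.org/".encode("utf-16-le")


if __name__ == "__main__":
    import sys
    pats = build_patterns(IOC_DOMAINS)
    targets = sys.argv[1:]
    if not targets:  # no files given: demonstrate on the constructed samples
        for name, blob in (("sample.apk", sample_apk()), ("sample.exe", sample_exe()),
                           ("clean.exe", sample_clean())):
            print(name, "->", scan_blob(blob, pats) or "no IOC references")
    for p in targets:
        print(p, "->", scan_path(p, pats) or "no IOC references")
```

Plain string matching finds only cleartext references; an SDK that encrypts or assembles its control domains at runtime will not show up, so a negative result is not a clean bill of health. For those cases, DNS and egress logs checked against the same IOC list are the better signal.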
Residential proxies have troubled defenders for some time: in 2024, for example, the identity provider Okta warned of a surge in credential stuffing attacks that likewise originated from residential proxies.
(dmk)