
Google Takes Down an Invisible Network That Was Secretly Using Your Phone’s Internet
Google has announced a major crackdown on IPIDEA, a large-scale residential proxy network that quietly hijacked millions of everyday devices and used their internet connections to power cybercrime operations around the world.
According to Google’s Threat Intelligence Group (GTIG), IPIDEA turned smartphones, PCs, and other connected devices into part of a proxy network that criminals could rent, allowing malicious traffic to appear as if it were coming from normal home internet connections rather than data centers.
How IPIDEA Worked
Residential proxy networks are especially dangerous because they hide attacks behind real consumer IP addresses, which makes the malicious traffic far harder to detect and block. IPIDEA achieved this by embedding its infrastructure into hundreds of apps and software development kits (SDKs) used for monetization.
These SDKs included names such as PacketSDK, EarnSDK, HexSDK, and CastarSDK. Once installed, they could quietly recruit a device into IPIDEA’s proxy pool without clearly informing the user. As a result, affected devices became exit nodes that routed traffic for third parties, often without the owner’s knowledge.

Powering Global Cybercrime
Google revealed that the IPIDEA network was used by more than 550 tracked threat groups in a single week. These groups included advanced persistent threat actors and organized cybercriminals linked to multiple countries.
The compromised proxy network supported a wide range of malicious activities, including:
- Credential stuffing attacks
- Espionage operations
- Distributed denial-of-service (DDoS) attacks
- Concealing command-and-control servers
Because the traffic appeared to originate from legitimate residential connections, it was significantly more difficult for security systems to block.
Google’s Takedown Operation
This week, Google carried out a coordinated response using both legal and technical measures. The company shut down dozens of domains associated with IPIDEA that were used to operate and promote the proxy service and its SDKs.
Google also updated Google Play Protect to detect and remove affected Android apps. At the same time, intelligence was shared with industry partners such as Cloudflare and Lumen’s Black Lotus Labs to help disrupt IPIDEA’s backend infrastructure.
Millions of Devices Freed
As a result of these actions, Google says the number of hijacked devices available for abuse has dropped by millions. Around nine million Android devices were disconnected from the network, and hundreds of compromised apps were removed.
While Google acknowledged that not every component of IPIDEA has been eliminated, the disruption significantly limits the operators’ ability to scale or expand future abuse.
Google emphasized that this takedown highlights the growing risks posed by hidden proxy networks and the importance of continuous monitoring, app security enforcement, and collaboration across the cybersecurity industry.
Origin: Androidcentral





