Thursday, January 29, 2026


DIGITAL LIFE


Google dismantles network in China that used 9 million Androids for cybercrimes

If you've noticed your smartphone is slow or consuming more data than usual, it might not be your fault. Google has just announced one of the largest cleanup operations in Android history, dismantling a massive network that silently used about nine million devices worldwide as "gateways" to the internet, without their owners suspecting anything.

The operation targeted the China-based company Ipidea, which is accused of operating the world's largest "residential proxy network." In practice, Ipidea transformed millions of cell phones, computers, and smart devices belonging to ordinary people into an infrastructure rented to criminals.

The scheme was simple and insidious. Ipidea convinced developers of free applications (games, utilities, etc.) to include a secret software development kit (SDK) in their applications, paying them for each installation.

When a user installed one of these “free” apps, the SDK turned the device into a proxy. This allowed hackers and cybercriminals to route their internet traffic through the victim's phone.

The result: to the outside world, the criminal activity (such as fraud or computer attacks) appeared to be carried out by the innocent phone owner, concealing the attackers' true identity.

This network was the basis for the creation of the Kimwolf botnet, which last year hijacked millions of devices to launch devastating DDoS attacks, considered the most powerful ever observed.

IPIDEA, one of the world's largest residential proxy networks.

John Hultquist, chief analyst at Google Threat Intelligence Group (GTIG), highlighted the danger of these networks.

According to him, residential proxies are common tools, used for everything from sophisticated espionage to large-scale criminal schemes.

“By routing traffic through a person's home connection, attackers can hide in plain sight while invading corporate environments. By taking down IPIDEA's infrastructure, we were able to dismantle a global marketplace that sold access to millions of hijacked consumer devices.”

Google also revealed that, until recently, IPIDEA's infrastructure was used by more than 550 threat groups with varied motivations, such as cybercrime, espionage, advanced persistent threat (APT) operations, and disinformation campaigns, originating from countries such as China, North Korea, Iran, and Russia.

These activities included access to SaaS environments and local infrastructure, as well as password spray attacks.
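A password spray routed through a residential proxy network arrives from a different home IP on nearly every attempt, so a per-IP failure counter never fires. The following is an added illustration, not code from the article or from Google: it runs a classic per-IP rule and a tenant-wide spray rule over a constructed authentication log (timestamps, user names and addresses are all made up; the functions, thresholds and log format are assumptions of this example).

```python
# Added example (not from the original article): why per-source-IP rate
# limiting misses a password spray sent through a residential proxy
# network, and a tenant-wide rule that still catches it.
from collections import defaultdict

# Constructed sample auth log, one event per line: "timestamp user src_ip result"
# (addresses are from documentation ranges, chosen to look like scattered home IPs)
SAMPLE_LOG = """\
2026-01-20T09:00:01 alice 203.0.113.10 FAIL
2026-01-20T09:00:02 bob 198.51.100.22 FAIL
2026-01-20T09:00:03 carol 192.0.2.77 FAIL
2026-01-20T09:00:04 dave 203.0.113.41 FAIL
2026-01-20T09:00:05 erin 198.51.100.9 FAIL
2026-01-20T09:00:06 frank 192.0.2.150 FAIL
2026-01-20T09:00:07 alice 203.0.113.10 OK
2026-01-20T09:00:08 grace 198.51.100.3 FAIL
"""

def parse(log):
    """Split the constructed log into (timestamp, user, src_ip, result) tuples."""
    return [tuple(line.split()) for line in log.splitlines() if line.strip()]

def per_ip_alerts(events, threshold=5):
    """Classic brute-force rule: alert on any single source IP with
    at least `threshold` failed logins. Returns the offending IPs."""
    fails = defaultdict(int)
    for _, _, ip, result in events:
        if result == "FAIL":
            fails[ip] += 1
    return sorted(ip for ip, n in fails.items() if n >= threshold)

def spray_alert(events, min_users=5, max_fails_per_user=2):
    """Spray rule: many distinct users each failing only a few times.
    Source IP is deliberately ignored for the decision, because a
    residential proxy gives the attacker a fresh home IP per attempt;
    the count of distinct IPs is reported only as supporting evidence."""
    fails_by_user = defaultdict(int)
    failing_ips = set()
    for _, user, ip, result in events:
        if result == "FAIL":
            fails_by_user[user] += 1
            failing_ips.add(ip)
    sprayed = sorted(u for u, n in fails_by_user.items() if n <= max_fails_per_user)
    if len(sprayed) >= min_users:
        return {"users": sprayed, "distinct_ips": len(failing_ips)}
    return None

if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    print("per-IP rule fires on:", per_ip_alerts(evs))   # prints []
    print("spray rule:", spray_alert(evs))
```

On the sample, the per-IP rule sees at most one failure per address and stays silent, while the spray rule reports seven users failing once each from seven different addresses.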

A recent study by Synthient showed that malicious actors behind the AISURU/Kimwolf botnet exploited vulnerabilities in residential proxy services, such as IPIDEA, to send commands to vulnerable IoT devices behind firewalls, spreading malware.

This malware, capable of transforming consumer devices into proxy endpoints, is secretly installed in applications and games already pre-installed on Android TV streaming boxes from little-known brands.

Once infected, these devices relay malicious traffic and take part in distributed denial-of-service (DDoS) attacks.

In addition, IPIDEA launched independent apps, aimed directly at users interested in making "easy money," offering payment for installing the applications and allowing the use of their "idle bandwidth."

Residential proxy networks allow traffic routing through IP addresses provided by internet service providers (ISPs), but they are also ideal for criminals to disguise the origin of malicious actions.

The Google Play Protect cleanup.

With a US federal court order in hand, Google took down dozens of back-end systems and websites that controlled the network. In addition, the Google Play Protect security system was updated to automatically identify and remove any app containing Ipidea's malicious code, blocking new installations.

Despite Ipidea claiming that its services were for “legitimate business” use, Google considered the risks unacceptable. This case serves as a stark reminder that "free" on the internet often comes at a hidden cost. The recommendation remains: avoid installing apps from unknown sources and regularly review the permissions and apps you have on your phone.

On January 28, 2026, Google announced it had dismantled a massive, China-based residential proxy network operated by IPIDEA. The operation, supported by a U.S. federal court order, crippled a network that had hijacked approximately 9 million Android devices, along with computers, to facilitate global cybercrime and espionage.

Key details of the operation:

The culprit: IPIDEA operated at least 13 residential proxy brands, using software development kits (SDKs) embedded in legitimate-looking apps to turn consumer devices into "exit nodes".

The scale: The botnet comprised over 9 million infected Android devices and other internet-connected, non-Play-certified devices.

The impact: Google Threat Intelligence Group (GTIG) observed over 550 threat groups using IPIDEA's network in a single week in January 2026 to hide their identities while performing hacking, password spraying, and other malicious activities.

The action: Google seized dozens of domains, disabled the technical backend, and removed hundreds of associated applications, degrading the network by millions of devices.

How the network operated:

IPIDEA’s network acted as a "residential proxy" service, meaning criminals could route their traffic through regular consumers' home Android phones and devices.

Invisible infection: Users likely installed apps that seemed harmless but contained malicious code that turned their device into a proxy relay.

Cybercriminal anonymity: This enabled hackers to make their illegal traffic appear as if it was originating from legitimate residential homes, making it difficult for law enforcement to track them.

Global reach: The compromised devices were used for various malicious actions, including data theft and large-scale, automated attacks.

Broader context: 2025–2026 Android Threats

This action follows a trend of massive, China-linked botnets.

BADBOX 2.0 (July 2025): Google filed lawsuits against 25 Chinese entities for the "BADBOX" botnet, which infected over 10 million Android devices (smart TVs, projectors, tablets) with pre-installed malware.

Lighthouse (Nov 2025): Google sued another group, "Lighthouse," for a phishing-as-a-service platform that targeted over one million victims.

mundophone
