Google has revealed that it dismantled what it describes as the world's largest residential proxy network. The operation evaded detection for an extended period by commandeering everyday user devices, such as mobile phones, computers, and connected household gadgets, to route traffic covertly.
The effort targeted a China-based company named IPIDEA. Using a U.S. court order, Google took down multiple online platforms and supporting infrastructure, halting the proxy system's operation.
Essentially, a proxy acts as an intermediary that passes along web requests and stores information temporarily. Consider someone who wants to conduct a distributed denial-of-service attack: rather than using their own identifiable equipment, they could channel the attack through a collection of other people's phones and computers, masking their involvement.
Google's findings indicate that the IPIDEA proxy network encompassed millions of devices in total, at least 9 million of them Android phones.
Many people joined this proxy network unwittingly by downloading free mobile apps, games, and computer programs that embedded unobtrusive code modules, or SDKs. These components escape being labeled as malware because they do not impair device functionality, yet they give outside parties unauthorized access.
Through these SDKs, IPIDEA turned compromised devices into endpoints for its proxy infrastructure. This enabled data to be transmitted covertly and its origin obscured using the victims' IP addresses, without raising alarms.
Google notes that its Play Protect security feature, integrated into the Play Store, effectively identifies and neutralizes IPIDEA's SDKs. Software from alternative marketplaces or untrusted sources poses a greater risk: more than 600 titles from various providers facilitated the proxy activity.
By neutralizing IPIDEA's infrastructure, Google prevented the ongoing exploitation of millions of devices as proxy relays. IPIDEA, however, told the Wall Street Journal that its services served only legitimate commercial needs, and it disregarded the court order to cease operations.
That said, IPIDEA acknowledged instances where malicious parties misused its system. During 2025, a flaw allowed intruders to seize control of numerous devices and incorporate them into a botnet dubbed 'Kimwolf,' which has been associated with several denial-of-service campaigns.
Android owners should avoid downloads from unfamiliar or unverified channels, and should bear in mind that even offerings from reputable platforms might harbor hidden threats. Adding a dedicated antivirus solution on Android devices is advisable.