The underlying ecosystem of legitimate proxy and VPN providers might appear to be fragmented at the surface, but as far as Google is concerned, there is something much more coordinated and deceptive below the surface. In a recent investigation conducted by Google's Threat Intelligence Group, an extensive operation centered on an elaborate network known as IPIDEA was uncovered.
IPIDEA, the network, allegedly exercised covert control over several proxy and VPN brands that presented themselves as independent, trustworthy entities.
It is now clear that these brands are managed by the very same malicious operators, who employ misleading practices to steal residential IP addresses from unwitting users and combine them with an immense proxy infrastructure, which is the result of the research.
As part of the IPIDEA ecosystem of proxy and virtual private network services, Google has taken coordinated action to dismantle what it believes to be one of the largest residential proxy networks in the world, as it moves against it.
Through this effort, which is being conducted in collaboration with external partners, it is being hoped that infrastructure will be ripped apart that has historically enabled cybercrime, espionage, and large-scale fraud by making use of the false identities of ordinary internet users to disguise malicious activity behind their internet connections.
Using IPIDEA's software development kits, Google's Threat Intelligence Group was able to enroll compromised devices in botnets as well as use its proxy services to manage and exploit those compromised devices at large scale. It was Google's legal measures that disrupted these activities, resulting in the takedown of dozens of domain names that were used to route proxy traffic and control infected systems in an effort to prevent further attacks.
Although IPIDEA used to advertise themselves as a leading global proxy provider with millions of daily updated residential IP addresses, its primary website is no longer accessible, despite previously advertising itself as a leading global proxy provider.
According to Google, the network's infrastructure had been utilized by more than 550 distinct threat groups globally up until this month, spanning cybercriminal enterprises and state-aligned actors from countries such as China, Russia, Iran, and North Korea, according to Google.
Researchers reported that a variety of activities were observed, including intrusions into SaaS environments as well as on-premises networks, password-spray campaigns, and broader espionage operations.
A residential proxy service has become a central enabler of modern threats by giving attackers the ability to blend in with legitimate internet traffic at home and evade detection as a means of escaping detection, a statement underscored by the report.
It is not known whether Google's Threat Intelligence Group has officially attributed IPIDEA's operation to a particular individual, but the artifacts that were gathered during the investigation may give some insight into the operation.
As a result of the research, digital certificates analyzed by researchers were linked to Hong Kong-based business entities, which indicated that the network was backed up by an organizational structure.
As Google claims, the operators exercised centralized control over at least 13 different proxy and virtual private network brands, including IPIDEA, 360 Proxy, ABC Proxy, Luna Proxy, and PIA S5 Proxy, which appeared to be independent services.
A significant part of the network's expansion was fueled by the covert distribution of software development kits that were embedded in seemingly legitimate applications. This was a strategy that led users to turn their devices into residential exit nodes that could route third party traffic for a considerable period of time.
Over 600 Android applications and over 3,000 Windows programs were found in Google's search results that contained the code for IPIDEA, many of which were marketed as utilities, games, or VPN tools.
Even though the SDKs were marketed to developers as benign mechanisms for monetizing their applications, they often offered payouts based on the number of installs and wide compatibility between platforms, but researchers found that the underlying functionality enabled large amounts of consumer devices to be repurposed as proxy infrastructures, raising concerns about how unsuspecting users were lured into such an operation without the awareness or consent of the users themselves.
There are many technical and commercial mechanisms underlying IPIDEA that have been examined by Google in greater detail, revealing a highly organized and adaptive proxy ecosystem rather than a single service, as portrayed by the company in its investigation. As the company pointed out, IPIDEA controlled multiple monetization software development kits, including Castar, Earn, Hex, and Packet, all of which shared similar code patterns and command-and-control infrastructures.
It was known that these SDKs used a two-tier system, through which infected devices connected first to tier-one domains and obtained instructions and connection details from a rotating pool of around 7,400 tier-two servers, a number that fluctuated daily and was determined by operational conditions.
In addition to proxy services, the same infrastructure could also be embedded in VPN applications, like Galleon VPN, Radish VPN, and the now-defunct Aman VPN, that provided the users with functionality they expected. Additionally, devices were also enrolled as exit nodes in the proxy network at the same time.
During its investigation, Google discovered that there were more than 3,500 Windows executables and over 600 Android applications communicating with IPIDEA-controlled domains, most of them masquerading as legitimate system utilities, games, or content apps.
Consequently, Google and its partners began seeking legal action to dismantle the network's command-and-control and marketing domains, updated Google Play Protect so users would receive warnings and that affected applications would be automatically removed from certified devices.
In addition, he pointed out that such proxy services can pose a wider range of risks, since they can not only route third party traffic but also deliver malicious traffic to enrolled devices.
According to the company, IPIDEA represents only one element of a larger ecosystem involving residential proxy abuse, encompassing not only IPIDEA but other tools such as ByteConnect and services from AISURU and Kimwolf as well.
As a result, SDKs geared towards monetization are becoming increasingly popular as a means of exploitation of large-scale consumer devices.
In the case of IPIDEA, researchers believe that there is an underlying threat to residential proxy services, which blurs the line between legitimate infrastructure and covert abuse, illustrating a broader and growing risk.
According to Google’s research, such networks thrive when user trust is exploited, inserted into everyday applications, and consumer VPN tools, while quietly transforming personal devices into operational assets for cybercriminals as well as state-aligned actors.
Argus warns that an increasingly sophisticated technology infrastructure allows malicious traffic to blend seamlessly into normal household internet activity and that a greater level of scrutiny is needed for third-party SDKs and better safeguards around app monetization practices. This is the state of affairs with the increasing sophistication and scale of these operations.
IPIDEA has been disrupted and protections are tightened through Google Play Protect as a result of disrupting IPIDEA's infrastructure. In addition to neutralizing a single network, the company said it wanted to raise awareness that seemingly benign digital services can be weaponized and that developers, platform providers, and users must remain vigilant against hidden proxy abuse in order to prevent it from occurring.
