9 million Android phones were secretly hijacked by proxy network
In summary:
- PCWorld reports that Google disrupted IPIDEA’s massive proxy network, which secretly hijacked 9 million Android phones through hidden SDKs in free apps.
- The Chinese company exploited these devices as gateways for data distribution and concealing criminal activities, including DDoS attacks via the Kimwolf botnet.
- Google obtained a federal court order to shut down IPIDEA’s operations, protecting millions of users from further device misuse and security breaches.
Google recently announced in a statement that it has disrupted the “world’s largest residential proxy network.” The network was able to remain undetected for a long time, hijacking innocent users’ private devices (including smartphones, PCs, and smart home devices) and using them as gateways for distributing data.
The company explains that a Chinese company called IPIDEA was behind it and, with the help of a US federal court order, Google was able to shut down several websites and backend systems, thereby preventing the network from continuing to operate.
In short, a proxy server is like a relay that forwards requests and caches data. For example, suppose an attacker wants to launch a DDoS attack. Instead of attacking with their own traceable devices, the attacker could relay the attacks through a proxy network comprised of smartphones and devices owned by others, thus concealing their own identity.
According to Google, millions of devices belonged to IPIDEA’s proxy network, including at least 9 million Android smartphones.
How users end up in the proxy network
Most users ended up in IPIDEA’s network by installing free apps, games, and desktop software that contained hidden code snippets (known as SDKs) that aren’t recognized as malicious because they don’t restrict the use of the device. They do, however, allow access by third parties.
IPIDEA could therefore use these SDKs to turn an affected device into an exit node for its proxy network. Data could then be forwarded and concealed unnoticed through the users’ IP addresses.
According to Google, Google Play Protect (the Play Store’s internal threat scanner) can reliably detect and block IPIDEA SDKs. However, apps from third-party stores or other unsecured sources aren’t so safe. We’re talking about “over 600 applications across multiple download sources … that enabled IPIDEA proxy behavior.”
Is there still a risk?
Google emphasizes that shutting down IPIDEA’s network would prevent millions of devices from continuing to be misused as proxies. IPIDEA, on the other hand, told the Wall Street Journal that its services were intended solely for “legitimate business purposes.” The company did not respond to the court order to shut down its network.
However, IPIDEA admits that other criminal actors have been able to abuse the network. In 2025, attackers managed to exploit a vulnerability in the network and hijack millions of devices. These were added to a botnet called “Kimwolf,” which was linked to various DDoS attacks.
For Android users, it’s particularly important that you never install applications from unknown, unsecured sources. Even apps from seemingly legitimate stores can introduce Trojans. For additional protection, you might want to install an antivirus app on your Android device.
This article originally appeared on our sister publication PC-WELT and was translated and localized from German.
Author: Laura Pippig, Staff Writer, PC-WELT
