Google Busts Massive Network Targeting Over 90 Million Android Devices in Global Proxy Hijacking Operation

The420.in Staff

Google has announced the dismantling of a large-scale cyber network that allegedly targeted more than 90 million Android and smart devices worldwide by secretly converting them into components of a residential proxy infrastructure.

Hidden SDKs in 600+ Free Apps

According to the company’s investigation, the operation functioned through hidden software development kits (SDKs) embedded inside more than 600 free applications. These apps appeared to offer legitimate services such as utility tools, VPN services, and other free-download programs but secretly operated in the background to route internet traffic through user devices.

Stealth Proxy Relay Infrastructure

Cybersecurity researchers said the network worked by enrolling devices into a proxy relay system without user knowledge. Once activated, the compromised devices were used to forward internet traffic for third parties. Such infrastructure can be exploited for activities including website scraping, automated login attempts, and masking the origin of cyber operations.

Investigators stated that the infected applications generally functioned normally, which made detection difficult. Users did not notice significant performance degradation, battery drain, or operational disruption in most cases. The stealth nature of the system allowed the proxy network to remain active for extended periods.

IPIDEA Network Linked to 550 Threat Groups

Google’s Threat Intelligence Group linked the infrastructure to a company identified as IPIDEA. While the firm claimed its services were intended for legitimate market research and business data analytics, Google’s findings suggested that the system was widely misused by threat actors operating across multiple cybercrime ecosystems.

The investigation revealed that during a single seven-day monitoring period, more than 550 cyber threat groups were observed using IP addresses associated with the network. Security analysts suspect that the groups included organized cybercriminal networks as well as some state-affiliated actors, although definitive attribution remains under review.

To neutralize the operation, Google initiated legal proceedings in a United States federal court seeking seizure of domains used to control the proxy infrastructure. The company also collaborated with cybersecurity firms, including Cloudflare, to disrupt command-and-control servers associated with the network.

Google upgraded its built-in Play Protect security system to improve detection of malicious SDK components embedded inside applications. The updated system is designed to automatically scan, identify, and remove suspicious software from certified Android devices.

Third-Party App Store Warnings

However, the company warned that many affected applications were distributed outside the official Google Play Store. Security specialists highlighted that third-party app stores, unauthorized APK files, and uncertified Android devices remain highly vulnerable to cyber infiltration.

User Safety Recommendations

The investigation also found that several proxy brands and SDK identifiers looked distinct on the surface but operated on the same underlying infrastructure. This overlap made it extremely difficult for ordinary users to determine whether an application was safe or secretly exploiting device resources.

Cybersecurity experts advised users to download applications only from official app stores and to remain cautious about programs offering monetary rewards or incentives in exchange for sharing unused internet bandwidth. Such apps may secretly allow the user's network connection to be used by unknown third parties.

Professionals warned that free applications are often not entirely free in practice. In many cases, users unknowingly pay through the use of their internet bandwidth, device processing power, or data privacy exposure.

Security researchers emphasized the importance of regularly reviewing installed apps, removing unused software, and updating devices with the latest security patches. Enabling multi-factor authentication for important online accounts was also recommended.

Experts believe residential proxy hijacking represents an emerging global cybersecurity threat because it allows malicious traffic to be disguised as normal household internet usage. The incident underscores the growing need for digital awareness, safer application ecosystems, and responsible online behavior among smartphone users.

About the author – Ayesha Aayat is a law student and contributor covering cybercrime, online frauds, and digital safety concerns. Her writing aims to raise awareness about evolving cyber threats and legal responses.
