Google Shuts Down Malware-Fueled IPIDEA Residential Proxy Networks
Google has recently disrupted IPIDEA, one of the largest residential proxy networks exploited by cybercriminals. The coordinated effort involved the Google Threat Intelligence Group (GTIG) and industry partners, and focused on taking down domains used by IPIDEA’s illegal services, including those for device management and proxy traffic routing.
Overview of IPIDEA’s Operations
IPIDEA was presented as a VPN service, claiming to encrypt online traffic and conceal users’ IP addresses. It reportedly had 6.7 million users globally. The network’s residential proxy capacity came from compromised devices, typically home or small-business computers. Infection usually resulted from users downloading trojanized applications masquerading as legitimate tools.
Malicious Activities and Threat Groups
According to Google, residential proxies enable various malicious activities, including:
- Account takeovers
- Creation of fake accounts
- Theft of credentials
- Exfiltration of sensitive data
By routing traffic through compromised consumer devices, attackers make their activity look like ordinary home-user traffic and hide its true origin. GTIG identified that over 550 distinct threat groups used IPIDEA’s exit nodes within a single week, including actors from China, Iran, Russia, and North Korea.
Types of Threats Associated with IPIDEA
The malicious activities linked to IPIDEA’s infrastructure included:
- Access to Software-as-a-Service (SaaS) platforms
- Botnet control
- Password spraying
- Obfuscation of infrastructure
Cisco Talos previously connected IPIDEA to significant brute-force attacks targeting VPN and SSH services, highlighting the extent of its operations.
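The password spraying and brute-force activity described above leaves a recognizable pattern in authentication logs, and the residential-proxy angle changes what that pattern looks like: instead of one address hammering one account, a spray touches many accounts a few times each from many different consumer IP addresses, so per-IP lockout rules never trigger. The following Python script is an added example, not code from Google, GTIG, or Cisco Talos, and the log lines, hostnames, usernames, and addresses in it are constructed for the demonstration. It distinguishes the two patterns over a time window using only failure counts per (source, account) pair.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sshd-style log lines (not from the article). Six accounts each
# receive one or two guesses from six different source addresses (a spray,
# the shape residential proxies produce), while one address hammers "root"
# (classic brute force). The "Accepted" line shows that successes are ignored.
SAMPLE_LOG = """\
Jan 10 08:00:01 vpn-gw sshd[1201]: Failed password for alice from 198.51.100.10 port 50222 ssh2
Jan 10 08:00:02 vpn-gw sshd[1202]: Failed password for bob from 198.51.100.11 port 50223 ssh2
Jan 10 08:00:03 vpn-gw sshd[1203]: Failed password for invalid user admin from 198.51.100.12 port 50224 ssh2
Jan 10 08:00:04 vpn-gw sshd[1204]: Failed password for dave from 198.51.100.13 port 50225 ssh2
Jan 10 08:00:05 vpn-gw sshd[1205]: Failed password for erin from 198.51.100.14 port 50226 ssh2
Jan 10 08:00:06 vpn-gw sshd[1206]: Failed password for frank from 198.51.100.15 port 50227 ssh2
Jan 10 08:00:07 vpn-gw sshd[1207]: Failed password for alice from 198.51.100.10 port 50228 ssh2
Jan 10 08:01:00 vpn-gw sshd[1301]: Failed password for root from 203.0.113.5 port 41000 ssh2
Jan 10 08:01:01 vpn-gw sshd[1302]: Failed password for root from 203.0.113.5 port 41001 ssh2
Jan 10 08:01:02 vpn-gw sshd[1303]: Failed password for root from 203.0.113.5 port 41002 ssh2
Jan 10 08:01:03 vpn-gw sshd[1304]: Failed password for root from 203.0.113.5 port 41003 ssh2
Jan 10 08:01:04 vpn-gw sshd[1305]: Failed password for root from 203.0.113.5 port 41004 ssh2
Jan 10 08:01:30 vpn-gw sshd[1310]: Accepted password for grace from 192.0.2.9 port 41100 ssh2
"""

# Matches the standard sshd "Failed password" line, with or without "invalid user".
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\d+\.\d+\.\d+\.\d+)"
)
# syslog timestamps carry no year; strptime fills in 1900, which is fine for
# relative bucketing as long as the log does not span a year boundary.
EPOCH = datetime(1900, 1, 1)


def parse_failed_logins(log_text):
    """Return one event dict per failed-password line; other lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
        events.append({"ts": ts, "user": m.group("user"), "src": m.group("src")})
    return events


def detect_auth_abuse(log_text, window_minutes=10, min_spray_users=5,
                      max_spray_attempts=2, brute_threshold=5):
    """Flag brute force (one source, one account, many tries) and password
    spraying (many accounts, few tries each, usually many sources) per window."""
    findings = []
    by_window = defaultdict(list)
    for e in parse_failed_logins(log_text):
        minutes = int((e["ts"] - EPOCH).total_seconds() // 60)
        by_window[minutes // window_minutes].append(e)

    for window, events in sorted(by_window.items()):
        pair_counts = defaultdict(int)
        for e in events:
            pair_counts[(e["src"], e["user"])] += 1

        # Brute force is visible per (source, account) pair and is what per-IP
        # lockout rules already catch.
        for (src, user), n in pair_counts.items():
            if n >= brute_threshold:
                findings.append({"kind": "brute_force", "window": window,
                                 "src": src, "user": user, "attempts": n})

        # A spray hides below the per-pair threshold; the signal is the number
        # of distinct accounts touched a few times each across the window.
        low = [pair for pair, n in pair_counts.items() if n <= max_spray_attempts]
        users = {user for _, user in low}
        sources = {src for src, _ in low}
        if len(users) >= min_spray_users:
            findings.append({"kind": "password_spray", "window": window,
                             "distinct_users": len(users),
                             "distinct_sources": len(sources),
                             "attempts": sum(pair_counts[p] for p in low)})
    return findings


if __name__ == "__main__":
    for finding in detect_auth_abuse(SAMPLE_LOG):
        print(finding)
```

The thresholds are assumptions to tune per environment: a busy gateway sees a steady trickle of mistyped passwords from legitimate users, so `min_spray_users` must sit above that baseline for the chosen window, and the `distinct_sources` count in a spray finding is the field that tells you whether the attempts arrive through a proxy network rather than from a single host.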
Broader Impact and Network Structure
IPIDEA’s architecture operated on a two-tier command-and-control (C2) system. The first tier managed configurations and scheduling, while the second tier, consisting of about 7,400 servers, handled proxy tasks and traffic relaying. Google noted that the operators promoted various VPN and proxy applications that covertly enrolled user devices into the IPIDEA network.
Ways Users Could Be Affected
IPIDEA marketed a range of VPN applications, falsely presenting them as trustworthy services. The operators controlled at least 19 residential proxy brands through a centralized system, including:
- 360 Proxy (360proxy.com)
- 922 Proxy (922proxy.com)
- Cherry Proxy (cherryproxy.com)
- Galleon VPN (galleonvpn.com)
- Luna Proxy (lunaproxy.com)
Despite the recent actions taken by Google and its partners, the IPIDEA network operators remain unidentified and may attempt to rebuild their infrastructure.
Advice for Users
Users are advised to remain wary of applications that offer payment in exchange for sharing bandwidth, and of free VPNs from unknown developers. Google Play Protect has been updated to automatically detect and block apps containing IPIDEA-related software development kits (SDKs) on certified devices.