Disrupting the largest residential proxy network

Original link: https://cloud.google.com/blog/topics/threat-intelligence/disrupting-largest-residential-proxy-network

## Google Disrupts a Large Residential Proxy Network – IPIDEA

Google, together with partners, has taken action against IPIDEA, one of the largest residential proxy networks in the world. These networks disguise malicious activity by routing traffic through ordinary consumers' internet connections (usually without their knowledge), which makes attacks hard to detect and block. IPIDEA operates through deceptive software development kits (SDKs) embedded in applications; the SDKs enroll user devices as proxy "exit nodes" and the operators sell access to their bandwidth. Google responded by legally taking down the control domains, sharing threat intelligence, and updating Google Play Protect to warn about and remove apps that use the IPIDEA SDK.

The takedown severely degraded IPIDEA's network, affecting millions of devices, and may also affect related proxy services such as 360 Proxy, Door VPN, and Luna Proxy. Google's research shows that IPIDEA fueled several botnets (BadBox2.0, Aisuru, Kimwolf) and was used by threat actors from China, North Korea, Iran, and Russia for espionage, crime, and information operations. Residential proxies put the users whose devices become exit nodes at risk: they may be exposed to security vulnerabilities and flagged for suspicious online behavior. Google will continue working to build a safer digital ecosystem and to combat these deceptive and harmful practices.

Google has disrupted a large residential proxy network that operated through the IPIDEA SDK, affecting Android devices and, surprisingly, older webOS (LG) devices. The network used unwitting users' devices to route internet traffic, potentially for malicious purposes. Google Play Protect has been updated to automatically warn about and remove apps that use the IPIDEA SDK and to block future installs. The move is notable because some users expressed surprise at Play Protect's effectiveness. Discussion on Hacker News pointed out that the webOS finding suggests there may be more undetected malware in the LG ecosystem, and asked why Samsung devices were not also targeted by the SDK. The disruption aims to improve the security of the broader digital environment.

Original text

Introduction 

This week Google and partners took action to disrupt what we believe is one of the largest residential proxy networks in the world, the IPIDEA proxy network. IPIDEA’s proxy infrastructure is a little-known component of the digital ecosystem leveraged by a wide array of bad actors.

This disruption, led by Google Threat Intelligence Group (GTIG) in partnership with other teams, included three main actions:

  1. Took legal action to take down domains used to control devices and proxy traffic through them.

  2. Shared technical intelligence on discovered IPIDEA software development kits (SDKs) and proxy software with platform providers, law enforcement, and research firms to help drive ecosystem-wide awareness and enforcement. These SDKs, which are offered to developers across multiple mobile and desktop platforms, surreptitiously enroll user devices into the IPIDEA network. Driving collective enforcement against these SDKs helps protect users across the digital ecosystem and restricts the network's ability to expand.

  3. These efforts to help keep the broader digital ecosystem safe supplement the protections we have to safeguard Android users on certified devices. We ensured Google Play Protect, Android’s built-in security protection, automatically warns users and removes applications known to incorporate IPIDEA SDKs, and blocks any future install attempts.

We believe our actions have caused significant degradation of IPIDEA’s proxy network and business operations, reducing the available pool of devices for the proxy operators by millions. Because proxy operators share pools of devices using reseller agreements, we believe these actions may have downstream impact across affiliated entities.

Dizzying Array of Bad Behavior Enabled by Residential Proxies

In contrast to other types of proxies, residential proxy networks sell the ability to route traffic through IP addresses owned by internet service providers (ISPs) and used to provide service to residential or small business customers. By routing traffic through an array of consumer devices all over the world, attackers can mask their malicious activity by hijacking these IP addresses. This generates significant challenges for network defenders to detect and block malicious activities.

A robust residential proxy network requires control of millions of residential IP addresses to sell to customers. IP addresses in countries and regions such as the US, Canada, and Europe are considered especially desirable. To obtain them, residential proxy network operators need code running on consumer devices to enroll those devices into the network as exit nodes. The devices are either pre-loaded with proxy software or are joined to the proxy network when users unknowingly download trojanized applications with embedded proxy code. Some users may knowingly install this software on their devices, lured by the promise of “monetizing” their spare bandwidth. Once a device is joined to the proxy network, the proxy provider sells access to the infected device’s network bandwidth (and use of its IP address) to its customers.

While operators of residential proxies often extol the privacy and freedom of expression benefits of residential proxies, Google Threat Intelligence Group’s (GTIG) research shows that these proxies are overwhelmingly misused by bad actors. IPIDEA has become notorious for its role in facilitating several botnets: its software development kits played a key role in adding devices to the botnets, and its proxy software was then used by bad actors to control them. This includes the BadBox2.0 botnet we took legal action against last year, and the Aisuru and Kimwolf botnets more recently. We also observe IPIDEA being leveraged by a vast array of espionage, crime, and information operations threat actors. In a single seven-day period in January 2026, GTIG observed over 550 individual threat groups that we track using IP addresses tracked as IPIDEA exit nodes to obfuscate their activities, including groups from China, the DPRK, Iran, and Russia. The activities included access to victim SaaS environments, on-premises infrastructure, and password spray attacks. Our research has found significant overlaps between residential proxy network exit nodes, likely because of reseller and partnership agreements, making definitive quantification and attribution challenging.
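The detection challenge described above and the password spray activity mentioned here share a root cause: each attempt arrives from a different consumer IP address, so per-IP rate limits and blocklists never trip. The following is an added example, not code from the blog post or from GTIG, showing a proxy-aware spray detector that aggregates failed logins by distinct target account and distinct source address within a window, beside the classic per-IP threshold that misses it. The log line format, the sample lines (RFC 5737 documentation addresses), and the thresholds are all constructed for the example.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timezone

# Assumed log format (constructed for this example, not a real product's schema):
# <ISO-8601 UTC timestamp> <OK|FAIL> <username> <source_ip> <user_agent>
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) (?P<result>OK|FAIL) "
    r"(?P<user>\S+) (?P<ip>\S+) (?P<ua>.+)$"
)

# Constructed sample: a low-and-slow spray (one failure per account, every attempt from a
# different residential-looking address, identical browser fingerprint), then an hour later
# a classic single-source brute force against one account.
SAMPLE_LOG = """\
2026-01-12T09:00:01Z FAIL alice@corp.example 203.0.113.10 Mozilla/5.0 (Windows NT 10.0) Chrome/120
2026-01-12T09:01:12Z FAIL bob@corp.example 203.0.113.57 Mozilla/5.0 (Windows NT 10.0) Chrome/120
2026-01-12T09:02:40Z FAIL carol@corp.example 198.51.100.8 Mozilla/5.0 (Windows NT 10.0) Chrome/120
2026-01-12T09:03:05Z OK dave@corp.example 192.0.2.14 Mozilla/5.0 (Macintosh) Safari/17
2026-01-12T09:04:33Z FAIL erin@corp.example 198.51.100.91 Mozilla/5.0 (Windows NT 10.0) Chrome/120
2026-01-12T09:05:50Z FAIL frank@corp.example 203.0.113.200 Mozilla/5.0 (Windows NT 10.0) Chrome/120
2026-01-12T09:07:21Z FAIL grace@corp.example 198.51.100.143 Mozilla/5.0 (Windows NT 10.0) Chrome/120
2026-01-12T10:00:02Z FAIL heidi@corp.example 192.0.2.77 curl/8.5.0
2026-01-12T10:00:09Z FAIL heidi@corp.example 192.0.2.77 curl/8.5.0
2026-01-12T10:00:15Z FAIL heidi@corp.example 192.0.2.77 curl/8.5.0
2026-01-12T10:00:22Z FAIL heidi@corp.example 192.0.2.77 curl/8.5.0
2026-01-12T10:00:30Z FAIL heidi@corp.example 192.0.2.77 curl/8.5.0
2026-01-12T10:00:41Z FAIL heidi@corp.example 192.0.2.77 curl/8.5.0
"""


def parse_line(line):
    """Return a dict for one log line, or None if it does not match the assumed format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "result": m["result"], "user": m["user"], "ip": m["ip"], "ua": m["ua"]}


def failures_by_window(lines, window_seconds):
    """Group FAIL events into tumbling windows keyed by window start (epoch seconds)."""
    buckets = defaultdict(list)
    for ev in filter(None, map(parse_line, lines)):
        if ev["result"] == "FAIL":
            start = int(ev["ts"].timestamp()) // window_seconds * window_seconds
            buckets[start].append(ev)
    return buckets


def per_ip_threshold_alerts(lines, threshold=5, window_seconds=600):
    """Classic rule: N failures from one source IP in a window. Returns {ip: max_count}.
    Against a residential proxy every IP contributes one attempt, so this stays silent."""
    hits = {}
    for events in failures_by_window(lines, window_seconds).values():
        for ip, n in Counter(e["ip"] for e in events).items():
            if n >= threshold:
                hits[ip] = max(n, hits.get(ip, 0))
    return hits


def detect_spray(lines, window_seconds=600, min_users=5, min_ips=5, max_fails_per_user=2):
    """Proxy-aware rule: many distinct accounts each failing only a few times, from many
    distinct source IPs, inside one window. IP diversity is treated as a signal, and the
    dominant user-agent share is reported because rotated exits usually keep one client."""
    alerts = []
    for start, events in sorted(failures_by_window(lines, window_seconds).items()):
        per_user = Counter(e["user"] for e in events)
        ips = {e["ip"] for e in events}
        ua, ua_count = Counter(e["ua"] for e in events).most_common(1)[0]
        if (len(per_user) >= min_users and len(ips) >= min_ips
                and max(per_user.values()) <= max_fails_per_user):
            alerts.append({
                "window_start": datetime.fromtimestamp(start, tz=timezone.utc).isoformat(),
                "distinct_users": len(per_user),
                "distinct_ips": len(ips),
                "max_fails_per_user": max(per_user.values()),
                "dominant_user_agent": ua,
                "user_agent_share": round(ua_count / len(events), 2),
            })
    return alerts


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print("per-IP threshold alerts:", per_ip_threshold_alerts(lines))
    for alert in detect_spray(lines):
        print("spray:", alert)
```

On the constructed sample the per-IP rule reports only the 10:00 brute force from 192.0.2.77, while the account-centric rule fires on the 09:00 window where six accounts failed once each from six different addresses sharing one browser string. In production the same aggregation is what makes IP-rotating proxy traffic visible: key the alert on the tenant and the spread of target accounts, and use the source addresses only as supporting context.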

In addition, residential proxies pose a risk to the consumers whose devices are joined to the proxy network as exit nodes. These users knowingly or unknowingly provide their IP address and device as a launchpad for hacking and other unauthorized activities, potentially causing them to be flagged as suspicious or blocked by providers. Proxy applications also introduce security vulnerabilities to consumers’ devices and home networks. When a user’s device becomes an exit node, network traffic that they do not control passes through their device. This means bad actors can reach a user’s private devices on the same network, effectively exposing their security vulnerabilities to the internet. GTIG’s analysis of these applications confirmed that the IPIDEA proxy did not solely route traffic through the exit node device; it also sent traffic to the device in order to compromise it. While proxy providers may claim ignorance or close these security gaps when notified, enforcement and verification are challenging given intentionally murky ownership structures, reseller agreements, and the diversity of applications.
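From the defender's side of the home or office network, an enrolled exit node leaves a traffic footprint that the paragraph above describes in words: relayed customer traffic fans out to many unrelated destinations and ports, and the proxy side also opens connections into the device. The following is an added example, not code from the blog post or from GTIG, that scores per-device flow summaries for those two properties. The flow record layout, the two constructed devices, and the thresholds are assumptions made for the example; real thresholds have to come from each device class's own baseline.

```python
from collections import defaultdict

# Flow record layout assumed for this example (constructed, not a real exporter's schema):
# (device, direction, peer_ip, port, byte_count)
# direction "out": the device opened the connection, port is the destination port;
# direction "in": an external peer opened it, port is the device-side listening port.


def constructed_flows():
    """Deterministic sample: one ordinary phone and one TV acting as a proxy exit node.
    Addresses come from the RFC 5737 documentation ranges."""
    flows = []
    # Ordinary phone: a dozen CDN/API hosts, all on 443, nothing inbound.
    for i in range(12):
        flows.append(("phone", "out", f"198.51.100.{i + 1}", 443, 40_000 + i * 1000))
    # Exit node: relayed traffic reaches many unrelated hosts across many service ports...
    ports = [80, 443, 8080, 25, 587, 993, 3389, 22]
    for i in range(180):
        flows.append(("tv", "out", f"203.0.113.{i + 1}", ports[i % len(ports)], 2_000 + i))
    # ...and the proxy relay also opens connections *to* the device, matching the page's
    # finding that traffic was sent to exit nodes and not only through them.
    for i in range(5):
        flows.append(("tv", "in", "192.0.2.50", 20_000 + i, 500))
    return flows


def summarize(flows):
    """Per-device fan-out statistics: distinct outbound peers and ports, inbound count."""
    acc = defaultdict(lambda: {"flows": 0, "peers": set(), "ports": set(),
                               "inbound": 0, "out_bytes": 0})
    for device, direction, peer_ip, port, nbytes in flows:
        s = acc[device]
        s["flows"] += 1
        if direction == "in":
            s["inbound"] += 1
        else:
            s["peers"].add(peer_ip)
            s["ports"].add(port)
            s["out_bytes"] += nbytes
    return {
        device: {
            "flows": s["flows"],
            "distinct_peers": len(s["peers"]),
            "distinct_ports": len(s["ports"]),
            "inbound_flows": s["inbound"],
            "out_bytes": s["out_bytes"],
        }
        for device, s in acc.items()
    }


def exit_node_candidates(flows, min_peers=100, min_ports=5, min_inbound=1):
    """Flag devices whose traffic looks relayed rather than self-generated.
    A device is reported when at least two of the three indicators hold, so a single
    busy-but-legitimate pattern (say, a port scanner you run yourself) is not enough."""
    flagged = {}
    for device, s in summarize(flows).items():
        reasons = []
        if s["distinct_peers"] >= min_peers:
            reasons.append("high destination fan-out")
        if s["distinct_ports"] >= min_ports:
            reasons.append("unusual destination port diversity")
        if s["inbound_flows"] >= min_inbound:
            reasons.append("accepts inbound connections from the internet")
        if len(reasons) >= 2:
            flagged[device] = {**s, "reasons": reasons}
    return flagged


if __name__ == "__main__":
    for device, info in exit_node_candidates(constructed_flows()).items():
        print(device, info["distinct_peers"], "peers,", info["distinct_ports"], "ports,",
              info["inbound_flows"], "inbound:", "; ".join(info["reasons"]))
```

The phone never appears in the output because its dozen peers on a single port and zero inbound flows match none of the indicators, while the TV trips all three. The inbound indicator is the one worth keeping even when the fan-out thresholds are noisy: a consumer device that accepts connections from the public internet has had its attack surface changed, whatever it is being used for.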

The IPIDEA Proxy Network

Our analysis of residential proxy networks found that many well-known residential proxy brands are not only related but are controlled by the actors behind IPIDEA. This includes the following ostensibly independent proxy and VPN brands: 

  • 360 Proxy (360proxy.com)

  • 922 Proxy (922proxy.com)

  • ABC Proxy (abcproxy.com)

  • Cherry Proxy (cherryproxy.com)

  • Door VPN (doorvpn.com)

  • Galleon VPN (galleonvpn.com)

  • IP 2 World (ip2world.com)

  • Ipidea (ipidea.io)

  • Luna Proxy (lunaproxy.com)

  • PIA S5 Proxy (piaproxy.com)

  • PY Proxy (pyproxy.com)

  • Radish VPN (radishvpn.com)

  • Tab Proxy (tabproxy.com)

The same actors that control these brands also control several domains related to Software Development Kits (SDKs) for residential proxies. These SDKs are not meant to be installed or executed as standalone applications; rather, they are meant to be embedded into existing applications. The operators market these kits as a way for developers to monetize their applications, and offer Android, Windows, iOS, and WebOS compatibility. Once developers incorporate these SDKs into their app, they are paid by IPIDEA, usually on a per-download basis.
