
Google Disrupts IPIDEA Proxy Network 

One of the largest residential proxy networks, IPIDEA enrolled devices through SDKs for mobile and desktop.


Google on Wednesday announced the disruption of IPIDEA, believed to be one of the largest residential proxy networks worldwide.

IPIDEA’s operators used software development kits (SDKs) and proxy software that developers embedded in their mobile and desktop applications, and which enrolled users’ devices into the network.

The IPIDEA takedown, Google says, involved both legal action against control and proxy domains, and sharing intelligence on the SDKs and proxy software used in the operation.

According to Google, the disruption reduced “the available pool of devices for the proxy operators by millions”, causing “significant degradation of IPIDEA’s proxy network and business operations”.

“Because proxy operators share pools of devices using reseller agreements, we believe these actions may have downstream impact across affiliated entities,” Google notes.

The threat actors behind IPIDEA were controlling over a dozen independent proxy and VPN brands, as well as domains related to SDKs for residential proxies.


Providing Android, iOS, Windows, and WebOS support, the SDKs were marketed to developers as a monetization mechanism: IPIDEA’s operators paid developers for embedding them, usually on a per-download basis.

Once the applications were installed, the SDKs turned users’ devices into exit nodes for the proxy network, typically without their knowledge.

“While many residential proxy providers state that they source their IP addresses ethically, our analysis shows these claims are often incorrect or overstated. Many of the malicious applications we analyzed in our investigation did not disclose that they enrolled devices into the IPIDEA proxy network,” Google says.

IPIDEA, Google says, controlled Castar SDK, Earn SDK, Hex SDK, and Packet SDK, and used a two-tier infrastructure: an enrolled device would first connect to a tier one domain to receive the addresses of the tier two nodes it should connect to.

While the SDKs had different tier one domains, they all used a shared pool of approximately 7,400 tier two servers. The number of tier two nodes would change daily, based on demand.
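The two-tier bootstrap pattern described above (a device resolves a tier one domain, receives a relay list, then fans out to several tier two servers) is something a network defender can look for in DNS and flow logs. The following detection sketch is an added example written for this article; it is not code from Google or from the SecurityWeek report. The tier one domain names, host names and IP addresses are constructed placeholders (documentation ranges, not real IPIDEA indicators), and the log format is assumed for illustration.

```python
"""Flag hosts that contact a known tier one (bootstrap) domain and then open
connections to several distinct tier two peers shortly afterwards.

All domains, hosts and addresses below are constructed examples; a real
deployment would load tier one domains from threat intelligence and read
events from DNS and NetFlow/Zeek logs instead of the inline sample."""
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical tier one bootstrap domains (placeholders, not real IoCs).
TIER_ONE_DOMAINS = {"bootstrap.example-proxy-sdk.test", "cfg.example-sdk.test"}
# How long after the bootstrap lookup we expect the fan-out to tier two nodes.
WINDOW = timedelta(minutes=10)
# Distinct tier two peers needed before a host is reported.
MIN_TIER_TWO_PEERS = 3

# Constructed sample log: "<iso timestamp> <host> <dns|conn> <target>".
SAMPLE_LOGS = """\
2024-05-01T10:00:01 phone-17 dns bootstrap.example-proxy-sdk.test
2024-05-01T10:00:03 phone-17 conn 203.0.113.10:443
2024-05-01T10:00:04 phone-17 conn 203.0.113.11:443
2024-05-01T10:00:06 phone-17 conn 203.0.113.12:443
2024-05-01T10:00:07 phone-17 conn 203.0.113.13:443
2024-05-01T10:01:00 laptop-02 dns www.example.com
2024-05-01T10:01:02 laptop-02 conn 198.51.100.5:443
2024-05-01T10:02:00 tablet-09 dns cfg.example-sdk.test
2024-05-01T10:02:05 tablet-09 conn 203.0.113.20:443
2024-05-01T10:40:00 tablet-09 conn 203.0.113.21:443
2024-05-01T10:41:00 tablet-09 conn 203.0.113.22:443
"""


def parse_logs(text):
    """Parse the sample format into (timestamp, host, kind, target) tuples,
    sorted by time so the bootstrap lookup precedes its fan-out."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, kind, target = line.split()
        events.append((datetime.fromisoformat(ts), host, kind, target))
    events.sort(key=lambda e: e[0])
    return events


def find_enrolled_devices(events, tier_one=TIER_ONE_DOMAINS,
                          window=WINDOW, min_peers=MIN_TIER_TWO_PEERS):
    """Return {host: sorted tier two peer IPs} for every host that queried a
    tier one domain and then reached at least min_peers distinct peers
    within the window. Connections before any bootstrap lookup, or outside
    the window, are ignored, so ordinary browsing is not reported."""
    bootstrap_time = {}
    peers = defaultdict(set)
    for ts, host, kind, target in events:
        if kind == "dns" and target in tier_one:
            # A fresh bootstrap means a fresh relay list; start counting again.
            bootstrap_time[host] = ts
            peers[host].clear()
        elif kind == "conn" and host in bootstrap_time:
            if ts - bootstrap_time[host] <= window:
                ip = target.rsplit(":", 1)[0]
                peers[host].add(ip)
    return {h: sorted(p) for h, p in peers.items() if len(p) >= min_peers}


if __name__ == "__main__":
    for host, relays in find_enrolled_devices(parse_logs(SAMPLE_LOGS)).items():
        print(f"{host}: bootstrap lookup followed by {len(relays)} tier two peers "
              f"-> {', '.join(relays)}")
```

With the sample data only phone-17 is reported: it resolved a placeholder tier one domain and then connected to four distinct tier two addresses within the window. tablet-09 also performed a bootstrap lookup but only one connection falls inside the window, so it stays below the threshold; laptop-02 never touched a tier one domain. In practice the tier one list is the scarce input, which is why intelligence sharing on the SDK domains, as described in the article, matters more than the matching logic itself.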

IPIDEA also controlled VPN applications that provided the expected functionality but also enrolled devices into the proxy network. The identified apps include Galleon VPN, Radish VPN, and Aman VPN.

Google identified 3,075 unique Windows PE file hashes and more than 600 Android applications connecting to tier one domains.

Google and its partners took legal action to take down the command-and-control (C&C) domains used by the proxy network, as well as domains that the threat actors used for marketing purposes. It also added policies to Google Play Protect to remove IPIDEA SDKs from certified Android devices.

“We’ve worked closely with other firms, including Spur and Lumen’s Black Lotus Labs to understand the scope and extent of residential proxy networks and the bad behavior they often enable. We partnered with Cloudflare to disrupt IPIDEA’s domain resolution, impacting their ability to command and control infected devices and market their products,” Google notes.


Copyright © 2026 SecurityWeek ®, a Wired Business Media Publication. All Rights Reserved.
