Google’s Threat Analysis Group detected unusual high-volume outbound traffic from millions of internet-connected devices. The patterns did not match typical malware signatures. Instead, researchers identified a massive distributed relay system that routed data through private phones, computers, and smart-home devices for a third party.

The operator was a Chinese company named IPIDEA. Google described the takedown as the largest residential proxy network dismantled in history. With a federal court order, Google disabled the web domains and backend infrastructure coordinating the operation. This action shut down a network that had operated for years without device owners’ knowledge.

IPIDEA embedded software development kits, or SDKs, into hundreds of apps and desktop programs. These included free games, utility tools, and productivity applications that users downloaded routinely. Once installed, the SDKs converted devices into exit nodes, forwarding internet traffic and concealing the original sender’s identity.

Proxies of this type relay data requests, often for privacy or testing purposes. IPIDEA, however, used personal devices to handle high-volume traffic. At its peak, the network included over 9 million Android phones worldwide.

Google identified more than 600 apps containing IPIDEA SDK versions with proxy capabilities. Google Play’s Play Protect security scanner now detects and blocks these libraries. Apps from third-party stores, however, remain at risk.

The system avoided traditional malware by leveraging permissions inherent in Android’s architecture. Detection occurred only after researchers observed the volume of traffic from residential IP addresses.
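The detection signal described above, unusually large outbound volume from residential devices, is something a defender can look for in their own telemetry. The script below is an added illustration, not code from Google or from this article: it reads constructed per-connection flow summaries (the device names, addresses and byte counts are invented, and the thresholds are assumptions) and flags devices whose profile is upload-heavy, fans out to many destinations, and sits far above the fleet's typical upload volume. Consumer phones and TVs mostly download, so a device that suddenly uploads more than it downloads to dozens of unrelated endpoints is worth a closer look.

```python
from collections import defaultdict
from statistics import median

# Constructed flow summaries (not real telemetry): one line per connection,
# "timestamp device dst_ip bytes_out bytes_in". The ordinary devices mostly
# download; the invented "phone-e" uploads about 1 MB to each of 40 destinations.
NORMAL_FLOWS = """\
1700000000 phone-a 203.0.113.10 12000 850000
1700000005 phone-a 203.0.113.11 8000 400000
1700000010 phone-a 203.0.113.12 30000 1200000
1700000000 phone-b 198.51.100.5 5000 300000
1700000020 phone-b 198.51.100.6 9000 2500000
1700000000 tv-c 203.0.113.20 2000 9000000
1700000030 tv-c 203.0.113.21 1500 7500000
1700000000 laptop-d 198.51.100.40 60000 2000000
1700000040 laptop-d 198.51.100.41 45000 900000
1700000040 laptop-d 198.51.100.42 20000 600000
"""
RELAY_FLOWS = "\n".join(
    f"{1700000100 + i} phone-e 192.0.2.{i} 1000000 50000" for i in range(1, 41)
)
SAMPLE_FLOWS = NORMAL_FLOWS + RELAY_FLOWS + "\n"


def parse_flows(text):
    """Parse whitespace-separated flow lines into dicts, skipping blank lines."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, device, dst, out_b, in_b = line.split()
        records.append({"ts": int(ts), "device": device, "dst": dst,
                        "bytes_out": int(out_b), "bytes_in": int(in_b)})
    return records


def summarize(records):
    """Aggregate per device: total bytes out, total bytes in, distinct destinations."""
    stats = defaultdict(lambda: {"bytes_out": 0, "bytes_in": 0, "dests": set()})
    for r in records:
        s = stats[r["device"]]
        s["bytes_out"] += r["bytes_out"]
        s["bytes_in"] += r["bytes_in"]
        s["dests"].add(r["dst"])
    return dict(stats)


def flag_exit_node_candidates(stats, min_dests=10, fleet_factor=5.0):
    """Return device ids whose traffic profile resembles a relay exit node.

    A device is flagged when all three hold (thresholds are assumptions):
      - it uploads more than it downloads,
      - it talks to at least `min_dests` distinct destinations,
      - its upload volume is at least `fleet_factor` times the fleet median.
    """
    if not stats:
        return []
    typical_out = median(s["bytes_out"] for s in stats.values())
    flagged = []
    for device, s in stats.items():
        upload_heavy = s["bytes_out"] > s["bytes_in"]
        wide_fanout = len(s["dests"]) >= min_dests
        outlier = s["bytes_out"] >= fleet_factor * typical_out
        if upload_heavy and wide_fanout and outlier:
            flagged.append(device)
    return sorted(flagged)


if __name__ == "__main__":
    device_stats = summarize(parse_flows(SAMPLE_FLOWS))
    for device in flag_exit_node_candidates(device_stats):
        s = device_stats[device]
        print(f"{device}: out={s['bytes_out']} in={s['bytes_in']} "
              f"dests={len(s['dests'])}")
```

On the constructed sample only phone-e is reported. The fleet-median comparison matters: a single absolute byte threshold would either miss a relay on a quiet network or drown a busy one in false positives, whereas comparing each device to its peers adapts to the environment.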

Prior to Google’s action, attackers exploited a flaw in the IPIDEA infrastructure in 2025. They seized control, incorporating millions of devices into a botnet called Kimwolf. This botnet conducted distributed denial-of-service, or DDoS, attacks.

IPIDEA acknowledged that criminal actors had abused its platform. The company did not comply with Google’s court order to dismantle its services. Google has now taken the backend infrastructure offline, halting coordination of traffic across continents.

The incident reveals challenges in mobile security. Proxy SDKs, analytics trackers, and ad networks all move data between an app and third parties, so legitimate operation and unauthorized use of those flows can look alike.

Users face risks from downloading free or cracked apps from unverified sources. Android’s defenses block much malicious code, but SDK-based methods evade detection because they mimic legitimate behavior.
