Google Threat Intelligence Group (GTIG), together with industry partners, disrupted the IPIDEA proxy network by taking down the domains it used for infected-device management and proxy traffic routing, and by sharing intelligence on its proxy SDKs. IPIDEA covertly enrolled millions of devices through trojanized Android apps and Windows binaries, then sold proxy access through those devices to over 550 threat groups and supported DDoS botnets such as Aisuru and Kimwolf. #IPIDEA #BadBox2_0
Keypoints
- GTIG and partners disrupted IPIDEA by taking down domains used for infected device management and proxy routing.
- IPIDEA enrolled about 6.7 million devices via at least 600 trojanized Android apps and over 3,000 trojanized Windows binaries embedding proxy SDKs.
- More than 550 distinct threat groups—including actors linked to China, Iran, Russia, and North Korea—used IPIDEA exit nodes for account takeover, credential theft, and botnet control.
- The network supported large DDoS botnets such as Aisuru and Kimwolf and sold access through at least 19 branded proxy services tied to a single centralized operator.
- Google Play Protect now blocks apps embedding IPIDEA-related SDKs on Play Protect-certified Android devices; users should avoid VPN/proxy apps, free or paid, from untrusted publishers.