Google Threat Intelligence Group and partners disrupted the IPIDEA residential proxy network by taking down C2 and marketing domains, sharing SDK and infrastructure intelligence, and enforcing Play Protect to remove apps embedding IPIDEA SDKs. The network had enrolled millions of consumer devices via trojanized or monetized SDKs and was abused by numerous threat groups and botnets including BadBox2.0. #IPIDEA #BadBox2.0
Keypoints
- GTIG led legal takedowns of IPIDEA C2 and marketing domains and coordinated with partners (Cloudflare, Spur, Lumen/Black Lotus Labs) to disrupt domain resolution and infrastructure.
- IPIDEA used monetized SDKs (PacketSDK, EarnSDK, CastarSDK, HexSDK) embedded into legitimate Android, Windows, iOS, and WebOS apps to enroll devices as residential proxy exit nodes.
- The residential proxy network enabled broad abuse: it facilitated botnets (BadBox2.0, Aisuru, Kimwolf), access to victim SaaS and on-prem systems, and obfuscation by over 550 tracked threat groups within a single week.
- The command-and-control model is two-tier: Tier One domains deliver Tier Two IP addresses; Tier Two IP:port pairs poll for proxy tasks and send connection IDs to start proxying traffic.
- GTIG’s actions reduced IPIDEA’s available device pool by millions and Google Play Protect now warns, removes, and blocks apps known to incorporate IPIDEA SDKs on certified Android devices.
- Analysis revealed significant overlaps across SDKs’ C2 infrastructure and a shared pool of ~7,400 Tier Two servers, indicating shared backend, reseller agreements, and cross-brand relationships among proxy providers.
MITRE Techniques
- [T1195] Supply Chain Compromise – IPIDEA distributed SDKs that developers embed in legitimate apps to enroll devices as proxy exit nodes (‘These SDKs… are meant to be embedded into existing applications… Once developers incorporate these SDKs into their app, they are then paid by IPIDEA usually on a per-download basis.’)
- [T1204] User Execution – Users unknowingly install trojanized applications that include proxy SDKs and join their devices to the proxy network (‘users unknowingly download trojanized applications with embedded proxy code.’)
- [T1090] Proxy – Compromised consumer devices are used as residential proxy exit nodes to route attacker traffic and mask origin IPs (‘When the device is joined to the proxy network, the proxy provider sells access to the infected device’s network bandwidth (and use of its IP address) to their customers.’)
- [T1071] Application Layer Protocol – C2 and tasking use HTTP GET/POST and encoded JSON over TCP for device diagnostics and proxy tasking (‘The device diagnostic information can be sent as HTTP GET query string parameters or in the HTTP POST body’)
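The two-tier tasking model (Tier One domain lookup, then steady polling of a Tier Two IP:port) and the HTTP/TCP tasking channel described above can be turned into a simple host-level detection over flow records. This is an added example, not code from the GTIG report: the log format, the hypothetical internal host addresses, and the assumption that a Tier One resolution precedes regular polling of a Tier Two node are mine; the watchlist values are the domains and IPs the report publishes.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Watchlist values come from the report's published indicators.
TIER_ONE_DOMAINS = {"packetsdk.io", "ipidea.io"}
TIER_TWO_IPS = {"49.51.68.143", "45.78.214.188"}

def parse_event(line):
    # Constructed log format: "<epoch> <src_ip> dns <domain>" or "<epoch> <src_ip> tcp <dst_ip>:<port>"
    ts, src, kind, target = line.split()
    return int(ts), src, kind, target

def find_proxy_nodes(lines, min_polls=3, max_jitter=5.0):
    """Return {src_ip: details} for hosts that resolved a Tier One domain and
    then polled one Tier Two IP:port at a steady cadence (the tasking loop)."""
    first_tier_one = {}          # src_ip -> (ts, domain) of first Tier One lookup
    polls = defaultdict(list)    # (src_ip, "ip:port") -> connection timestamps
    for line in lines:
        if not line.strip():
            continue
        ts, src, kind, target = parse_event(line)
        if kind == "dns" and target in TIER_ONE_DOMAINS:
            first_tier_one.setdefault(src, (ts, target))
        elif kind == "tcp" and target.rsplit(":", 1)[0] in TIER_TWO_IPS:
            polls[(src, target)].append(ts)
    hits = {}
    for (src, dst), stamps in polls.items():
        if src not in first_tier_one:
            continue             # Tier Two contact without the Tier One step: weaker evidence, skipped here
        t1_ts, domain = first_tier_one[src]
        after = sorted(t for t in stamps if t >= t1_ts)
        if len(after) < min_polls:
            continue
        gaps = [b - a for a, b in zip(after, after[1:])]
        if pstdev(gaps) > max_jitter:
            continue             # irregular timing: not a polling loop
        hits[src] = {"tier_one": domain, "tier_two": dst,
                     "polls": len(after), "interval": round(mean(gaps), 1)}
    return hits

# Constructed sample: 10.0.0.5 shows the full pattern, 10.0.0.9 only a single contact.
SAMPLE_LOG = """\
100 10.0.0.5 dns packetsdk.io
130 10.0.0.5 tcp 49.51.68.143:443
190 10.0.0.5 tcp 49.51.68.143:443
250 10.0.0.5 tcp 49.51.68.143:443
310 10.0.0.5 tcp 49.51.68.143:443
105 10.0.0.9 dns ipidea.io
140 10.0.0.9 tcp 45.78.214.188:443
"""
```

On real telemetry, feed DNS and flow events for one host in any order; only hosts that show the Tier One lookup followed by at least `min_polls` evenly spaced Tier Two connections are returned.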
Indicators of Compromise
- [Domain] C2, SDK, and marketing domains used by IPIDEA and related proxy brands – packetsdk.io, ipidea.io, and dozens more domains (e.g., 31d58c226fc5a0aa976e13ca9ecebcc8.com, v46wd6uramzkmeeo.in)
- [IP Address] Tier Two proxy/C2 nodes observed in analysis and sample responses – 49.51.68.143, 45.78.214.188
- [File Hash] Examples of malicious/trojanized binaries and SDK packages – aef34f14456358db91840c416e55acc7d10185ff2beb362ea24697d7cdad321f (DLL, Packet SDK package), b0726bdd53083968870d0b147b72dad422d6d04f27cd52a7891d038ee83aef5b (APK with Packet SDK), and 3,073 other Windows PE/APK hashes referenced in the report
- [Certificate Signer] Code signing identities observed in samples used by proxy/SDK binaries – HONGKONG LINGYUN MDT INFOTECH LIMITED; FIRENET LIMITED
- [File Name / Type] Known proxy/monetization clients and trojanized apps – Radish VPN Client (EXE, SHA-256 59cbdecfc01eba859d12fbeb48f96fe3fe841ac1aafa6bd38eff92f0dcfd4554), ABC S5 Proxy Client (EXE, SHA-256 ba9b1f4cc2c7f4aeda7a1280bbc901671f4ec3edaa17f1db676e17651e9bff5f), plus multiple APK/DLL/EXE samples