9 million Android phones were secretly hijacked by proxy network
Google recently announced in a statement that it has disrupted the “world’s largest residential proxy network.” The network was able to remain undetected for a long time, hijacking innocent users’ private devices (including smartphones, PCs, and smart home devices) and using them as gateways for relaying data.
The company explains that a Chinese company called IPIDEA was behind it and, with the help of a US federal court order, Google was able to shut down several websites and backend systems, thereby preventing the network from continuing to operate.
In short, a proxy server is like a relay that forwards requests and caches data. For example, suppose an attacker wants to launch a DDoS attack. Instead of attacking with their own traceable devices, the attacker could relay the attacks through a proxy network made up of smartphones and other devices owned by other people, thus concealing their own identity.
According to Google, millions of devices belonged to IPIDEA’s proxy network, including at least 9 million Android smartphones.
How users end up in the proxy network
Most users ended up in IPIDEA’s network by installing free apps, games, and desktop software that contained hidden code components (SDKs, or software development kits). These SDKs aren’t recognized as malicious because they don’t restrict the use of the device. They do, however, allow access by third parties.
IPIDEA could therefore use these SDKs to turn an affected device into an exit node for its proxy network. It was then able to forward and conceal data unnoticed through the users’ IP addresses.
According to Google, Google Play Protect (the Play Store’s internal threat scanner) can reliably detect and block IPIDEA SDKs. However, apps from third-party stores or other unsecured sources aren’t so safe. We’re talking about “over 600 applications across multiple download sources … that enabled IPIDEA proxy behavior.”
Is there still a risk?
Google emphasizes that shutting down IPIDEA’s network would prevent millions of devices from continuing to be misused as proxies. IPIDEA, on the other hand, told the Wall Street Journal that its services were intended solely for “legitimate business purposes.” The company did not respond to the court order to shut down its network.
However, IPIDEA admits that other criminal actors have been able to abuse the network. In 2025, attackers managed to exploit a vulnerability in the network and hijack millions of devices. These were added to a botnet called “Kimwolf,” which was linked to various DDoS attacks.
For Android users, it’s particularly important that you never install applications from unknown, insecure sources. Even apps from seemingly legitimate stores can introduce Trojans. For additional protection, you might want to install an antivirus app on your Android device.