Google disrupts IPIDEA’s global hijacked device network
Google's Threat Intelligence Group has worked with industry partners on a disruption of IPIDEA, a large malicious residential proxy network that hijacked consumer devices and sold access to that connectivity.
The company said its investigation found that IPIDEA gained illicit access to consumer hardware including smartphones, set-top boxes and desktop computers. The devices then formed a residential proxy network that routed third-party traffic through home internet connections.
Google described IPIDEA as infrastructure that masked the activity of "hundreds of attacker groups" across cybercrime, espionage, advanced persistent threats and information operations. It also said it observed usage linked to actors "from all over the world, including China, DPRK, Iran and Russia".
Disruption steps
Google said it pursued legal action to shut down infrastructure used to manage devices connected to the network. It also said it shared findings about how the technology works with other platform providers.
Google also said it updated Google Play Protect. The company said the service now warns users automatically about apps that contain IPIDEA code.
For certified Android devices, Google said the system will remove malicious applications and block future installation attempts.
John Hultquist, GTIG's Chief Analyst, said the case showed how residential proxy networks had become embedded in a wide range of malicious activity.
"Residential proxy networks have become a pervasive tool for everything from high-end espionage to massive criminal schemes. By routing traffic through a person's home internet connection, attackers can hide in plain sight while infiltrating corporate environments. By taking down the infrastructure used to run the IPIDEA network, we have effectively pulled the rug out from under a global marketplace that was selling access to millions of hijacked consumer devices," said John Hultquist, Chief Analyst, Google.
How IPIDEA spread
Google outlined two main distribution methods that it said operators used to build the network.
In some cases, proxy operators paid app developers to hide what Google called "monetization" code inside common games and utilities. Google said that once a user downloaded the app, the device joined the proxy network without clear disclosure.
Google said the operators marketed these kits as a way for developers to monetise applications. It said the offerings covered Android, Windows, iOS and WebOS.
Google also said IPIDEA released standalone apps. It said these were marketed to people looking to make "easy cash". Google said the apps offered payment to consumers who installed the software and allowed it to use "unused bandwidth".
Underground marketing
Google said IPIDEA brands were promoted on underground forums and targeted criminal buyers who wanted harder-to-trace infrastructure for attacks. It said IPIDEA sold access to the connected devices to third parties through proxy and VPN services.
Residential proxy services have long been used for legitimate purposes such as content testing and web scraping. Security teams and law enforcement have also tracked persistent abuse of them, which blurs detection signals because malicious traffic appears to originate from consumer connections rather than from data centres or known hosting providers.
Scale and risk
Google said it identified "millions of devices" in the IPIDEA network. It described the system as a global "gray market" in hijacked bandwidth.
Google said defenders can struggle to fingerprint malicious traffic when it comes from a real residential internet provider. It said attackers can rotate where activity originates by switching between compromised household connections.
It also warned that compromised devices can present broader risks inside home environments. It said the software could create a back door into a home network. It said criminals could then reach other devices connected to the same Wi‑Fi, including laptops, cameras and smart home technology.
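Because a residential source address carries little reputation signal on its own, one defensive heuristic is to look for the rotation itself: a single authenticated session whose source addresses hop across unrelated home networks within a short window. The following is an added example written for this article, not Google's or IPIDEA's code; the log format, the session/user field names and the thresholds are assumptions, and the sample log lines are constructed.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (hypothetical format): session s1 hops across
# three unrelated networks in 15 minutes; session s2 stays on one address.
SAMPLE_LOG = """\
2024-05-01T10:00:00 session=s1 user=alice src=203.0.113.10
2024-05-01T10:04:00 session=s1 user=alice src=198.51.100.77
2024-05-01T10:09:00 session=s1 user=alice src=192.0.2.150
2024-05-01T10:15:00 session=s1 user=alice src=203.0.113.200
2024-05-01T10:00:00 session=s2 user=bob src=198.51.100.5
2024-05-01T10:30:00 session=s2 user=bob src=198.51.100.5
2024-05-01T11:00:00 session=s2 user=bob src=198.51.100.5
"""

def parse_line(line):
    """Parse one 'timestamp key=value ...' log line into a dict."""
    ts, *kv = line.split()
    fields = dict(part.split("=", 1) for part in kv)
    fields["ts"] = datetime.fromisoformat(ts)
    return fields

def network_of(ip, prefix=24):
    # Collapse to the enclosing /24 so a DHCP lease change inside one
    # household's ISP block is not counted as a hop between networks.
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))

def find_rotating_sessions(log_text, window=timedelta(minutes=30), min_networks=3):
    """Return {session: sorted networks} for every session whose source
    addresses span at least min_networks distinct /24s inside any window."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            rec = parse_line(line)
            events[rec["session"]].append((rec["ts"], network_of(rec["src"])))
    flagged = {}
    for session, evs in events.items():
        evs.sort()
        for i, (start, _) in enumerate(evs):
            nets = {net for ts, net in evs[i:] if ts - start <= window}
            if len(nets) >= min_networks:
                flagged[session] = sorted(nets)
                break
    return flagged
```

The thresholds are a starting point: a user on a mobile carrier can legitimately change address, so tune the window and network count against a baseline of normal sessions before alerting.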
Finally, Google said it will continue to track the ecosystem around residential proxy services and take action against apps and infrastructure linked to malicious enrolment of consumer devices.