On Wednesday, January 28th, Google announced that it had taken action against the Chinese residential-proxy operator “Ipidea” through a US federal court order, taking dozens of Ipidea’s domain names offline. Google also removed hundreds of Ipidea-related applications from Android devices, affecting over 9 million devices.
Ipidea, a Chinese company, is accused of operating a massive “residential proxy” network. Much like an Airbnb for internet connections, Ipidea plants its software on millions of smartphones, home computers and Android devices such as media players, then rents out those devices’ bandwidth to paying customers who want to browse the internet anonymously, often without the device owners’ knowledge.
Google Threat Intelligence Group (GTIG) pointed out that Ipidea’s “residential proxy” service is routinely abused by criminals and hackers, serving as a tool for criminal groups and state-sponsored hackers to hide their tracks. Reports indicate that hacking groups from China, North Korea, Iran and Russia have used Ipidea’s proxy network.
John Hultquist, the Chief Analyst of Google Threat Intelligence Group, emphasized that this is not only a consumer issue but also a national security concern. He stated, “It is fueling some of the most serious threats to our country.”
By gaining control of these domain names belonging to Ipidea, Google has been able to shut down Ipidea’s public websites and technical backend.
An Ipidea spokesperson told The Wall Street Journal that the company was established in 2020, based in China, with hundreds of employees serving its proxy network across 220 countries and covering “tens of millions of devices.”
According to Google’s investigation, the Russia-linked hacking group “Midnight Blizzard” used the “residential proxy” service to hide its tracks during the 2023 Microsoft breach.
What further alarms cybersecurity experts is that, because of vulnerabilities in Ipidea’s own infrastructure, a separate group of hackers exploited it last fall, seizing control of at least 2 million devices to build a botnet named “Kimwolf” and launch distributed denial-of-service (DDoS) attacks.
Chad Seaman, a researcher at Akamai, described “Kimwolf” as one of the most powerful botnets in history, capable of hurling billions of bits of junk traffic per second and crippling websites.
Ipidea claims to have taken measures to prevent such network takeovers from happening again.
Google stated that Ipidea operates at least 13 residential proxy brands, including Ipidea, 922 Proxy, Py Proxy, and 360 Proxy, all of which were taken offline in Wednesday’s operation.
A robust “residential proxy” network requires control of millions of IP addresses that customers can use. IP addresses in the US, Canada and Europe are particularly sought after. To obtain them, operators of such networks need code running on consumer devices that enrolls those devices into the network as “exit nodes.”
To accomplish this, Ipidea built various software development kits (SDKs). When developers integrate these SDKs into their apps, Ipidea pays them based on the app’s download count. Once users install games or utility apps containing this code, their devices become “exit nodes” for the proxy network.
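The article describes the exit-node mechanism from the operator’s side. The following is an added example, not code from the original article, from Google, or from Ipidea, that shows what the same mechanism looks like from the home network’s side: a heuristic that scans router flow records for a device with the three tell-tale traits of a proxy exit node (fan-out to many unrelated web hosts, a persistent control channel back to one remote host, and upload volume close to download volume because relayed responses are forwarded back out). The flow-log format, the thresholds, the device and remote addresses and the sample log itself are all assumptions constructed for illustration.

```python
# Added example, not code from the original article, Google, or Ipidea.
# Heuristic detection of a home device behaving as a residential-proxy
# "exit node", run over constructed router flow records. The log format,
# thresholds and all addresses below are assumptions for illustration.
from collections import defaultdict
from dataclasses import dataclass

WEB_PORTS = {80, 443}


@dataclass(frozen=True)
class Flow:
    ts: int          # seconds since epoch
    src: str         # local device address
    dst: str         # remote address
    dport: int       # remote port
    bytes_out: int   # local -> remote
    bytes_in: int    # remote -> local


def parse_flows(text):
    """Parse lines of 'ts src dst dport bytes_out bytes_in' (assumed format)."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, dport, bout, binb = line.split()
        flows.append(Flow(int(ts), src, dst, int(dport), int(bout), int(binb)))
    return flows


def exit_node_signals(flows, window=3600, min_dests=50,
                      control_min_flows=10, symmetry=(0.5, 2.0)):
    """Return {device: [reasons]} for devices that show at least two of:

    1. fan-out: many distinct remote web hosts within one window, which is
       how an exit node looks when many proxy customers browse through it;
    2. control channel: a long-lived, repeatedly used connection to one
       remote host:port off the web ports (the SDK's link back to the
       operator, which is also the foothold into the home network);
    3. symmetric volume: uploads close to downloads, because every relayed
       response is fetched and then forwarded back out, whereas a normal
       client mostly downloads.
    Thresholds are assumptions; tune them to the network being watched.
    """
    by_device = defaultdict(list)
    for f in flows:
        by_device[f.src].append(f)

    findings = {}
    for dev, fl in by_device.items():
        reasons = []
        t0 = min(f.ts for f in fl)

        web_dests = {f.dst for f in fl
                     if f.dport in WEB_PORTS and f.ts - t0 < window}
        if len(web_dests) >= min_dests:
            reasons.append(f"fan-out: {len(web_dests)} web hosts in {window}s")

        peers = defaultdict(list)
        for f in fl:
            if f.dport not in WEB_PORTS:
                peers[(f.dst, f.dport)].append(f.ts)
        for (dst, port), stamps in peers.items():
            span = max(stamps) - min(stamps)
            if len(stamps) >= control_min_flows and span >= window // 2:
                reasons.append(f"control channel: {len(stamps)} flows to "
                               f"{dst}:{port} over {span}s")

        out = sum(f.bytes_out for f in fl)
        inb = sum(f.bytes_in for f in fl)
        if inb and symmetry[0] <= out / inb <= symmetry[1]:
            reasons.append(f"symmetric volume: out/in = {out / inb:.2f}")

        if len(reasons) >= 2:
            findings[dev] = reasons
    return findings


def constructed_sample():
    """Constructed log: 10.0.0.5 browses normally; 10.0.0.23 relays traffic."""
    lines = ["# ts src dst dport bytes_out bytes_in"]
    # Laptop: a dozen sites, download-heavy, no persistent off-web peer.
    for i in range(12):
        lines.append(f"{1000 + 60 * i} 10.0.0.5 198.51.100.{i + 1} 443 4000 250000")
    # TV box: a request from the operator every two minutes on 8443, each
    # relayed response pushed back up that channel (upload-heavy) ...
    for i in range(30):
        lines.append(f"{1000 + 120 * i} 10.0.0.23 203.0.113.10 8443 240000 10000")
    # ... and 120 unrelated web hosts fetched on behalf of proxy customers.
    for i in range(120):
        lines.append(f"{1000 + 30 * i} 10.0.0.23 198.51.100.{100 + i} 443 2000 60000")
    return "\n".join(lines)


if __name__ == "__main__":
    for dev, reasons in exit_node_signals(parse_flows(constructed_sample())).items():
        print(dev)
        for r in reasons:
            print("  -", r)
```

Run against the constructed log, only the TV box at 10.0.0.23 is reported, with all three signals; the laptop at 10.0.0.5 trips none of them. A single signal is deliberately not enough to flag a device, since a torrent client or a backup job can legitimately show fan-out or symmetric volume on its own; it is the combination with a persistent off-web control channel that matches the SDK behaviour the article describes.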
Earlier this week, before the takedown operation, an Ipidea spokeswoman acknowledged in an email to The Wall Street Journal that the company and its partners had adopted a “relatively aggressive market expansion strategy” and promoted their services in “inappropriate places, such as hacker forums.” However, she said the company had since improved its business model and claimed to “clearly oppose any form of illegal or abusive behavior.”
In response to this threat, Google has strengthened its “Google Play Protect” system, which now automatically warns users about, and removes, applications containing Ipidea-related SDKs, and blocks future installations of them.
Google advises consumers to be wary of any application that promises rewards for “sharing idle bandwidth”: such software can act as a backdoor into the home network, giving outsiders a foothold from which to reach private devices and internal resources on the same network.
Additionally, when purchasing internet-connected devices like smart TV boxes, consumers should ensure they have official security certifications to safeguard their privacy.
