Google used a federal court order on Wednesday to dismantle what it described as one of the largest residential proxy networks in the world, seizing dozens of domains belonging to the Chinese firm IPIDEA and severing millions of devices from its infrastructure.
The joint effort, led by Google’s Threat Intelligence Group, targeted a network that cybersecurity researchers believe stealthily installed malicious software on cellphones, desktops, and Android devices worldwide. Over nine million Android devices are expected to be disconnected from IPIDEA’s network as a result of the operation.
The Operation’s Scope
IPIDEA maintained at least 13 residential proxy brands that have already been taken offline, according to Google. The company’s analysis found over 600 Android applications and more than 3,000 unique Windows files tied to IPIDEA’s command-and-control system. To avoid detection, several of these files disguised themselves as legitimate programs like Windows Update and OneDrive Sync.
Residential proxy networks route internet traffic through hijacked consumer devices, which makes malicious activity appear to come from ordinary home users. In a single week in January, Google’s threat intelligence team detected more than 550 tracked threat groups using IPIDEA’s infrastructure, including state-sponsored actors from China, North Korea, Iran, and Russia. According to several publications, “residential proxy networks have become a ubiquitous tool for everything from high-end espionage to massive criminal schemes,” stated John Hultquist, top analyst with Google’s Threat Intelligence Group. “It’s a consumer concern and it’s a national-security issue at the same time. Some of the biggest dangers to our nation are made possible by it.”
Chinese Firm Responds
This action continues a lawsuit Google filed in July 2025 against the anonymous operators of a botnet involving over 10 million internet-connected devices that were purportedly pre-installed with residential proxy software. Google found links between that network and IPIDEA, prompting the expanded legal action.
Before the takedown, an IPIDEA representative stated in an email to The Wall Street Journal that the company and its partners had engaged in “relatively aggressive market expansion strategies” and “conducted promotional activities in inappropriate venues (e.g., hacker forums).” She stated that the company has since improved its business procedures.
Google has updated Google Play Protect, Android’s built-in security mechanism, to immediately notify users about apps containing IPIDEA code and remove harmful applications from approved devices. To plan the disruption, the company collaborated with Cloudflare and other businesses in the sector.

