More than nine million Android phones around the world were quietly hijacked and used to power what investigators describe as the world’s largest residential proxy network, Google has revealed.
The operation, run by a Chinese-linked group known as IPIDEA, turned ordinary devices into unwitting tools for hackers by routing suspicious and often malicious internet traffic through people’s home connections without their knowledge.
To users, the apps looked harmless – simple games, utilities and productivity tools. Behind the scenes, however, the software transformed phones into so-called ‘exit nodes’, masking the true location of criminals online.
According to Google’s Threat Intelligence Group, IPIDEA slipped its software development kits into more than 600 Android apps, marketing them to developers as legitimate ways to earn money.
There were no obvious red flags or traditional malware warnings, making the scheme difficult for users to detect. Once installed, the apps effectively handed over bandwidth and access, allowing cyber gangs to hide behind real residential IP addresses.
Devices based in the US, Canada and Europe were particularly valuable because their home internet addresses appeared more trustworthy.
Google said it has now dismantled much of the network in a coordinated crackdown with Cloudflare, cybersecurity firms and federal courts, seizing dozens of command-and-control domains and severing the system’s backbone.
Millions of affected devices have been removed from the network, and Google Play Protect has been updated to detect and block apps carrying the malicious code.
However, the threat has not fully disappeared. Experts warn that phones installing apps from unofficial or sideloaded sources remain exposed.