Google dismantles a massive Chinese proxy botnet that hijacked 9 million Android phones through 600 apps, turning devices into tools for cybercrime.
Google has dismantled what is being described as the world’s largest residential proxy network after uncovering a China-based operation that silently compromised more than nine million Android smartphones. The network, known as IPIDEA, infected devices through over 600 Android applications, converting unsuspecting users’ phones into proxy nodes that cybercriminals could exploit.
According to Google, the operation relied on malicious software development kits (SDKs) embedded inside seemingly legitimate apps, including free games, productivity tools, and utility applications. These SDKs were marketed to developers as simple monetization tools, but in reality they enabled attackers to route internet traffic through infected phones without users’ knowledge. This allowed threat actors to disguise malicious activity as ordinary residential traffic, making detection significantly harder.
Once installed, the compromised devices became “exit nodes” in a vast proxy botnet, facilitating activities such as botnet operations, fraud, and espionage. Google’s Threat Intelligence Group reported that more than 550 distinct threat groups leveraged IPIDEA’s infrastructure in a single week, with actors linked to countries including China, North Korea, Iran, and Russia. Devices with residential IP addresses in the United States, Canada, and Europe were particularly valuable targets.
The IPIDEA network also supported several well-known proxy and VPN brands, including 360 Proxy, 922 Proxy, and Galleon VPN. These services were frequently advertised on underground forums as “bandwidth sharing” or “passive income” apps, enticing users with promises of easy money in exchange for running background services on their phones.
To dismantle the operation, Google collaborated with Cloudflare, cybersecurity partners, and U.S. federal courts to seize dozens of command-and-control domains and disrupt the network’s infrastructure. As a result, millions of infected devices have been removed from IPIDEA’s control. Google Play Protect has also been updated to automatically detect and block apps that contain the malicious SDKs on certified Android devices.
Despite the success of the takedown, security experts warn that the broader risk remains. Apps installed from third-party sources and sideloaded outside the Google Play Store can still expose users to similar threats. The incident underscores how easily everyday apps can be weaponized and highlights the importance of downloading software only from trusted sources, reviewing app permissions carefully, and avoiding offers that seem too good to be true.
For Android users, the message is clear: staying within official app ecosystems and practicing basic cybersecurity hygiene remains one of the most effective defenses against large-scale mobile threats.