Google dismantles the hijacking network of 9 million Android devices

NEWNow you can listen to News articles!

Free apps aren’t supposed to cost you anything other than storage space. But in this case, they may have cost millions of people control of their own Internet connections.

Google says it has disrupted what it believes was the world’s largest residential proxy network, one that secretly hijacked around 9 million Android devices, along with computers and smart home devices. Most people had no idea their devices were being used as the apps worked normally and nothing seemed broken.

But behind the scenes, those devices were silently routing traffic for strangers, including cybercriminals.

Sign up to receive my FREE CyberGuy report
Get my best tech tips, urgent security alerts, and exclusive offers delivered right to your inbox. Plus, you’ll get instant access to my Ultimate Guide to Surviving Scams, free when you join me CYBERGUY.COM information sheet.

PREVENT GOOGLE FROM FOLLOWING EVERY MOVEMENT OF YOUR MOVEMENT

A man stands in front of a building with a Google sign on the doors.

Google says it has disrupted a huge residential proxy network that secretly hijacked around 9 million smart and Android devices. (AaronP/Bauer-Griffin/GC Images)

How your device became part of a proxy network

According to Google’s Threat Intelligence Group, the network was linked to a company known as IPIDEA. Instead of spreading through obvious malware, it relied on hidden software development kits, or SDKs, that were embedded in more than 600 applications. These apps ranged from simple utilities to VPN tools and other free downloads. When you installed one, the app performed the advertised function. But you also enrolled your device in a residential proxy network.

That means your phone, computer, or smart device could be used as a relay point for someone else’s Internet traffic. That traffic could include crawling websites, launching automated login attempts, or masking the identity of someone conducting shady online activities. From the outside, it looked like that activity was coming from his home IP address. You wouldn’t see this happening and in many cases you wouldn’t notice any major performance issues.

Google says that in a single seven-day period earlier this year, more than 550 different threat groups were observed using IP addresses linked to this infrastructure. This includes cybercrime operations and actors linked to the State. Residential proxy networks are attractive because they make malicious traffic look like normal consumer activity. Instead of coming from a suspicious data center, it appears to be coming from someone’s living room.

What did Google do to close it

Google says it has taken legal action in a US federal court to seize domains used to control infected devices and route proxy traffic. He also worked with companies like Cloudflare and other security companies to disrupt network command and control systems. Google says it has also updated Play Protect, Android’s built-in security system, so that certified devices automatically detect and remove apps that are known to include malicious SDKs.

However, Google also warned that many of these apps were distributed outside of the official Play Store. This is important because Play Protect can only scan and block threats linked to apps installed through Google Play. Third-party app stores, unofficial downloads, and uncertified Android devices carry a much higher risk.

IPIDEA has claimed that its service was intended for legitimate commercial use, such as web research and data collection. But Google’s research suggests that criminals heavily abused the network. Even if some users knowingly installed bandwidth-sharing apps for rewards, many did not receive clear information about how their devices were being used.

Google’s research also found significant overlap between different proxy brands and SDK names. What seemed like separate services were often tied to the same infrastructure. That makes it harder for consumers to know which apps are secure and which are quietly monetizing their connection.

300,000 CHROME USERS AFFECTED BY FAKE AI EXTENSIONS

Software hidden inside more than 600 apps allegedly turned phones and computers into Internet relays for cybercriminals. (David Paul Morris/Bloomberg via Getty Images)

7 ways you can protect yourself from Android proxy attacks

If millions of devices can silently become Internet relay points, the big question is: how can you make sure yours isn’t one of them? These steps reduce the risk of your phone, TV Box or smart device being dragged into a proxy network without you realizing it.

1) Stick to official app stores

Only download apps from the Google Play Store or other trusted app markets. Some apps hide small pieces of code that can secretly use your Internet connection. These are often spread through third-party app stores or direct app files called “APKs”, which are Android app files that are installed manually instead of through the Play Store. When you download apps this way, you bypass Google’s built-in security controls. Sticking to official stores helps keep those hidden threats off your device.

2) Avoid “make money by sharing bandwidth” apps

If an app promises rewards for sharing your unused internet bandwidth, that’s a major red flag. In many cases, this is exactly how residential proxy networks recruit devices. Even if it sounds legitimate, you are actually renting your IP address. That can expose you to abuse, blacklisting, or deeper network vulnerabilities.

3) Carefully review the app permissions

Before installing any app, check what permissions it requests. A simple wallpaper app should not need full network control or background running privileges. After installation, go to your phone’s settings and audit which apps have constant Internet access, background activity rights, or special device permissions.

4) Install powerful antivirus software

Today’s mobile security tools can detect suspicious app behavior, unusual Internet activity, and hidden background services. Powerful antivirus software adds an extra layer of protection beyond what’s built into your device, especially if you’ve installed apps in the past that you’re unsure of. Get my picks for the best antivirus protection winners of 2026 for your Windows, Mac, Android, and iOS devices at Cyberguy.com.

5) Keep your devices up to date

Android security updates fix vulnerabilities that proxy operators can exploit. If you’re using an old phone, tablet, or Android TV Box that no longer receives updates, it may be time to update it. Unpatched devices are easier targets for hidden SDK abuse and botnet enrollment.

6) Use a secure password manager

If your device ever becomes part of a proxy network or is otherwise compromised, attackers often try to access your accounts next. That’s why you should never reuse passwords. A password manager generates long, unique passwords for each account and stores them securely, so a breach doesn’t unlock your email, banking, or social media. Many password managers also include breach monitoring tools that alert you if your credentials appear in leaked databases, giving you the opportunity to act before real damage is done. Check out the best expert-reviewed password managers of 2026 at Cyberguy.com.

7) Delete apps you don’t fully trust

Review your installed apps and remove or uninstall anything You don’t recognize it or you haven’t used it in months. The fewer apps running on your device, the fewer opportunities there are for hidden SDKs to work. If you suspect your device has been compromised, consider performing a hard reset and reinstalling only essential apps from trusted sources.

MALWARE FOR ANDROID HIDDEN IN A FAKE ANTI-VIRUS APP

A person uses a laptop with a Google search tab open on the screen.

Threat groups and state-linked actors allegedly used compromised devices to mask online activity and automate attacks. (Photo Illustration by Serene Lee/SOPA Images/LightRocket via Getty Images)

Kurt’s Key Takeaway

Residential proxy networks operate in a gray area that seems harmless on paper, but can quickly become a shield for cybercrime. In this case, millions of everyday devices were silently enrolled in a system that attackers used to hide their tracks. Google’s downfall is an important move, but the broader residential proxy server market continues to grow. That means you have to be careful about what you install and what permissions you grant. Free apps are rarely truly free. Sometimes the product being sold is you and your Internet connection.

Have you ever installed an app that promised rewards for sharing bandwidth or used a free VPN without a second thought? Let us know your opinion by writing to us at Cyberguy.com.

CLICK HERE TO DOWNLOAD THE News APP

Prevent Google from following your every move

Kurt “CyberGuy” Knutsson is an award-winning technology journalist with a deep love for technology, gear and devices that improve lives with his contributions to News and News Business since mornings on “News & Friends.” Do you have any technical questions? Get Kurt’s free CyberGuy newsletter, share your voice, a story idea or comment on CyberGuy.com.

Breaking News

LSU star Flaujae Johnson leads Bearded Dragon to final NCAA tournament of college career

Eagles acquire veteran quarterback Andy Dalton from Panthers with backup role in sight

Former NFL running back Boston Scott quits at 30, reveals feelings of ‘anger and bitterness’

NBA All-Star Blasts March Madness Fans for Bracketing Too Much: ‘It’s So Boring’

Hockey Hall of Fame Gives Jack Hughes Bad News About Olympic Gold Record Application

Costa Rica closes its embassy in Cuba and orders diplomats to leave

Stop Ozempic? New Study Reveals Surprising Weight Recovery Results After GLP-1

Defying AIPAC, Daniel Biss Wins Closely-Close Illinois House Primary

Trump Floats Wild Statehood Idea For Yet Another Country After Baseball Game

Team USA stars rip silver medals from necks after World Baseball Classic final loss to Venezuela