A Takedown Announced By Google Exposed How Common Apps Can Incorporate Libraries That Turn Android Phones Into Traffic Exit Points, With Global Impact And Focus On Residential Proxies, Mobile Security And Data Use.
Google announced it has taken down part of the infrastructure of a residential proxy network linked to the Chinese company IPIDEA and stated that the operation significantly reduced the availability of devices used as “bridges” for third-party traffic.
According to the company, the action combined technical measures and court orders to take down domains and services associated with controlling the network while simultaneously strengthening protections in the Android ecosystem.
In a technical statement, the company said that the operation of the scheme did not rely on a classic infection, such as those associated with viruses that freeze the phone or display ads.
Instead, the network spread through libraries embedded in applications, often installed as simple games and utility tools.
This way, the device could act as an exit point, allowing residential connections to be used by others without the owner’s awareness.
Residential Proxy Network And The Role Of SDKs In Applications
According to Google, the network relied on software development kits, the so-called SDKs, offered for integration in applications.
When this type of library was included in an app, the device began to communicate with a proxy infrastructure and could share part of the user’s connection with the service’s customers, as described by researchers.
In practice, this creates an intermediary layer: third-party traffic exits to the internet using the residential IP address of the phone owner.
The result, according to security analysts studying residential proxy networks, is that the real origin of certain requests may be less evident to systems trying to track who initiated an online action.
Google also stated that this type of structure tends to hinder investigations, precisely because it mixes consumer traffic with requests originating outside the home network.
Furthermore, the company indicated that residential addresses may appeal to different customer profiles, including for purposes that are not necessarily illicit, such as performance testing and verifying content by region.
The central point, however, is the lack of transparency when it is not clear to the user that their connection is being shared, or how this occurs.
Background Traffic And Why Detection Is Difficult
One of the reasons cited by Google for delayed detection is that the behavior did not fit the more common pattern of malware.
Instead of exploiting obvious flaws or requiring flashy permissions, the operation could remain in the background, as part of the app’s process.
In many cases, the user did not see direct signs on the screen indicating that the device was being used as a relay.
The alerts, according to researchers, appeared in large-scale traffic analyses.
The team claimed to have noticed unusual patterns related to volumes and data routes exiting from residential IP addresses.
From this mapping, Google said it identified domains, brands, and libraries associated with the IPIDEA ecosystem and, as a result, gathered evidence to block the operation and share indicators with partners.
Another highlighted point was the distributed nature of the system.
As the “nodes” were spread across devices worldwide, the traffic did not rely on a small set of servers.
This characteristic, according to cybersecurity experts, makes networks of this type more resilient and may require coordinated actions to reduce the reach.
More Than 600 Apps And The Scale In Millions Of Android Devices
In the announcement about the takedown, Google reported identifying more than 600 Android applications associated with libraries linked to IPIDEA.
The company also reported finding components and files related to the same ecosystem in a Windows environment, connected to the infrastructure used to coordinate the network.
According to the company’s estimate, the action affected a base of more than 9 million Android devices that could be used as exit points.
Google did not state that all these devices were active at the same time but maintained that the total volume associated with the ecosystem was enough to characterize a large-scale operation.
Play Protect, Alternative Stores And The Risk Of Installation Via APK
In addition to legal actions against the infrastructure, Google stated it has enhanced protections for Play Protect, the security tool that scans applications and libraries on Android.
According to the company, the system began to identify and block components associated with the described ecosystem, and to prevent new installations of these recognized libraries on supported devices.
Nevertheless, the company emphasized that the scenario changes when the user installs applications from outside official channels.
By resorting to alternative stores or APK files obtained from third parties, the user may bypass some of the verification and alert layers, which tends to increase exposure to libraries that have not gone through the same level of scrutiny.
Security researchers often recommend, in these cases, heightened attention to the origin of the app and the device’s behavior after installation, such as abnormal data consumption and background activity.
However, Google itself acknowledged that, in such networks, signs can be subtle.
Therefore, the company stated that strengthening blocks in the ecosystem aims to reduce the reach of known libraries and limit the reuse of the infrastructure.
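The two signals the article mentions, large-scale traffic analysis on the network side and abnormal data consumption and background activity on the device side, can be turned into a simple per-app heuristic. The following is an added example written for this page, not code from Google, IPIDEA or the article: the record format, the sample numbers and the thresholds are constructed assumptions, and in practice the input would come from the device’s per-app network accounting. A relay node tends to upload far more in the background than in the foreground, to contact many unrelated destinations, and to show roughly symmetric inbound and outbound byte counts, because whatever it receives it forwards.

```python
"""Heuristic check for installed apps that behave like traffic relays.

Added example, not code from the article or from Google. Inspects per-app
network accounting records over a time window and flags apps whose
background upload volume and destination fan-out look more like a proxy
exit point than like a game or utility. Fields, thresholds and sample
values are constructed assumptions.
"""
from dataclasses import dataclass


@dataclass
class AppTraffic:
    package: str
    fg_tx_bytes: int     # bytes sent while the app was on screen
    bg_tx_bytes: int     # bytes sent while the app was in the background
    bg_rx_bytes: int     # bytes received while in the background
    distinct_dests: int  # distinct remote hosts contacted in the window


# Constructed 24-hour sample; package names and numbers are made up.
SAMPLE = [
    AppTraffic("com.example.puzzle", fg_tx_bytes=1_200_000,
               bg_tx_bytes=80_000, bg_rx_bytes=150_000, distinct_dests=6),
    AppTraffic("com.example.flashlight", fg_tx_bytes=5_000,
               bg_tx_bytes=640_000_000, bg_rx_bytes=610_000_000,
               distinct_dests=1_900),
    AppTraffic("com.example.messenger", fg_tx_bytes=150_000_000,
               bg_tx_bytes=200_000_000, bg_rx_bytes=220_000_000,
               distinct_dests=15),
]

BG_TX_MIN = 50 * 1024 * 1024  # ignore apps sending under 50 MiB in background
BG_RATIO_MIN = 10.0           # background upload at least 10x foreground upload
DEST_MIN = 200                # relay-like destination fan-out
MIN_REASONS = 2               # require two independent signals to flag


def relay_reasons(rec: AppTraffic) -> list[str]:
    """Return the relay-like signals observed for one app (empty = none)."""
    reasons: list[str] = []
    if rec.bg_tx_bytes < BG_TX_MIN:
        return reasons  # too little background upload to matter
    ratio = rec.bg_tx_bytes / max(rec.fg_tx_bytes, 1)
    if ratio >= BG_RATIO_MIN:
        reasons.append(f"background upload {ratio:.0f}x foreground")
    if rec.distinct_dests >= DEST_MIN:
        reasons.append(f"{rec.distinct_dests} distinct destinations")
    # Relays forward what they receive, so background rx and tx are similar.
    if rec.bg_rx_bytes and 0.7 <= rec.bg_tx_bytes / rec.bg_rx_bytes <= 1.4:
        reasons.append("symmetric background rx/tx")
    return reasons


def find_relay_candidates(records: list[AppTraffic]) -> dict[str, list[str]]:
    """Map package name -> reasons, for apps with at least MIN_REASONS signals."""
    flagged = {}
    for rec in records:
        reasons = relay_reasons(rec)
        if len(reasons) >= MIN_REASONS:
            flagged[rec.package] = reasons
    return flagged


if __name__ == "__main__":
    for pkg, why in find_relay_candidates(SAMPLE).items():
        print(pkg, "->", "; ".join(why))
```

In the constructed sample the messenger app moves a lot of data and is symmetric, but it talks to few hosts and uploads about as much in the foreground as in the background, so it collects only one signal and is not flagged; the flashlight app collects all three. Requiring two independent signals is the design choice that keeps chat and sync apps out of the result while still catching the background relay pattern the article describes.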
Botnets, Abuse Of Infrastructure And Impacts For The User
Google also linked residential proxy networks to logistical support for malicious operations, mentioning botnets and uses associated with infrastructure abuse.
In the technical text, the company cited botnets such as Aisuru and Kimwolf as examples linked to the analyzed ecosystem, describing how libraries and services can be repurposed for illicit purposes when controlled by third parties.
Security experts point out that when the device becomes a traffic outlet, the user’s IP address may appear as the origin of requests that were not made by them.
This can lead to blocks on sites and services or alerts in anti-fraud systems, depending on the type of activity that traversed the connection.
Furthermore, according to industry analyses, there are also risks of expanding the attack surface on the home network when the device starts forwarding unsolicited traffic.
Free Apps, Transparency And The “Gray Area” Of Mobile Security
The episode reinforces an ongoing debate about transparency in free applications that rely on monetization via third parties.
In mobile environments, external libraries can perform various functions, from metrics to advertising and network services.
The problem, according to researchers, arises when users are not clearly informed about what is being collected, shared, or routed, and what the practical consequences of that are.
For this reason, experts often warn that downloading applications outside official sources increases the chance of installing modified versions or additional components that are not clearly visible to the user.
In a scenario where SDKs can operate in the background, the difficulty of distinguishing a legitimate app from an app embedded with network libraries tends to grow.