IPIDEA trojanized Android apps and Windows binaries enrolling devices into a proxy network
Malware Activity
Summary
The IPIDEA proxy network used trojanized Android apps and Windows binaries to enroll consumer devices as proxy exit nodes, creating a large-scale traffic-routing threat. Distribution reached at least 600 Android apps and over 3,000 Windows binaries. The activity mattered because traffic routed through enrolled devices could conceal account takeovers, credential theft, and other malicious operations while blending in with legitimate-looking VPN and proxy tools.
Related Happenings
Android Intrusion Logging forensic logging rollout for spyware investigations
Security Tool/Service
First: 13.05.2026 09:55
Last: 13.05.2026 09:55
Sources 1
About this happening:
**Android** is adding **Intrusion Logging**, an opt-in forensic feature in **Advanced Protection Mode** that preserves device and network activity for suspected spyware compromise...
Android 17 expands platform security and privacy protections
Security Tool/Service
First: 12.05.2026 20:00
Last: 12.05.2026 20:00
Sources 1
About this happening:
**Android 17** will add a broad set of **Google**-backed security and privacy controls next month, reducing exposure to **banking scam calls**, **device theft**, and **OTP theft**...
TrickMo Android banking trojan variant with TON C2 and network pivots
Malware Activity
First: 12.05.2026 15:50
Last: 12.05.2026 15:50
Sources 1
About this happening:
A new **TrickMo** Android banking trojan variant now uses **The Open Network (TON)** for C2, turning infected phones into **network pivots** and **traffic-exit nodes**. It was obs...
CallPhantom Google Play fraud campaign targeting Android users in India and Asia-Pacific
Campaign
First: 08.05.2026 18:08
Last: 08.05.2026 18:08
Sources 1
About this happening:
The **CallPhantom** fraud campaign pushed **28 fake call-history Android apps** through the **Google Play Store**, causing **financial loss** for users who paid for fabricated dat...
Sqgame[.]net gaming platform hit by network compromise
Incident
First: 05.05.2026 18:00
Last: 05.05.2026 18:00
Sources 1
About this happening:
The **sqgame[.]net** gaming platform was **compromised**, and its **Windows** and **Android** software were **trojanized** to deliver malicious code to users, putting a regional e...
Timeline
29.01.2026 21:29 · 2 articles
GTIG disrupts IPIDEA proxy network and discloses SDK findings
Initial Disclosure
Google Threat Intelligence Group (GTIG) and industry partners disrupted IPIDEA by taking down domains tied to IPIDEA services, infected device management, and proxy traffic routing, while sharing intelligence on the IPIDEA software development kits (SDKs) used to distribute the proxying tool. Google said IPIDEA operated a large residential proxy network with 6.7 million users worldwide, enrolled devices through at least 600 trojanized Android apps carrying Packet SDK, Castar SDK, Hex SDK, and Earn SDK, and through over 3,000 trojanized Windows binaries posing as OneDriveSync or Windows Update; Google Play Protect now automatically detects and blocks related apps on up-to-date, certified Android devices.
Sources
- Google disrupts IPIDEA residential proxy networks fueled by malware — www.bleepingcomputer.com — 29.01.2026 21:29