IPIDEA trojanized Android apps and Windows binaries enrolling devices into a proxy network
Malware Activity
Summary
Hide ▲
Show ▼
The IPIDEA proxy network used trojanized Android apps and Windows binaries to enroll consumer devices as proxy exit nodes, creating a large-scale traffic-routing threat. The distribution reached at least 600 Android apps and over 3,000 Windows binaries, spanning Android and Windows. The activity mattered because routed traffic could hide account takeovers, credential theft, and other malicious operations while blending into legitimate-looking VPN and proxy tools.
Related Happenings
UAT-7810 expands LapDogs ORB network to provide covert routing infrastructure
Threat Actor Meta
H score29
First: 08.07.2026 17:30
Last: 08.07.2026 17:30
Sources 1
About this happening:
**UAT-7810** expanded its **LapDogs ORB network**, adding covert routing capacity that helps other hackers hide traffic origin and reach **high-value targets**. The infrastructure...
UAT-7810 expands LapDogs ORB network to provide covert routing infrastructure
Threat Actor MetaAbout this happening: **UAT-7810** expanded its **LapDogs ORB network**, adding covert routing capacity that helps other hackers hide traffic origin and reach **high-value targets**. The infrastructure...
Google Play Protect adds warnings and app disabling for compromised SDK abuse
Security Tool/Service
H score11
First: 03.07.2026 12:35
Last: 03.07.2026 12:35
Sources 1
About this happening:
**Google Play Protect** was updated in **July 2026** to **warn Android users automatically** and **disable apps** tied to **compromised SDKs**, limiting abuse of consumer devices...
Google Play Protect adds warnings and app disabling for compromised SDK abuse
Security Tool/ServiceAbout this happening: **Google Play Protect** was updated in **July 2026** to **warn Android users automatically** and **disable apps** tied to **compromised SDKs**, limiting abuse of consumer devices...
Popa botnet forcing consumer TV boxes to relay traffic
Malware Activity
H score76
First: 18.06.2026 20:37
Last: 18.06.2026 20:37
Sources 1
About this happening:
**Popa** is an **Android-based botnet** that turns **consumer TV boxes** and related devices into relay infrastructure, maintaining encrypted connectivity and opening tunnels on d...
Popa botnet forcing consumer TV boxes to relay traffic
Malware ActivityAbout this happening: **Popa** is an **Android-based botnet** that turns **consumer TV boxes** and related devices into relay infrastructure, maintaining encrypted connectivity and opening tunnels on d...
Latest development: 03.07.2026 12:35
Google disabled NetNut accounts used for malware command-and-control, updated Google Play Protect to warn Android users, and disabled apps containing compromised SDKs while FBI legal actions and domain seizures targeted NetNut infrastructure. The coordinated disruption was described as degrading NetNut’s proxy network and shrinking the pool of devices available to the operator.
Vo1d botnet campaign targeting unofficial Android-based TV boxes
Campaign
H score88
First: 18.06.2026 20:37
Last: 18.06.2026 20:37
Sources 1
About this happening:
**NetNut** used the **Popa botnet** and deceptive SDKs on **off-brand Android-based smart TVs**, streaming media boxes, and unofficial apps to turn home connections into **residen...
Vo1d botnet campaign targeting unofficial Android-based TV boxes
CampaignAbout this happening: **NetNut** used the **Popa botnet** and deceptive SDKs on **off-brand Android-based smart TVs**, streaming media boxes, and unofficial apps to turn home connections into **residen...
Latest development: 03.07.2026 12:35
Google disabled all Google accounts used by NetNut for malware command-and-control, updated Google Play Protect to warn Android users, and disabled apps containing the compromised SDKs. The FBI’s seizure banner appeared on netnut.com while netnut.io briefly remained accessible, and Google said the coordinated actions caused significant degradation to NetNut’s proxy network and business operations.
Android Intrusion Logging forensic logging rollout for spyware investigations
Security Tool/Service
H score11
First: 13.05.2026 09:55
Last: 13.05.2026 09:55
Sources 1
About this happening:
**Android** is adding **Intrusion Logging**, an opt-in forensic feature in **Advanced Protection Mode** that preserves device and network activity for suspected spyware compromise...
Android Intrusion Logging forensic logging rollout for spyware investigations
Security Tool/ServiceAbout this happening: **Android** is adding **Intrusion Logging**, an opt-in forensic feature in **Advanced Protection Mode** that preserves device and network activity for suspected spyware compromise...
Timeline
-
29.01.2026 21:29 2 articles · 5mo ago
GTIG disrupts IPIDEA proxy network and discloses SDK findings
Initial DisclosureGoogle Threat Intelligence Group (GTIG) and industry partners disrupted IPIDEA by taking down domains tied to IPIDEA services, infected device management, and proxy traffic routing, while sharing intelligence on the IPIDEA software development kits (SDK) used to distribute the proxying tool. Google said IPIDEA operated a large residential proxy network with 6.7 million users worldwide, enrolled devices through at least 600 trojanized Android apps carrying Packet SDK, Castar SDK, Hex SDK, and Earn SDK, and through over 3,000 trojanized Windows binaries posing as OneDriveSync or Windows Update; Google Play Protect now automatically detects and blocks related apps on up-to-date, certified Android devices.
Show sources
- Google disrupts IPIDEA residential proxy networks fueled by malware — www.bleepingcomputer.com — 29.01.2026 21:29
- Google disrupts IPIDEA residential proxy networks fueled by malware — www.bleepingcomputer.com — 29.01.2026 21:29