Google Shuts Down Massive Android Malware Network Hijacking Millions of Devices
- John Jordan

- 3 hours ago
Google has successfully dismantled a vast residential proxy network, dubbed 'Goldoson,' that secretly compromised approximately 9 million Android devices, along with other internet-connected gadgets. This sophisticated operation, disguised within seemingly legitimate free applications, turned unsuspecting users' devices into unwitting relays for malicious internet traffic, including cybercriminal activities.
Key Takeaways
- A massive residential proxy network, 'Goldoson,' has been dismantled by Google.
- Approximately 9 million Android devices were compromised.
- The network operated by embedding malicious SDKs into over 600 free apps.
- Compromised devices were used to route traffic for cybercriminals, masking their activities.
- Google took legal action and updated its Play Protect system to combat the threat.
How the Network Operated
According to Google's Threat Intelligence Group, the 'Goldoson' network was linked to a company named IPIDEA. Instead of relying on overt malware, the network utilized hidden software development kits (SDKs) embedded within more than 600 applications. These apps, ranging from simple utilities to VPN tools, performed their advertised functions while simultaneously enrolling the user's device into the proxy network. This allowed the devices to act as relay points for third-party internet traffic, which could include website scraping, automated login attempts, or masking the identity of individuals engaged in illicit online activities. The traffic would appear to originate from the user's home IP address, making it difficult to detect.
Google's Response and Mitigation Efforts
Google took decisive action to disrupt the network. This included pursuing legal action in a U.S. federal court to seize domains used for controlling the infected devices and routing traffic. The company also collaborated with security firms like Cloudflare to dismantle the network's command-and-control systems. Furthermore, Google updated its built-in Android security system, Play Protect, to automatically detect and remove apps containing the malicious SDKs on certified devices. However, Google cautioned that many of these compromised apps were distributed outside the official Google Play Store, making them harder for Play Protect to identify and block.
Protecting Yourself from Proxy Attacks
To safeguard devices from similar threats, users are advised to follow several protective measures:
- Stick to Official App Stores: Only download applications from trusted sources like the Google Play Store to avoid apps with hidden malicious code.
- Avoid "Earn Money by Sharing Bandwidth" Apps: Be wary of apps that promise rewards for sharing internet bandwidth, as this is a common recruitment method for proxy networks.
- Review App Permissions Carefully: Scrutinize the permissions requested by apps before installation and audit existing app permissions in your device settings.
- Install Strong Antivirus Software: Employ reputable mobile security tools to detect suspicious behavior and hidden background services.
- Keep Devices Updated: Ensure your Android devices receive regular security updates to patch vulnerabilities.
- Use a Strong Password Manager: Protect your online accounts with unique, strong passwords managed securely to prevent credential stuffing in case of a breach.
- Remove Untrusted Apps: Regularly uninstall applications that are not recognized or have not been used recently to minimize potential attack vectors.
Google's takedown of the 'Goldoson' network highlights the evolving landscape of cyber threats, where seemingly harmless free applications can be exploited for malicious purposes. Users must remain vigilant about app installations and permissions to protect their digital privacy and security.
Sources
Free Android Apps Hijacked Millions Into Proxy Network, Fox News.
