In January 2026, Google's Threat Intelligence Group shut down IPIDEA, a residential proxy network that had quietly enrolled 9 million Android devices into a botnet. Apps looked completely normal on the surface. Free VPN utilities, casual games, flashlight tools - all functioning exactly as advertised. But underneath, embedded SDKs turned every phone into a proxy exit node, routing traffic from over 550 threat groups (including state-sponsored actors from China, Russia, Iran, and North Korea) through real people's home IP addresses.
Quick Summary TLDR
- Google disrupted IPIDEA in January 2026, exposing how free VPN apps secretly hijacked 9 million Android devices as proxy exit nodes for 550+ threat groups.
- Free VPNs monetize through data harvesting, bandwidth resale, and ad injection - infrastructure isn't free, so users pay with their device and data instead.
- The residential proxy supply chain is deliberately opaque: many 'clean' residential IPs trace back to compromised consumer devices whose owners never consented.
- Carrier-grade mobile proxies from dedicated SIM hardware sidestep this entire problem - no consumer devices, no SDK embedding, no hijacked bandwidth.
- Detect compromise by auditing per-app background data, monitoring outbound connections with PCAPdroid, and checking for excessive permissions in VPN apps.
This wasn't an isolated incident either. Hola VPN got caught doing the same thing back in 2015. PROXYLIB infected 28 Google Play apps in 2023. Urban VPN was exposed in 2025 for harvesting users' AI prompts and selling them to ad brokers. The same pattern repeats every year, and the risks of free VPNs keep compounding.
If a VPN or proxy service costs nothing, the product is almost certainly your device.
How Free VPNs Actually Make Money
Running VPN infrastructure costs real money: bandwidth, servers, peering agreements, maintenance. A mid-tier VPN provider serving 500,000 users burns through millions annually in infrastructure costs alone. A provider that charges nothing still has to recover those costs, and it does so through a few well-documented strategies.
Data harvesting and resale. A significant majority of free VPN providers sell browsing data to third-party advertisers and data brokers. DNS queries, session metadata, browsing history, device fingerprints - all packaged and auctioned off. Research has consistently found that most free VPNs embed at least one tracking library, with some bundling many more.
Bandwidth resale. Here's where it gets considerably worse. Some free VPNs don't just watch traffic - they sell your connection outright. Your device becomes an exit node in a residential proxy botnet, and your home IP gets rented to whoever's buying. IPIDEA built the largest known network doing exactly this, routing traffic from hundreds of threat groups through consumer devices whose owners had zero idea what was happening. Understanding how proxies function as intermediaries makes the mechanics of this exploitation clearer.
Ad injection and session manipulation. Free proxy dangers extend to direct interference with browsing sessions too. Some apps inject affiliate cookies, redirect search queries, or swap out ad placements on pages users visit. Urban VPN took it further by intercepting AI chatbot prompts and selling conversational data to advertising firms, which is a whole different level of invasive.
Inside the Technical Mechanics: SDK Embedding and C2 Infrastructure
Understanding the free VPN hidden costs means looking at how these apps actually operate under the hood.
IPIDEA followed a pattern that's become standard in the residential proxy botnet ecosystem. Developers - sometimes knowingly, sometimes not - integrate a third-party SDK into their app. On installation, the app requests standard Android permissions: network access, background execution, maybe location. Nothing that triggers a red flag during Google Play's review process, which is part of what makes this so tricky to catch at scale.
Once installed, the SDK phones home to a command-and-control (C2) server and registers the device's IP, carrier, geolocation, and available bandwidth. From that point on, the device is an active exit node. Traffic from paying proxy customers gets routed through the phone's connection, exits through the user's residential or mobile IP, and reaches whatever destination the customer targets.
The C2 infrastructure itself is worth a closer look. IPIDEA operated roughly 7,400 Tier Two command-and-control servers, which made takedown coordination extremely difficult. Traffic between the proxy buyer and the relay is encrypted, but the exit traffic - the part leaving the victim's device - is whatever the buyer chose to send, so plaintext HTTP leaves the phone as plaintext. The device owner's ISP sees requests they never made, and the destination server sees a "clean" residential IP as the origin.
Typical SDK enrollment flow:
1. App installed > SDK initializes in background
2. SDK sends device fingerprint to C2: {IP, carrier, IMEI hash, GPS, bandwidth}
3. C2 assigns device to proxy pool (residential/mobile)
4. Proxy buyer connects > traffic routed: Buyer > Relay > C2 > Victim Device > Target
5. Target sees victim's residential/mobile IP as request origin
6. Device owner sees: increased data usage, battery drain, occasional latency spikes
Some of these SDKs are sophisticated enough to throttle usage during active screen time and ramp up proxy traffic when the device is idle or charging. That makes detection much harder for the average user.
How to Tell if a VPN Is Selling Data (or Bandwidth)
Spotting compromise isn't always straightforward. But there are concrete signals worth checking.
Unusual data consumption. If a device consistently uses significantly more data per month than expected, especially on cellular, something's routing traffic through it. Per-app data usage in Android settings is the first place to look. Any app consuming significant background data without a clear reason deserves scrutiny.
Battery drain patterns. Proxy SDKs keep network connections alive continuously, so a free VPN app draining substantial battery daily while "idle" is a strong indicator. Normal VPN apps in standby shouldn't cause significant drain.
DNS and connection auditing. Tools like NetGuard or PCAPdroid can log outbound connections on Android without root. Run a capture for 24 hours with the suspected app installed - if there are connections to IP ranges associated with known proxy infrastructure, or dozens of unique destination IPs nobody on the device actually visited, that's a problem.
Permission creep. Free VPN apps requesting access to location, contacts, SMS, or device identifiers have no legitimate reason to do so. A VPN needs network access and maybe notification permissions. Anything beyond that is a data collection vector.
The most reliable signal, honestly, is just the business model. No subscription, no ads, no clear revenue source? Economics don't lie. Something is being sold, and it's either data, bandwidth, or both. The EFF's privacy protection guidance covers additional signals worth knowing for ongoing device hygiene.
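The permission-creep check above can be automated against the output of `adb shell dumpsys package <package.name>`. The script below is an added example written for this post, not code from the original article or from any VPN vendor. The dumpsys excerpt embedded in it is constructed for the demo (the package name `com.example.freevpn` is hypothetical), and the "expected" and "high-risk" permission sets are the author's judgement of what a VPN client does and does not need; adjust them to the app under review.

```python
"""Permission-creep audit for an Android VPN app (added example, not the post's code).

Parses the permission lines of `adb shell dumpsys package <pkg>` and flags anything
a VPN client has no business asking for. Feed it real dumpsys output on a device;
the sample below is constructed.
"""
import re

# Permissions a VPN client plausibly needs (author's assumption, not an Android spec).
EXPECTED_VPN_PERMS = {
    "android.permission.INTERNET",
    "android.permission.ACCESS_NETWORK_STATE",
    "android.permission.FOREGROUND_SERVICE",
    "android.permission.POST_NOTIFICATIONS",
    "android.permission.RECEIVE_BOOT_COMPLETED",
}

# Permissions with no VPN use case that are classic data-collection vectors.
HIGH_RISK_PERMS = {
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.ACCESS_COARSE_LOCATION",
    "android.permission.READ_CONTACTS",
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_PHONE_STATE",
    "android.permission.READ_CALL_LOG",
    "android.permission.CAMERA",
    "android.permission.RECORD_AUDIO",
}

# Matches both "requested permissions" lines (bare name) and "install/runtime permissions"
# lines, which carry a "granted=true/false" suffix.
PERM_RE = re.compile(r"^[ \t]*(android\.permission\.[A-Z_]+)(?::\s*granted=(true|false))?", re.M)

# Constructed sample of dumpsys output for a hypothetical free VPN app.
SAMPLE_DUMPSYS = """\
Packages:
  Package [com.example.freevpn] (3f2a1b9):
    userId=10231
    versionName=2.4.1
    requested permissions:
      android.permission.INTERNET
      android.permission.ACCESS_NETWORK_STATE
      android.permission.FOREGROUND_SERVICE
      android.permission.RECEIVE_BOOT_COMPLETED
      android.permission.ACCESS_FINE_LOCATION
      android.permission.READ_PHONE_STATE
      android.permission.READ_CONTACTS
    install permissions:
      android.permission.INTERNET: granted=true
      android.permission.ACCESS_NETWORK_STATE: granted=true
      android.permission.FOREGROUND_SERVICE: granted=true
      android.permission.RECEIVE_BOOT_COMPLETED: granted=true
    User 0: installed=true stopped=false
      runtime permissions:
        android.permission.ACCESS_FINE_LOCATION: granted=true, flags=[ USER_SET]
        android.permission.READ_PHONE_STATE: granted=true, flags=[ USER_SET]
        android.permission.READ_CONTACTS: granted=false, flags=[ USER_SET]
"""


def audit_permissions(dumpsys_text: str) -> dict:
    """Return requested/granted sets plus a verdict: LOW, MEDIUM (unexpected but
    not dangerous, or dangerous but not granted) or HIGH (dangerous and granted)."""
    requested, granted = set(), set()
    for m in PERM_RE.finditer(dumpsys_text):
        perm, state = m.group(1), m.group(2)
        requested.add(perm)
        if state == "true":
            granted.add(perm)
    unexpected = requested - EXPECTED_VPN_PERMS
    high_risk = requested & HIGH_RISK_PERMS
    granted_high_risk = high_risk & granted
    if granted_high_risk:
        verdict = "HIGH"
    elif unexpected:
        verdict = "MEDIUM"
    else:
        verdict = "LOW"
    return {
        "requested": requested,
        "granted": granted,
        "unexpected": unexpected,
        "high_risk": high_risk,
        "granted_high_risk": granted_high_risk,
        "verdict": verdict,
    }


if __name__ == "__main__":
    result = audit_permissions(SAMPLE_DUMPSYS)
    print("verdict:", result["verdict"])
    for perm in sorted(result["unexpected"]):
        tag = "GRANTED" if perm in result["granted"] else "requested"
        print(f"  {perm} ({tag})")
```

On the constructed sample the verdict is HIGH because fine location and phone state (device identifiers) are both requested and granted; READ_CONTACTS is requested but denied, which still counts against the app since the request itself has no VPN justification.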
Residential Proxy Supply Chain: Where Do Those IPs Come From?
Nobody in the proxy industry talks about this part openly, and that's kind of the whole problem.
IPIDEA's takedown exposed an uncomfortable truth: a significant portion of "residential proxy" inventory available from commercial providers originates from compromised devices. Someone installs a free flashlight app in Jakarta or a free VPN in Sao Paulo, and their IP gets funneled into a pool that's resold through multiple layers of aggregators. No consent involved. No disclosure. This is a pattern that IP intelligence providers like MaxMind have documented when analyzing how privacy networks affect IP classification and risk scoring.
"IPIDEA sold access to 9 million hijacked device IPs to 550+ threat groups. The devices' owners never consented. That's the supply chain behind many 'residential proxy' services."
Even providers who claim ethical sourcing often can't actually verify it. They purchase IP pools from upstream aggregators who purchase from SDK operators who embed in free apps. Chain of custody is deliberately opaque by design. Cloudflare's research on residential proxy bot detection documents how widespread this sourcing pattern is - 30-100 million IP pools are common, and a significant share trace back to consumer devices enrolled without knowledge.
This is exactly why carrier-grade mobile proxies from dedicated SIM infrastructure represent a fundamentally different model. VoidMob's mobile proxies run on real 4G/5G SIM cards in dedicated hardware, not harvested from consumer devices. Every IP is assigned by a carrier, rotates through legitimate mobile network infrastructure, and doesn't depend on anyone's unknowing participation. No SDK trickery, no botnet enrollment. For a deeper look at how these proxy types compare technically, see our breakdown of datacenter vs residential vs mobile proxies.
| Factor | Free VPN / Residential Proxy Botnet | Dedicated Mobile Proxy (VoidMob) |
|---|---|---|
| IP Source | Hijacked consumer devices | Carrier-assigned SIM hardware |
| User Consent | None (hidden SDK) | N/A - no end-user devices involved |
| IP Trust Score | Degrades over time (abuse reports) | High - clean carrier rotation |
| Data Privacy | Logs and sells user data | No KYC, no logging |
| Reliability | Unstable - devices go offline randomly | Dedicated infrastructure, consistent uptime |
| Threat Exposure | Routes state-actor traffic through your IP | Isolated from consumer networks |
For a broader look at the ethical sourcing problem across the budget proxy market, our post on why cheap residential proxies are often unethical IP traps goes into further detail.
Practical Steps to Protect Your Devices
Removing the compromised app is necessary but not always sufficient: check that no companion app or leftover background service tied to it is still running. Here's what actually helps:
- Audit installed apps. Remove any free VPN or proxy app that doesn't have a transparent, verifiable privacy policy and a clear revenue model.
- Check background processes. On Android: Settings > Developer Options > Running Services. Look for unfamiliar services tied to VPN or utility apps.
- Monitor network traffic. Run PCAPdroid for 48 hours. Flag any app making connections to numerous unique IPs that weren't user-initiated.
- Factory reset if uncertain. If a device has had a suspected proxy SDK app installed for months, a clean reset is the safest path. Worth the inconvenience.
- Use paid, audited tools. For actual privacy, pick a VPN provider that publishes independent security audits and operates on a paid subscription model. Understanding what encryption actually provides helps evaluate those audit claims more critically.
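The PCAPdroid capture recommended above, and in the connection-auditing signal earlier, produces a long list of flows that nobody wants to read by hand. The script below is an added example written for this post, not code from the original article or from PCAPdroid. It assumes a simplified CSV export with the columns `ts,app,dst_ip,dst_port,bytes,screen_on`; that layout is an assumption for the demo, so map a real export's columns onto it. It scores each app on destination fan-out (a VPN client talks to a handful of its own servers, a proxy exit node talks to whatever the buyers target) and on the share of bytes moved while the screen was off, which is the idle-time pattern described in the SDK section. The rows are constructed from documentation IP ranges; the app names are hypothetical.

```python
"""Flag proxy-exit-node behaviour in a per-app connection log (added example).

Input: CSV with columns ts,app,dst_ip,dst_port,bytes,screen_on (assumed layout).
Heuristic: many unique destinations AND most traffic while the screen is off.
Thresholds are the author's starting values, not calibrated constants.
"""
import csv
import io
import ipaddress
from collections import defaultdict

MIN_UNIQUE_DESTS = 8   # a VPN client needs a few servers, not dozens of arbitrary hosts
MIN_IDLE_SHARE = 0.75  # share of bytes moved with the screen off

# Constructed sample: one hypothetical free VPN app fanning out to many hosts while
# idle, and one mail client talking to its own server. IPs are from TEST-NET ranges.
SAMPLE_EXPORT = """\
ts,app,dst_ip,dst_port,bytes,screen_on
1700000000,com.example.freevpn,203.0.113.10,443,120000,0
1700000060,com.example.freevpn,198.51.100.22,80,98000,0
1700000120,com.example.freevpn,192.0.2.77,443,143000,0
1700000180,com.example.freevpn,203.0.113.200,8080,87000,0
1700000240,com.example.freevpn,198.51.100.9,443,156000,0
1700000300,com.example.freevpn,192.0.2.130,80,64000,0
1700000360,com.example.freevpn,203.0.113.55,443,172000,0
1700000420,com.example.freevpn,198.51.100.140,443,91000,0
1700000480,com.example.freevpn,192.0.2.5,443,110000,1
1700000540,com.example.freevpn,203.0.113.99,443,12000,1
1700000600,com.example.mail,198.51.100.50,993,30000,1
1700000660,com.example.mail,198.51.100.50,993,28000,0
1700000720,com.example.mail,198.51.100.51,443,15000,1
"""


def _prefix(ip: ipaddress._BaseAddress) -> str:
    """Coarse network key: /24 for IPv4, /48 for IPv6, to count distinct networks."""
    bits = 24 if ip.version == 4 else 48
    return str(ipaddress.ip_network(f"{ip}/{bits}", strict=False))


def analyze(csv_text: str) -> dict:
    """Per-app statistics plus a 'suspicious' flag."""
    per_app = defaultdict(lambda: {"dests": set(), "nets": set(), "bytes": 0,
                                   "idle_bytes": 0, "flows": 0})
    for row in csv.DictReader(io.StringIO(csv_text)):
        st = per_app[row["app"]]
        ip = ipaddress.ip_address(row["dst_ip"])
        nbytes = int(row["bytes"])
        st["flows"] += 1
        st["dests"].add(str(ip))
        st["nets"].add(_prefix(ip))
        st["bytes"] += nbytes
        if row["screen_on"] == "0":
            st["idle_bytes"] += nbytes

    report = {}
    for app, st in per_app.items():
        idle_share = st["idle_bytes"] / st["bytes"] if st["bytes"] else 0.0
        suspicious = len(st["dests"]) >= MIN_UNIQUE_DESTS and idle_share >= MIN_IDLE_SHARE
        report[app] = {
            "flows": st["flows"],
            "unique_dests": len(st["dests"]),
            "unique_nets": len(st["nets"]),
            "total_bytes": st["bytes"],
            "idle_share": round(idle_share, 3),
            "suspicious": suspicious,
        }
    return report


def flagged_apps(csv_text: str) -> list[str]:
    """Names of apps that trip the heuristic, sorted for stable output."""
    return sorted(app for app, r in analyze(csv_text).items() if r["suspicious"])


if __name__ == "__main__":
    for app, r in analyze(SAMPLE_EXPORT).items():
        mark = "SUSPICIOUS" if r["suspicious"] else "ok"
        print(f"{app}: {r['unique_dests']} dests / {r['unique_nets']} nets, "
              f"{r['total_bytes']} B, idle share {r['idle_share']:.0%} -> {mark}")
```

A legitimate VPN app will score high on total bytes (everything is tunnelled through it) but low on fan-out, because the tunnel terminates at the provider's servers and the destinations behind it are not visible per flow. Fan-out combined with idle-time dominance is the signature to look for; run the capture over a full day so both screen-on and screen-off periods are represented.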
Device Compromise Warning
Security research has found that a substantial share of free Android VPN apps contain malware or embedded proxy SDKs. If you have used a free VPN app for more than 30 days, audit your device's background data usage and outbound connections immediately. A factory reset may be the safest option if the app had extended background access.
FAQ
Are all free VPNs dangerous?
Not every single one is malicious, but the statistics paint a rough picture. The majority embed tracking, sell data, or contain malware. Free VPN risks are high enough that treating any free VPN as potentially compromised is the safer default.
How do free proxy services differ from free VPNs in terms of risk?
Free proxy dangers are similar but often worse. Proxies typically don't encrypt traffic at all, meaning browsing data is visible to the proxy operator in plaintext. Combined with bandwidth resale, that's both surveillance and device hijacking at once.
Can Google Play Protect catch these proxy SDKs?
Sometimes. Google removed IPIDEA-linked apps after the investigation, and Play Protect now flags PROXYLIB-associated code. But detection lags behind deployment by months or years - IPIDEA operated for a long time before disruption, and new SDK variants keep appearing.
How does VoidMob's mobile proxy approach avoid the residential botnet problem?
VoidMob uses dedicated SIM cards in carrier-grade hardware to generate mobile IPs. No consumer devices are involved, no SDKs are embedded in apps, and no one's bandwidth gets hijacked. IPs rotate through real 4G/5G networks with carrier-level trust scores.
What's the easiest way to tell if a VPN is selling data?
Check three things: does it have a paid tier or clear ad-supported model? Has it undergone an independent audit? Does it request permissions beyond network access? If the answer to all three is no, assume that free VPN sells data in some form.
Wrapping Up
Free VPN risks aren't theoretical anymore. IPIDEA proved the residential proxy botnet model operates at massive scale - 9 million devices, over 550 threat groups, years of undetected operation. And it'll happen again with the next SDK variant that slips past app store review.
For anyone who needs proxy infrastructure, whether for scraping, verification, privacy, or market research, the sourcing question matters more than most people realize. Carrier-grade mobile proxies from providers like VoidMob, built on real SIM hardware and dedicated infrastructure, sidestep the entire compromised supply chain. No hijacked devices, no ethical ambiguity, no free VPN hidden costs passed along to unsuspecting users. If you're evaluating privacy tools more broadly, our guide on protecting your online privacy and avoiding spam covers complementary practices.
If something is free and it costs millions to run, someone is paying. It's usually the user, just not with money.
Clean Mobile IPs From Real Carrier Infrastructure
VoidMob's dedicated 4G/5G mobile proxies run on real SIM hardware - no harvested bandwidth, no compromised devices, no botnet supply chains.