41 comments

[ 3.0 ms ] story [ 55.0 ms ] thread
> These efforts to help keep the broader digital ecosystem safe supplement the protections we have to safeguard Android users on certified devices. We ensured Google Play Protect, Android’s built-in security protection, automatically warns users and removes applications known to incorporate IPIDEA SDKs, and blocks any future install attempts.

Nice to see Google Play Protect actually serving a purpose for once.

Does it also block unwanted traffic from Google apps or does it have a particular hatred for companies that interfere with Google's business model?
I'm actually a little shocked seeing that there was a WebOS variant of the residential proxying SDK endpoint. Does that mean there might be a bit more unchecked malware lurking behind the scenes in the LG ecosystem?

Personally I'm surprised they didn't have a Samsung option.

Why would webOS App Store be any different than the iOS or Android App Store which also have monetization frameworks for bandwidth sharing.
My understanding is that routing through residential IPs is a part of the business of some VPN providers. I don't know how above board they are on this (as in notifying customers that this may happen, however buried in the usage agreement, or even allowing them to opt out).

But, my main point, is that the whole business is "on the up and up" vs some dark botnet.

Oxylabs sells proxies for scrapers, I suppose you can use the socks-proxy as a VPN, and they claim to use Honeygain.

Honeygain is a platform where people sell their residential internet connection and bandwidth to these companies for money.

For comparison Honeygain pays someone 10 cents per GB, and Oxylabs sells it for $8/GB.

> I don't know how above board they are on this

Saying you don't know something in the comments of an article that explains that thing is a bold strategy

Mullvad seems to be one of those VPN providers. [1] Though I very much doubt they would sneakily make end-users devices exit nodes. Though, as a historical side note, let's not forget Skype used to make users computers act as a relay as well during its more decentralized days.

[1] Using the website mentioned by user Rasbora https://news.ycombinator.com/item?id=46837806

The need for proxies in any legitimate context became obsolete with starlink being so widespread. Throw up a few terminals and you have about 500-2k cgnat IP addresses to do whatever you like.
We need more residential proxies, not less.

I've had enough of companies saying "you're connecting from an AWS IP address, therefore you aren't allowed in, or must buy enterprise licensing". Reddit is an example which totally blocks all data to non-residential IP's.

I want exactly the same content visible no matter who you are or where you are connecting from, and a robust network of residential proxies is a stepping stone to achieving that.

> I've had enough of companies saying "you're connecting from an AWS IP address

I run a honeypot and the amount of bot traffic coming from AWS is insane. It's like 80% before filtering, and it's 100% illegitimate.

I live in the UK and can't view a large portion of the internet without having to submit my ID to _every_ site serving anything deemed "not safe the for the children". I had a question about a new piercing and couldn't get info on it from Reddit because of that. I try using a VPN and they're blocked too. Luckily, I work at a copmany selling proxies so I've got free proxies whenever I want, but I shouldn't _need_ to use them.

I find it funny that companies like Reddit, who make their money entirely from content produced by users for free (which is also often sourced from other parts of the internet without permission), are so against their site being scraped that they have to objectively ruin the site for everyone using it. See the API changes and killing off of third party apps.

Obviously, it's mostly for advertising purposes, but they love to talk about the load scraping puts on their site, even suing AI companies and SerpApi for it. If it's truly that bad, just offer a free API for the scrapers to use - or even an API that works out just slightly cheaper than using proxies...

My ideal internet would look something like that, all content free and accessible to everyone.

This blog post from the company that used promise "don't be evil", one that steals water for data centers from vilages and towns via shady deals, whose whole premise it stealing other people's stuff and claiming it as their own and locking them out and selling their data.. Who made them the arbiter of the internet? No one!!!

They just stole this and get on their high horse to tell people how to use internet? You can eff right off Google.

I'm reading reddit.com from a Tor node, they also have a .onion domain you could use.
There's a company that pays you to keep their box connected to your residential router. I assume it sells residential proxy services, maybe also DDoS services, I don't know. It's aptly named Absurd Computing.
The end game of that is no useful content being accessible without login, or needing some sort of other proof-of-legitimacy.
All of this sounds legal, so on what basis did they get them shut down?
so that only google and anthropic are allowed to scrape the web. No one else may have workarounds
Exactly. This is just google building a "moat" around their shady business.
Anyone could scrape the net, then modern scrapes came along with their shitty code and absolutely no respect. The reason why so many of us block or throttle scrapers is because they miss behave. They don't back off, they try to by-pass caches and if they crash a site they don't adjust, they will just pound it the ground again when it's back. We managed to talk to one large AI company would didn't really want to fix anything, but told us that they'd be fine with us just rate limiting them, as if we somehow owed them anything. They just get a stupid low rps now, even if we'd let them go faster, if they'd just fix they bot.

Some sites don't want you scraping, but it's their content, their rules. We don't really care, but we have to due to the number and quality of the bots we're seeing. This is in my mind a 100% self-imposed problem from the scrapers.

I'm surprised by the negative takes...

Yes, proxies are good. Ones which you pay for and which are running legitimately, with the knowledge (and compensation) of those who run them.

Malware in random apps running on your device without your knowledge is bad.

How do you stop mobile proxies operating through similar nefarious business models... CGNAT prevents you from easily identifying the exit nodes.
Why are they leaving Bright Data (aka Illuminati aka Hola VPN) untouched? They are doing this exact scheme on an industrial scale.
It’s interesting that when Luminati, an Israeli company, does this, it’s fine.

When the Chinese do this? Very bad.

I'll betcha Google uses a lot of residential proxies themselves to scrape data and don't want competitors doing it.
Residential proxies are the only way to crawl and scrape. It's ironic for this article to come from the biggest scraping company that ever existed!

If you crawl at 1Hz per crawled IP, no reasonable server would suffer from this. It's the few bad apples (impatient people who don't rate limit) who ruin the internet for both users and hosters alike. And then there's Google.

This was easy because it's a Chinese company.

The largest companies in this space that do similar this (oxylabs, brighdata,etc) have similar tactics but are based in a different location.

Thanks google for saving us. I guess this is the equivalent of rival narcos fighting each other.
I see Google is doing their best to stamp out the competition.
> attackers can mask their malicious activity by hijacking these IP addresses.

Sounds like "malicious activity" == "scraping activities that don't come from Google"

The big players are not taken out. This is sand thrown at our faces.
Google shows a samaple of the IOCs but Google Trust Services have issued a number of the SSL certs for those domains that have not been revoked (yet?).

Only looking at the:

- a8d3b9e1f5c7024d6e0b7a2c9f1d83e5.com

- af4760df2c08896a9638e26e7dd20aae.com

- cfe47df26c8eaf0a7c136b50c703e173.com

Looks like a standard MD5 hash domain pattern of which currently there are:

  user@host:/data/domains/2026/01/30$ zgrep -iE '^[a-f0-9]{32}\.com$' com.txt_domains.gz | wc -l
  3005
If you look at some of the others (not listed in Google's IOC), they tend to have a pattern with their SSL certs e.g.:

- 0e6f931862947ad58bf3d1a0c5a6f91f.com

  X509v3 Subject Alternative Name:
    DNS:0e6f931862947ad58bf3d1a0c5a6f91f.com,   DNS:effc538138d9342c547c5df42b03d81e.com, DNS:gulfclouds.site, DNS:xinchaobccgba.net
- 17e4435ad10c15887d1faea64ee7eac4.com

  X509v3 Subject Alternative Name:
    DNS:0dcbdf154c39288c91feb076795715e1.com, DNS:0e8843e8f10f20eeef59f0076e4feb83.shop, DNS:1014a1fb60e1b91404682e572ede6b4f.com, DNS:178281a79266d2faa3e578f23c8a361e.com, DNS:17e4435ad10c15887d1faea64ee7eac4.com, DNS:19f75b2642320e0606f5e38ce9fbcf17.com, DNS:1vxe.com, DNS:292893d0b31941e1c0d8eb01235be4eb.com, DNS:2b1e642f3a60130d1b2cf244891bef0d.info, DNS:354542342b7d2ddb66c97240d0c770dc.com, DNS:37d993ba8c9284bedad2a3177dfc44a6.info, DNS:3857036aaeedf670bbcca926945b50dd.com, DNS:3961f3fa3a6bacc5c4f28e81c60f4169.com, DNS:3eb4b3a3f8722b60d6ba2de7dd5f2523.org, DNS:42a17c71c0d6f2a6d7e135f8e869ab3f.com, DNS:4edd3793da3080640431430a4da57a86.org, DNS:4f5667d51451a2060067a97bcddf077f.info, DNS:5006cc38aff1ebc7d1232037fd592c60.net, DNS:54c35ec930f5b52fd9505778bb9c3f00.com, DNS:60255ec5427c2ba9a80b9c7648dd62e9.com, DNS:638d0e352728a04bb56ca102e54b8c9b.xyz, DNS:69234f9b18c0b4d572dc553dbfdb8f52.com, DNS:6934addf679d79a79f0bfc2ff090b104.com, DNS:694b64c9b41c17a229d92156d14a4ffd4.com, DNS:6eba8c4def89561e1cee02bb3c9b373d.info, DNS:7050f8c6563ff47465932e3838dc06fd.com, DNS:72ad0de0a556f763e0629c64c694df4c.com, DNS:86f7020358afaf71baeee5782b6264e4.xyz, DNS:88f2f20d26dcabeafd2f9d24e7ea4e50.com, DNS:911f4bf053ee3dadae1ca6bfdf40a817.com
would there be any reason any of these would be legitimate?
I've helped multiple people remove residential proxy malware that was turning their network into a brightdata exit node and they had no idea / did not consent to it. Why is google selectively targeting one provider while letting others operate freely?

You can check if your network is infected here: https://layer3intel.com/is-my-network-a-residential-proxy

This problem isn't going until we find a better solution to scraping than using your IP address as a passport.
Since I was also tracking this proxy network as part of my side project, I wrote a short blog post + give access to 16m+ proxy IPs IoCs that belong to this proxy network: https://deviceandbrowserinfo.com/learning_zone/articles/insi...

Note that even after the disruption, I'm still able to route millions of requests/day through IP IDEA's network