The Kimwolf botnet has grown to over 2 million Android devices, largely by exploiting residential proxy networks, according to cybersecurity firm Synthient. Active since at least August 2025, the botnet primarily targets unofficial Android TV set-top boxes and allows its operators to monetize infections through DDoS attacks, app installations, and selling proxy bandwidth.
Botnet Overview
- Size: Estimated 2 million devices, with ~12 million unique IPs observed weekly.
- Geography: Many infected devices are located in Vietnam, Brazil, India, and Saudi Arabia.
- Method of infection: Exploitation of exposed Android Debug Bridge (ADB) services and pre-infected low-cost Android TV boxes.
- Propagation technique: Novel targeting of residential proxy networks, with many devices linked to China-based IPIDEA proxy IPs.
Monetization
Kimwolf operators leverage the botnet for:
- Distributed Denial-of-Service (DDoS) attacks – up to 30 Tbps, sometimes misattributed to other botnets like Aisuru.
- App installs – pushing apps to infected devices.
- Residential proxy sales – selling bandwidth via compromised devices at rates as low as $0.20 per GB.
Many devices came pre-infected with modified binaries, which replaced legitimate software from IPIDEA, turning devices into bot nodes. Synthient noted that IPIDEA deployed patches in late December to close exposed ports after receiving multiple vulnerability alerts.
Implications
- The botnet highlights the risk of insecure Android TV boxes and residential proxy networks as attack vectors.
- Threat actors appear increasingly sophisticated, integrating malware deployment with commercial proxy ecosystems.
- Despite IPIDEA’s patch, the broader botnet threat persists across other providers and regions.
Recommendations
- Users should avoid unofficial or pre-owned Android TV boxes from unverified sources.
- Network administrators and proxy providers should secure exposed ADB services and ports.
- Continuous monitoring for abnormal network traffic can help identify botnet activity.
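One way to act on the last two recommendations, shown as an added example that is not from Synthient or the original article: the Python script below reads flow records and reports LAN devices that completed a TCP connection on the ADB port. The record format, the `admin_hosts` allowlist, the use of ADB's default TCP port 5555, and every address in the sample are assumptions constructed for illustration.

```python
import ipaddress

ADB_TCP_PORT = 5555  # assumption: ADB over TCP listening on its default port
LAN = [ipaddress.ip_network(n)
       for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed flow records (not real telemetry), fields:
# timestamp src_ip src_port dst_ip dst_port proto state
SAMPLE_FLOWS = """\
2026-01-05T10:00:01Z 203.0.113.7 40112 192.168.1.50 5555 tcp ESTABLISHED
2026-01-05T10:00:02Z 198.51.100.9 51514 192.168.1.50 5555 tcp SYN_ONLY
2026-01-05T10:00:05Z 192.168.1.23 49822 192.168.1.51 5555 tcp ESTABLISHED
2026-01-05T10:00:09Z 192.168.1.10 50100 192.168.1.50 5555 tcp ESTABLISHED
2026-01-05T10:00:11Z 192.168.1.50 38000 192.0.2.10 443 tcp ESTABLISHED
malformed line here
"""


def is_lan(ip):
    """True when the address falls inside a private (RFC 1918) range."""
    return any(ip in net for net in LAN)


def find_adb_exposure(flow_text, admin_hosts=()):
    """Return sorted (device, source, scope) tuples for completed ADB sessions.

    Only ESTABLISHED flows count: a bare SYN means the port was probed,
    not that the device answered. Sources in admin_hosts are expected
    debugging workstations and are not reported.
    """
    admins = {ipaddress.ip_address(a) for a in admin_hosts}
    findings = set()
    for line in flow_text.splitlines():
        parts = line.split()
        if len(parts) != 7:
            continue  # skip truncated or malformed records
        _, src, _, dst, dport, proto, state = parts
        try:
            src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
            dport = int(dport)
        except ValueError:
            continue
        if proto != "tcp" or dport != ADB_TCP_PORT or state != "ESTABLISHED":
            continue
        if not is_lan(dst_ip) or src_ip in admins:
            continue
        scope = "lan-peer" if is_lan(src_ip) else "external"
        findings.add((str(dst_ip), str(src_ip), scope))
    return sorted(findings)
```

An `external` finding means the device's ADB service is reachable from the internet; a `lan-peer` finding means another host on the same network opened a debug session and should be checked against the list of machines expected to do so.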