Security researchers have uncovered a large-scale Android botnet dubbed ‘Kimwolf’ that has compromised more than 2 million devices by tunneling through residential proxy networks, according to findings from threat intelligence firm Synthient.
According to the researchers, operators behind Kimwolf are monetizing the botnet through fraudulent app installs, selling residential proxy bandwidth, and offering distributed denial-of-service (DDoS) capabilities.
The botnet was first publicly documented last month by QiAnXin XLab, which linked it to another botnet known as AISURU. Active since at least August 2025, Kimwolf is believed to be an Android variant of AISURU and may be behind a series of record-setting DDoS attacks late last year.
Kimwolf malware turns infected devices into relays for malicious traffic and large-scale DDoS operations. Most of the infections were observed in Vietnam, Brazil, India, and Saudi Arabia, with researchers seeing around 12 million unique IP addresses each week. The attacks primarily target Android devices running exposed Android Debug Bridge (ADB) services, often using residential proxy infrastructure to silently install the malware. Synthient found that at least 67% of compromised devices had unauthenticated ADB enabled by default.
Researchers suspect many devices were preloaded with software development kits from proxy providers, allowing them to be quietly recruited into the botnet. The most affected systems include unofficial Android-based smart TVs and set-top boxes. As recently as December 2025, Kimwolf infections were seen leveraging proxy IPs rented from China-based IPIDEA, which deployed a security patch on December 27 to block access to local network devices and sensitive ports.
Once installed, the main payload listens on port 40860 and connects to a command-and-control (C&C) server to receive instructions. In many cases, the malware also installs the Plainproxies Byteconnect SDK, a bandwidth monetization service that routes proxy tasks through infected devices.
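For investigators who have hands-on access to a suspect set-top box or TV, the listener on port 40860 described above is a simple thing to check for. The following triage helper is an added example (not tooling from Synthient or QiAnXin XLab) that parses `netstat -ltn` output collected from an Android device, for instance via `adb shell netstat -ltn`, and flags LISTEN sockets on watched ports. Port 40860 comes from the report; port 5555 is ADB's conventional TCP port and is an assumption of this example, as is the constructed sample output embedded below.

```python
"""Triage helper: flag Kimwolf-style indicators in `netstat -ltn` output
collected from an Android device (for example via `adb shell netstat -ltn`
during an investigation).

Added example, not tooling from Synthient or QiAnXin XLab. Port 40860 is the
listener named in the report above; port 5555 is ADB's conventional TCP port
and is an assumption of this example, as is the constructed sample output.
"""
from typing import Dict, List, Tuple

WATCHED_PORTS: Dict[int, str] = {
    40860: "Kimwolf main payload listener (reported by Synthient)",
    5555: "ADB over TCP; unauthenticated ADB is the reported infection vector",
}

LOOPBACK = {"127.0.0.1", "::1"}


def _split_local(local: str) -> Tuple[str, int]:
    """Split 'addr:port' for IPv4 ('0.0.0.0:40860') and IPv6 (':::40860')."""
    addr, _, port = local.rpartition(":")
    return addr, int(port)


def find_suspicious_listeners(netstat_output: str) -> List[dict]:
    """Return one finding per LISTEN socket on a watched port.

    Columns in toybox/BusyBox netstat: proto recv-q send-q local foreign state.
    The bind address is kept so the analyst can tell a network-reachable
    listener (0.0.0.0 or ::) from a loopback-only one.
    """
    findings = []
    for line in netstat_output.splitlines():
        fields = line.split()
        if len(fields) < 6 or not fields[0].startswith("tcp") or fields[5] != "LISTEN":
            continue
        addr, port = _split_local(fields[3])
        if port in WATCHED_PORTS:
            findings.append({
                "port": port,
                "bind": addr,
                "reachable_from_network": addr not in LOOPBACK,
                "reason": WATCHED_PORTS[port],
            })
    return findings


# Constructed sample output (not captured from a real device).
SAMPLE = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:40860           0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:5555            0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:9000          0.0.0.0:*               LISTEN
tcp6       0      0 :::8080                 :::*                    LISTEN
tcp        0      0 192.168.1.20:40860      203.0.113.7:443         ESTABLISHED
"""

if __name__ == "__main__":
    for f in find_suspicious_listeners(SAMPLE):
        exposure = "network-reachable" if f["reachable_from_network"] else "loopback only"
        print(f"port {f['port']} bound to {f['bind']} ({exposure}): {f['reason']}")
```

A hit on 40860 alone is an indicator, not proof; confirm with the owning process (`netstat -ltnp` where the build permits it) and the installed package list before drawing conclusions.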
Synthient said the infrastructure has been used for activities including credential-stuffing attacks against IMAP servers and popular websites.
To reduce risk, proxy providers are advised to block requests to private IP address ranges, and organizations are advised to secure Android devices by disabling unauthenticated ADB access.
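The proxy-side mitigation above is worth showing concretely, because the naive version (string-matching "192.168." in the requested URL) misses IPv4-mapped IPv6 literals, carrier-grade NAT space, and hostnames that resolve to a private address. The egress filter below is an added example, not code from Synthient, IPIDEA or any proxy vendor; the function names, the resolver hook and the port deny-list are assumptions made for the illustration.

```python
"""Egress filter for a residential-proxy exit node: refuse to forward requests
whose destination resolves into a private, loopback, link-local or otherwise
non-routable range, so an infected home device cannot be used to reach
its own LAN.

Added example for the mitigation described above; it is not code from
Synthient, IPIDEA or any proxy vendor. The function names, the resolver hook
and the port deny-list are assumptions made for this illustration.
"""
import ipaddress
import socket
from typing import Callable, Iterable, List, Union

IPAddr = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]

# Destinations a proxy exit must never reach on a customer's behalf.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8",       # "this" network
    "10.0.0.0/8",      # RFC 1918
    "100.64.0.0/10",   # carrier-grade NAT shared space (common on mobile/ISP links)
    "127.0.0.0/8",     # loopback
    "169.254.0.0/16",  # link-local, including cloud metadata endpoints
    "172.16.0.0/12",   # RFC 1918
    "192.168.0.0/16",  # RFC 1918
    "224.0.0.0/4",     # multicast
    "240.0.0.0/4",     # reserved
    "::/128",          # IPv6 unspecified
    "::1/128",         # IPv6 loopback
    "fc00::/7",        # IPv6 unique local
    "fe80::/10",       # IPv6 link-local
    "ff00::/8",        # IPv6 multicast
)]

# Example deny-list of "sensitive ports". The report says IPIDEA blocked such
# ports but does not enumerate them, so this set is an assumption; 5555 is
# ADB's conventional TCP port.
BLOCKED_PORTS = {5555}


def _normalise(addr: str) -> IPAddr:
    """Parse an address; IPv4-mapped IPv6 (::ffff:10.0.0.1) is judged as IPv4."""
    ip = ipaddress.ip_address(addr)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        return ip.ipv4_mapped
    return ip


def is_blocked_address(addr: str) -> bool:
    ip = _normalise(addr)
    return any(ip in net for net in BLOCKED_NETWORKS)


def default_resolver(host: str) -> List[str]:
    """All A/AAAA answers for host, via the system resolver."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def is_blocked_destination(host: str,
                           resolver: Callable[[str], Iterable[str]] = default_resolver) -> bool:
    """True if the host is a blocked literal or resolves to ANY blocked address.

    Every answer is checked, not just the first: a name that returns one public
    and one private address is treated as private. Resolution failures block
    the request (fail closed).
    """
    try:
        return is_blocked_address(host)  # literal IP: no DNS lookup needed
    except ValueError:
        pass  # not an IP literal, resolve it
    try:
        addrs = list(resolver(host))
    except OSError:  # socket.gaierror is a subclass of OSError
        return True
    return not addrs or any(is_blocked_address(a) for a in addrs)


def should_forward(host: str, port: int,
                   resolver: Callable[[str], Iterable[str]] = default_resolver) -> bool:
    """Policy decision for one proxied connection request."""
    if port in BLOCKED_PORTS:
        return False
    return not is_blocked_destination(host, resolver)
```

In a real proxy the decision must be made on the address actually connected to, not only on a pre-flight lookup, otherwise a name that changes its answer between the check and the connect slips through; the simplest way to guarantee that is to resolve once, run `is_blocked_address` on each answer, and connect only to an address that passed.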