Your Android Phone Might Be a Zombie Proxy (And You Wouldn’t Know)

I woke up last Saturday to a dead battery.

Not on my main driver—a Galaxy S25 that handles power management like a champ—but on an older Pixel 7 I keep in a drawer for testing sketchy APKs. It had been sitting idle for two days. Screen off. No SIM card. Just Wi-Fi and a handful of “free” utility apps I was investigating.

It should have dropped maybe 10% charge. Instead, it was a brick.

After charging it back up and checking the battery stats, the culprit wasn’t immediately obvious. “System” usage was high. But when I routed the traffic through my local gateway and fired up Wireshark (running version 4.4.3 on my laptop), the logs lit up like a Christmas tree. That idle phone wasn’t idle. It was routing traffic for someone else.

This isn’t a glitch. It’s a business model.

The “Free” SDK Trap

Here’s the thing nobody tells you about those free PDF converters or flashlight apps: developers have to eat. And if they aren’t charging you $2.99, and they aren’t plastering the screen with ads every three seconds, they’re monetizing you. Specifically, your internet connection.

There are legitimate-sounding companies that offer SDKs (Software Development Kits) to app developers. The pitch is simple: “Add two lines of code to your app, and we’ll pay you $500 a month per 10,000 active users.”


The developer thinks, “Sweet, passive income.” What they don’t realize is that they’re turning your phone into a residential proxy node: the SDK vendor resells your home IP address to customers who want their traffic to look like it comes from an ordinary household, and every request those customers send goes out through your phone.

The Cat and Mouse Game

We just saw a massive cleanup of these networks recently. Google dropped the hammer on a huge cluster of compromised apps, effectively severing the connection for millions of unwitting proxies. It was a necessary purge. And I watched the traffic on my test device flatline right around the time the news broke in the security forums.

But let’s be real. This is whack-a-mole.

I was digging into an APK yesterday—a generic “File Manager” with 500k+ downloads. The obfuscation was impressive. It wasn’t running a constant background service that Android’s battery optimizer would kill. Instead, it was piggybacking on “high priority” push notifications to wake the device up for short bursts, route a few requests, and go back to sleep.

How to Actually Check Your Device

Forget antivirus apps. Most of them are just resource hogs that look for known signatures. These proxy SDKs are often technically “legal” because buried in page 47 of the Terms of Service (which you didn’t read), you agreed to share your idle resources.

If you want to know if you’re part of a botnet, you have to get your hands dirty.


1. The Battery Audit
Go to Settings > Battery > Battery Usage. Don’t just look at the top list. Tap on “System usage” or look for apps that have high “Background” time compared to “Screen time.” If a calculator app has run for 4 hours in the background, delete it immediately.

2. Data Traffic Monitoring
I use PCAPdroid (I’m on version 1.7.3 right now). It’s an open-source app that acts as a local VPN to capture traffic without root. You don’t need to understand every packet. Just open the “Connections” tab and look for an app that, with the screen off, is talking to lots of unrelated hosts on odd ports instead of its own backend.
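To make the audit less eyeball-driven, here is a small Python script (an added example, not from the original post and not part of PCAPdroid) that scores a connection log for proxy-like behaviour. The CSV layout, app names, and thresholds are assumptions; the sample rows are constructed, not a real capture. Adapt the column names to whatever your capture tool actually exports. The signal it looks for is the one a relay produces: one app fanning out to many unrelated destinations while the screen is off, with upload roughly matching download because every byte is forwarded in both directions.

```python
"""Flag apps whose idle-time traffic looks like residential-proxy relaying.

Added example, not part of the original post or of PCAPdroid. The input
format is an assumption: one row per connection with app name, destination
IP and port, bytes sent, bytes received, and whether the screen was off.
"""
import csv
import io
from collections import defaultdict

# Constructed sample log (not a real capture). The file manager fans out to
# many hosts and ports with symmetric traffic; the weather app talks to one
# host and mostly downloads; the chat app barely talks at all.
SAMPLE_LOG = """app,dst_ip,dst_port,bytes_sent,bytes_recv,screen_off
com.example.filemanager,203.0.113.10,443,18200,17950,1
com.example.filemanager,198.51.100.23,443,9100,9050,1
com.example.filemanager,198.51.100.77,80,2200,2250,1
com.example.filemanager,203.0.113.88,8080,6100,6000,1
com.example.filemanager,192.0.2.5,443,14000,13800,1
com.example.filemanager,192.0.2.44,443,3300,3100,1
com.example.filemanager,198.51.100.9,25,900,850,1
com.example.weather,192.0.2.100,443,1200,48000,1
com.example.weather,192.0.2.100,443,900,31000,1
com.example.chat,203.0.113.200,443,2500,2600,1
"""

THRESHOLD_DISTINCT_HOSTS = 5   # assumption: tune for your device and apps
THRESHOLD_MIN_BYTES = 10_000   # ignore apps that barely talked while idle


def parse_log(text):
    """Parse the CSV text into a list of dicts with numeric fields converted."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        rows.append({
            "app": row["app"],
            "dst_ip": row["dst_ip"],
            "dst_port": int(row["dst_port"]),
            "bytes_sent": int(row["bytes_sent"]),
            "bytes_recv": int(row["bytes_recv"]),
            "screen_off": row["screen_off"] == "1",
        })
    return rows


def score_apps(rows):
    """Aggregate screen-off traffic per app: fan-out, ports, volume, up/down ratio."""
    stats = defaultdict(lambda: {"hosts": set(), "ports": set(), "sent": 0, "recv": 0})
    for r in rows:
        if not r["screen_off"]:
            continue
        s = stats[r["app"]]
        s["hosts"].add(r["dst_ip"])
        s["ports"].add(r["dst_port"])
        s["sent"] += r["bytes_sent"]
        s["recv"] += r["bytes_recv"]
    result = {}
    for app, s in stats.items():
        ratio = s["sent"] / s["recv"] if s["recv"] else float("inf")
        result[app] = {
            "distinct_hosts": len(s["hosts"]),
            "distinct_ports": len(s["ports"]),
            "bytes_total": s["sent"] + s["recv"],
            "upload_ratio": round(ratio, 2),
        }
    return result


def suspicious_apps(rows):
    """Apps with wide destination fan-out and symmetric traffic while idle."""
    flagged = []
    for app, s in score_apps(rows).items():
        if s["bytes_total"] < THRESHOLD_MIN_BYTES:
            continue
        wide_fanout = s["distinct_hosts"] >= THRESHOLD_DISTINCT_HOSTS
        # A relay sends about as much as it receives; a normal client mostly downloads.
        symmetric = 0.7 <= s["upload_ratio"] <= 1.4
        if wide_fanout and symmetric:
            flagged.append(app)
    return sorted(flagged)


if __name__ == "__main__":
    rows = parse_log(SAMPLE_LOG)
    for app, s in score_apps(rows).items():
        print(f"{app:28} hosts={s['distinct_hosts']:2} ports={s['distinct_ports']} "
              f"bytes={s['bytes_total']:6} up/down={s['upload_ratio']}")
    print("suspicious:", suspicious_apps(rows))
```

The thresholds are deliberately loose; a mail client or a BitTorrent app will also show fan-out, so treat a hit as a reason to look at the app’s actual destinations, not as proof. The useful part of the heuristic is the combination: an app you never open, talking to hosts that are not its own backend, with traffic that is relayed rather than fetched.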

The Android 16 Factor

I’ve been messing around with the early builds of Android 16 on my Pixel 9 Pro, and Google is definitely tightening the screws. The new “JobScheduler” constraints are brutal for background processes. They’re making it much harder for apps to execute code when the screen is off unless they have a very good reason.

But developers are clever. I’m already seeing chatter on GitHub about using “foreground services” (those persistent notifications that say “App is running”) to bypass these restrictions. Users get annoyed and hide the notification, but the service keeps running.


It’s an endless cycle. The OS gets stricter; the workarounds get more creative.

My Take? Stop Sideloading (Mostly)

Look, I love the freedom of Android. I sideload apps all the time—F-Droid is my best friend. But downloading “Spotify Premium Mod APK” from a random site? In 2026? You’re basically asking to be exploited.

The “modded” app scene is the primary vector for these hidden proxies now. You get the premium features for free, and in exchange, the modder injects a proxy SDK to monetize your device. Nothing is free. You’re either paying with money, or you’re paying with your bandwidth and battery life.

If your phone feels hot when it’s doing nothing, or if your data cap is vanishing, don’t wait for a security patch. Find the app and uninstall it if you can; if you can’t pin it down, wipe the phone. A factory reset is the only way to be sure.
