Uncovering the Popa Botnet: How Hijacked Android TV Boxes Fuel Cybercrime
Jun 18, 2026
For more than four years, an Android-based botnet named **Popa** has been hijacking consumer television boxes and selling their internet connections into a range of abusive schemes, including advertising fraud, account takeovers and large-scale data scraping. This week, several cybersecurity research teams independently linked Popa to **NetNut**, a residential proxy service operated by the Israeli company **Alarum Technologies Ltd** [NASDAQ: ALAR].
Popa differs from the botnets that usually make headlines, which are built for disruption such as distributed denial-of-service attacks. Its architecture is instead a reliable, long-lived communications layer: it registers each infected device with its controllers, keeps an encrypted connection open from the device for as long as it is powered on, and opens tunnels through that connection on demand so that someone else's traffic can leave the internet from the box owner's home IP address.
Researchers believe Popa is a component of the larger **Vo1d** botnet, which predominantly targets unofficial Android TV boxes. These devices are sold under countless brand names at major online marketplaces, often with the promise of streaming many paid video services for a one-time fee. The boxes frequently ship with pre-installed software that turns them into residential proxies, meaning that anyone who buys access can quietly route their internet traffic through the device, using the owner's home IP address without the owner's knowledge or consent.
The investigation into Popa's origins began with a **2025 report** from **XLAB**, a Chinese cybersecurity firm, which identified several domains that compromised devices were contacting. Further insight came from **Qurium**, which documented a series of costly data scraping incidents against organizations it protects. Qurium found that the same control domains were used to coordinate the heaviest scraping attacks, which were spread across more than 1.4 million source IP addresses so that no single address stood out.
Qurium identified dozens of domains used to command the Popa botnet, among them **gmslb[.]net**, **safernetwork[.]io**, **tera-home[.]com** and **ninjatech[.]io**. These domains appeared in pirated and modified streaming applications, including **CRICFy**, **DooFlix** and **CyberFlix**. After an earlier crackdown on associated domains in July 2025, several new control domains were registered within days. One of them, **ninjatech[.]io**, is notable because of its connection to **Moishi Kramer**, a former vice president at NetNut.
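The four control domains named above are the kind of indicator a home user or network defender can check for directly. The following is an added example, not code from the original article or from any of the firms it cites. It scans DNS query log lines for queries to those domains or any of their subdomains and reports which device on the network made them. The log format and the sample lines are constructed for the example (modelled loosely on a dnsmasq query log; the regex is an assumption to adjust for your resolver), and the indicator list contains only the four domains the article names; Qurium reported dozens more, so a real deployment would load the full list from a threat feed.

```python
import re
from collections import defaultdict
from typing import Optional

# Control domains named in the article (defanging brackets removed).
# Qurium reported dozens more; these are only the four the article lists.
POPA_C2_DOMAINS = {
    "gmslb.net",
    "safernetwork.io",
    "tera-home.com",
    "ninjatech.io",
}

# Assumed log format: "<Mon> <day> <time> query[<type>] <qname> from <client_ip>"
# (loosely modelled on dnsmasq's query log; adjust the pattern for your resolver).
LOG_RE = re.compile(
    r"^(?P<ts>\S+ \S+ \S+) query\[(?P<qtype>[A-Z]+)\] (?P<qname>\S+) from (?P<client>\S+)$"
)


def matches_c2(qname: str, indicators=POPA_C2_DOMAINS) -> Optional[str]:
    """Return the matching indicator if qname is a C2 domain or a subdomain of one.

    The trailing dot of a fully qualified name is stripped, and the match is on
    label boundaries, so "notgmslb.net" does not match "gmslb.net".
    """
    name = qname.rstrip(".").lower()
    for domain in indicators:
        if name == domain or name.endswith("." + domain):
            return domain
    return None


def scan_dns_log(lines, indicators=POPA_C2_DOMAINS):
    """Group suspicious queries by client IP: {client_ip: [(qname, indicator), ...]}."""
    hits = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # line does not match the assumed format; skip it
        hit = matches_c2(m["qname"], indicators)
        if hit:
            hits[m["client"]].append((m["qname"], hit))
    return dict(hits)


# Constructed sample log lines for the example; not real captured traffic.
SAMPLE_LOG = """\
Jun 18 10:01:02 query[A] www.example.com from 192.168.1.20
Jun 18 10:01:05 query[A] api.gmslb.net from 192.168.1.77
Jun 18 10:01:09 query[AAAA] cdn.example.org from 192.168.1.20
Jun 18 10:02:14 query[A] safernetwork.io. from 192.168.1.77
Jun 18 10:02:30 query[A] notgmslb.net from 192.168.1.30
Jun 18 10:03:45 query[A] c2.ninjatech.io from 192.168.1.77
""".splitlines()

if __name__ == "__main__":
    for client, queries in scan_dns_log(SAMPLE_LOG).items():
        print(f"{client}:")
        for qname, indicator in queries:
            print(f"  {qname}  (matches {indicator})")
```

In the sample, one client (192.168.1.77) accounts for every hit, which is the pattern to expect: a single box beaconing to several of the control domains while the rest of the network never touches them. The lookalike "notgmslb.net" is deliberately included to show that the match is on domain labels rather than on a plain substring.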
Kramer has distanced himself from the botnet, saying that while he once developed a software development kit (SDK) called Popa for legitimate bandwidth sharing, he licensed it to third parties for many years and no longer controls it. "Once code is distributed, the original developer can't control how it gets modified or used," he said in a recent email exchange. He further asserted that neither he nor NetNut operates the infrastructure now labeled as Popa.
Recent findings from **Synthient**, a proxy-tracking firm, cut against that account. Synthient reported that devices running the Popa SDK send outbound traffic specifically associated with NetNut, and said it is highly confident that those devices are relaying traffic for NetNut customers. Alarum Technologies responded with a firm denial, arguing that the reports contain errors and mischaracterize its SDKs as malware. The company says its software is designed for lawful bandwidth sharing and that it maintains sound oversight of how it is used.
But skepticism remains. A report from **Spur** describes what appears to be weak customer verification at NetNut. The company's claim that only "verified corporations" can use its service seems to mask a more complicated reality in which malicious actors can obtain proxy access without meaningful due diligence. Separately, Synthient found that while recent Popa builds include a user consent prompt, many earlier versions had none, which undercuts the claim that the bandwidth was shared with the device owner's consent.
Popa's scale is what makes it dangerous. It reportedly averages between 1.5 and 2.5 million distinct IP addresses per day. And because access to the infected devices is resold through several proxy services rather than run by a single operator, shutting down any one of those services does little to shrink the pool of compromised boxes.
Given all this, anyone who buys, sells or runs these devices should treat them with suspicion. What looks like a harmless streaming box in your living room may well be a node in a large and still-growing botnet, selling your home internet connection to strangers.