Uncovering the Popa Botnet: How Hijacked Android TV Boxes Fuel Cybercrime

Jun 18, 2026
For over four years, an Android-based botnet named **Popa** has been hijacking consumer television boxes and funneling their internet traffic into a range of schemes, including advertising fraud, account takeovers, and large-scale data scraping. This week, multiple cybersecurity research teams linked Popa to **NetNut**, a residential proxy service provided by the Israeli company **Alarum Technologies Ltd** [NASDAQ: ALAR].

Popa's design sets it apart from typical botnets, which are built for disruption, such as launching distributed denial-of-service attacks. Popa instead focuses on a reliable, long-lived communications layer: it registers devices, keeps persistent encrypted connections open, and opens communication tunnels through them on demand. Experts suggest Popa is a component of the larger **Vo1d** botnet, which predominantly targets unofficial Android TV boxes. These devices are sold under countless brand names on leading online marketplaces, often with the appealing promise of streaming many paid video services for a one-time fee. They frequently ship with pre-installed software that turns them into residential proxies, so that anyone can secretly route internet traffic through these devices and use the owner's home network without explicit consent.

The investigation into Popa's origins was initially sparked by a **2025 report** from **XLAB**, a Chinese cybersecurity firm that identified several domains associated with compromised devices. Further insight came from a report by **Qurium**, which documented a series of costly data scraping incidents against organizations under its watch; certain control domains were used extensively to coordinate those severe scraping attacks, which were spread across more than 1.4 million IP addresses.
Qurium identified dozens of domains used to command the Popa botnet, among them **gmslb[.]net**, **safernetwork[.]io**, **tera-home[.]com**, and **ninjatech[.]io**. These domains appeared in pirated and modified streaming applications, including popular names such as **CRICFy**, **DooFlix**, and **CyberFlix**. After an earlier crackdown on associated domains in July 2025, several new control domains were quickly registered, among them **ninjatech[.]io**, a notable development given its tie to **Moishi Kramer**, a former VP at NetNut.

Kramer has since distanced himself, stating that while he once developed a software development kit (SDK) called Popa for legitimate bandwidth-sharing, he relinquished control after many years of licensing it to third parties. "Once code is distributed, the original developer can't control how it gets modified or used," he emphasized in a recent email exchange. He further asserted that neither he nor NetNut operates the infrastructure being labeled as Popa.

As a counterpoint, recent findings from **Synthient**, a proxy-tracking firm, indicate that the Popa SDK produces outbound traffic specifically linked to NetNut, and the firm claims with high confidence that devices running Popa are indeed relaying traffic for NetNut clients. Alarum Technologies responded with a firm denial, arguing that the reports contain errors and mischaracterize its SDKs as malware; it maintains that its systems are designed for lawful bandwidth-sharing and emphasizes its oversight practices. But skepticism remains. A report from **Spur** describes NetNut's apparent lack of adequate customer verification: the claim that only "verified corporations" can use the service appears to mask a more complicated reality in which malicious actors could acquire proxy access without due diligence.
Synthient also found that while recent Popa builds include a user consent feature, many earlier versions do not, casting doubt on the operation's integrity. Popa's scale makes it a formidable threat: it reportedly averages between 1.5 and 2.5 million distinct IP addresses daily. Unlike larger botnets, which tend to be centralized, Popa is spread across numerous proxy services, and that decentralization amplifies its potential impact and makes it exceptionally dangerous. Given all this, everyone in the tech ecosystem needs to remain vigilant: what looks like a few innocuous streaming boxes in your home could be conduits for a significant and growing malicious botnet.

Rethinking Consent in the Age of Proxy SDKs

The implications of proxy SDKs embedded in TV apps raise serious concerns about user consent and security. It is clear that the current models for obtaining consent leave much to be desired. The prospect of a child unwittingly enrolling the family TV into a residential proxy network simply by downloading a game is alarming. Experts underscore that the complexity of privacy disclosures on TV interfaces makes it nearly impossible for users to fully understand what they are consenting to, especially when navigating legal jargon with a remote. Sean Simmons from Spur aptly characterizes this disconnect. Most individuals do not grasp what it means to sell access to their residential IP address, and the gap is even wider on TVs. A fleeting prompt during setup is hardly enough to inform users about the lasting implications of their agreement, particularly when it allows ongoing monetization of that connection.

Call for Clearer Policies

It is no surprise, then, that Simmons urges manufacturers like LG and Samsung to follow the example of Amazon and Roku, both of which have restricted applications that facilitate proxy services. What stands out here is the responsibility these tech giants have to shield users from unknowing exposure to these networks. As Simmons points out, a simple consent dialog, especially on a device that is often used passively, does not cut it when the app continuously profits from the user's internet connection. The problem also extends beyond smart TVs. Mobile apps often integrate these SDKs, giving the proxy networks a broad foothold on user devices. Just last month, Infoblox revealed sobering statistics: a staggering 65% of its customers had made DNS queries to residential proxy domains. That figure included a hefty share of highly regulated sectors such as pharmaceuticals and finance, highlighting an urgent need for more stringent oversight.

Risks in Corporate Environments

The risks are greater in corporate settings, where these unauthorized connections could pose significant threats. Nick Sundvall and David Brunsdon of Infoblox emphasize that proxies could inadvertently expose a business's IP address to outsiders. If misused, they could link a company's network to illicit activities, resulting in legal headaches and reputational damage. Given the widespread adoption of residential proxies, decision-makers in tech and policy need to act. Addressing how these services infiltrate personal and corporate networks is not just about privacy; it is about redefining the way users interact with technology. Users need clear, actionable information, something current practices sorely lack. The stakes could not be higher, and it is time for industry leaders to step up and forge a safer digital landscape.
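The Infoblox statistic above and the control domains Qurium published earlier in this article point to the simplest practical check a network defender can run: look for DNS queries from internal hosts to the known Popa control domains. The following is an added example, not code from the article or from Krebs, Qurium, or Infoblox. It takes the four domains exactly as the article prints them (defanged with `[.]`), refangs them, and scans DNS log lines for queries to those domains or any of their subdomains. The log format (`<timestamp> <client_ip> <queried_name>`, one query per line) and the sample log lines are constructed assumptions; adapt the regex to your resolver's actual log format.

```python
"""
Flag DNS queries to the Popa control domains named in the article.

Added example; not the article's or any vendor's code. The domain list is
taken from the article (defanged as published). The log line format and the
sample log are constructed for this example.
"""
import re
from typing import Iterable, Optional

# Control domains named in the article, kept defanged exactly as published.
POPA_CONTROL_DOMAINS_DEFANGED = [
    "gmslb[.]net",
    "safernetwork[.]io",
    "tera-home[.]com",
    "ninjatech[.]io",
]


def refang(domain: str) -> str:
    """Turn a defanged indicator ('example[.]com') into a normalized DNS name."""
    return domain.replace("[.]", ".").strip().rstrip(".").lower()


WATCHLIST = frozenset(refang(d) for d in POPA_CONTROL_DOMAINS_DEFANGED)

# Assumed log format: "<timestamp> <client_ip> <qname>" (one query per line).
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<qname>\S+)")


def matched_domain(qname: str, watchlist: frozenset = WATCHLIST) -> Optional[str]:
    """Return the watchlist entry that qname equals or is a subdomain of, else None.

    Matching is label-aware: 'api.gmslb.net' matches 'gmslb.net', but
    'notgmslb.net' and 'ninjatech.io.unrelated.example' do not.
    """
    name = qname.strip().rstrip(".").lower()
    labels = name.split(".")
    # Walk from the full name up through its parents, stopping before the TLD.
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in watchlist:
            return candidate
    return None


def scan_dns_log(lines: Iterable[str], watchlist: frozenset = WATCHLIST) -> list:
    """Return one hit dict per log line that queried a watchlisted domain."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # blank or malformed line; skip rather than crash
        indicator = matched_domain(m["qname"], watchlist)
        if indicator:
            hits.append({"ts": m["ts"], "client": m["client"],
                         "qname": m["qname"], "indicator": indicator})
    return hits


def clients_by_indicator(hits: list) -> dict:
    """Group hits into {indicator: set(client_ip)} so each host can be triaged."""
    summary: dict = {}
    for h in hits:
        summary.setdefault(h["indicator"], set()).add(h["client"])
    return summary


# Constructed sample log (not real traffic); private addresses only.
SAMPLE_LOG = """\
2026-06-18T09:00:01Z 192.168.1.23 api.gmslb.net.
2026-06-18T09:00:02Z 192.168.1.23 www.example.com
2026-06-18T09:00:05Z 192.168.1.40 SAFERNETWORK.IO
2026-06-18T09:00:07Z 192.168.1.23 notgmslb.net
2026-06-18T09:00:09Z 192.168.1.77 cdn.tera-home.com
malformed line
2026-06-18T09:00:11Z 192.168.1.40 ninjatech.io.unrelated.example
""".splitlines()


if __name__ == "__main__":
    for hit in scan_dns_log(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['client']} -> {hit['qname']} (matches {hit['indicator']})")
    for indicator, clients in clients_by_indicator(scan_dns_log(SAMPLE_LOG)).items():
        print(f"{indicator}: {sorted(clients)}")
```

On the sample log this reports three hits (the `gmslb.net`, `safernetwork.io`, and `tera-home.com` queries) and ignores the look-alike `notgmslb.net` and the name that merely contains `ninjatech.io` as a prefix. A hit from a host is a starting point for triage (which device or app is making the query), not proof of compromise; the domain list should be refreshed as researchers publish new control domains, since the article notes that replacements were registered quickly after the July 2025 crackdown.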
Source: BrianKrebs · krebsonsecurity.com
