The Rise of the Popa Botnet: A Deep Dive
Introduction to Popa
For the past four years, the Popa botnet has been quietly wreaking havoc across the digital landscape by commandeering millions of consumer TV boxes, primarily those running on the Android operating system. This sprawling botnet isn’t content with conventional botnet mayhem—like launching Distributed Denial of Service (DDoS) attacks. Instead, it specializes in insidious activities such as advertisement fraud, account takeovers, and extensive data scraping. Recent investigations reveal a partnership between Popa and NetNut, a residential proxy service operated by Alarum Technologies Ltd, a publicly traded company based in Israel.
Understanding the Botnet
Popa stands out in the realm of botnets. Unlike traditional botnets that aim to create chaos or steal sensitive information directly, Popa has a more nuanced approach. Its primary function is to establish a persistent communications layer that registers devices and maintains long-lasting encrypted connections. This allows the botnet to open communication tunnels on demand, effectively turning consumer electronics into tools for criminal enterprise.
The Connection to Vo1d
Researchers have associated Popa with the Vo1d botnet, which targets Android-based TV boxes marketed under a multitude of brand names. These devices typically offer users the chance to stream countless subscription video services for a one-time fee, luring them in with the promise of endless entertainment. However, the FBI and cybersecurity experts have alerted consumers about the bundled software that often comes pre-installed, converting these seemingly innocuous streaming devices into residential proxies. In essence, this allows third parties to route their Internet traffic through these devices without the owners’ awareness.
Tracing Origins
Initial clues regarding Popa surfaced in a 2025 report from the Chinese cybersecurity firm XLAB. Researchers flagged various domain names that facilitated the registration and control of these compromised devices. A newer investigation from Qurium revealed that these domains led to significant data scraping events involving more than 1.4 million Internet addresses. Domains such as gmslb[.]net and ninjatech[.]io have become focal points for further investigation.
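The persistent registration-and-control behaviour described above, together with the two domains the report names, lends itself to a simple network-side check. The following is an added example, not code from the original report or from any organisation it names: it refangs the published domains and flags home-network clients whose DNS queries resolve them or their subdomains. The dnsmasq-style log lines and client addresses are constructed samples.

```python
import re
from typing import Iterable

# The two domains named in the XLAB/Qurium reporting, kept in the defanged
# form the write-up uses. Everything else in this block is constructed.
REPORTED_DOMAINS = ["gmslb[.]net", "ninjatech[.]io"]

def refang(indicator: str) -> str:
    """Turn a defanged indicator such as 'gmslb[.]net' back into 'gmslb.net'."""
    return indicator.replace("[.]", ".").replace("(.)", ".").lower().strip(".")

def matches_domain(qname: str, domain: str) -> bool:
    """True if qname is the domain itself or a subdomain of it.

    Suffix matching on a dot boundary avoids the classic substring mistake
    where 'notgmslb.net' would be counted as a hit for 'gmslb.net'.
    """
    q = qname.lower().rstrip(".")  # tolerate a trailing root dot
    return q == domain or q.endswith("." + domain)

# Constructed dnsmasq-style query line: "... query[A] <name> from <client-ip>"
QUERY_RE = re.compile(r"query\[(?P<qtype>\w+)\] (?P<qname>\S+) from (?P<client>\S+)$")

def find_suspect_clients(log_lines: Iterable[str],
                         indicators: Iterable[str]) -> dict[str, set[str]]:
    """Map each client IP to the set of reported domains it tried to resolve."""
    domains = [refang(i) for i in indicators]
    hits: dict[str, set[str]] = {}
    for line in log_lines:
        m = QUERY_RE.search(line)
        if not m:
            continue
        for d in domains:
            if matches_domain(m["qname"], d):
                hits.setdefault(m["client"], set()).add(d)
    return hits

# Constructed sample log: one TV box (192.168.1.57) resolving both reported
# domains, one benign client, and one near-miss name that must not match.
SAMPLE_LOG = [
    "Mar  3 01:12:07 dnsmasq[812]: query[A] api.gmslb.net from 192.168.1.57",
    "Mar  3 01:12:09 dnsmasq[812]: query[A] www.example.com from 192.168.1.20",
    "Mar  3 01:13:44 dnsmasq[812]: query[A] notgmslb.net from 192.168.1.20",
    "Mar  3 02:40:01 dnsmasq[812]: query[AAAA] ninjatech.io. from 192.168.1.57",
]

if __name__ == "__main__":
    for client, doms in find_suspect_clients(SAMPLE_LOG, REPORTED_DOMAINS).items():
        print(f"{client} resolved reported domains: {', '.join(sorted(doms))}")
```

A device that repeatedly resolves these names and then holds long-lived outbound TLS sessions is a candidate for isolation and firmware review rather than proof of compromise on its own.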
The Role of Ninjatech
Interestingly, the domain ninjatech.io is linked to Moishi Kramer, who was instrumental in building the infrastructure of NetNut. In a statement, Kramer claims that his company, Ninjatech, ceased operations about five years ago after licensing the Popa SDK to third parties. He argues that once distributed, the original developers lose control over how the software is modified or used by others.
NetNut’s Response
Alarum Technologies, NetNut’s parent company, has firmly denied claims that its services facilitate malicious activities. The company insists that its SDKs are designed for bandwidth-sharing and do not compromise user devices. It claims to maintain strict procedures to ensure responsible use of its services, asserting that significant emphasis is placed on customer due diligence and monitoring.
Investigations Unveil Contradictions
However, reports from analysts like Spur have raised red flags about NetNut’s actual practices, suggesting they do not enforce meaningful know-your-customer (KYC) checks. According to Spur, users can easily access their services with little to no verification, leading to questionable usage of residential IP addresses. This blurs the line between legitimate proxy use and malicious activity.
The Scope of Popa’s Influence
Notably, Popa operates at tremendous scale, presenting between 1.5 million and 2.5 million unique IP addresses each day. The breadth of its operation means that the botnet has made inroads into various industries, amplifying its potential for misuse. Chris Formosa from Black Lotus Labs highlights how other proxy services often rely on NetNut’s infrastructure, making Popa a potent force within the ecosystem of online mischief.
Data Scraping and AI
The relationship between proxy services and data scraping is another key aspect to explore. Many companies now tout their residential proxies as essential for training AI models, tapping into the growing demand for web-scraped content. This increasing dependence on scraping brings its own challenges, leading to complaints from various sectors, including nonprofit groups and academic institutions, who find their services disrupted by aggressive scraping tactics.
Consumer Awareness and Usage Risks
Consumer awareness of the chain of events triggered by using these unofficial TV boxes remains alarmingly low. Many households unknowingly contribute valuable bandwidth to train modern AI models each month just by having these devices plugged in. The risk is even higher for smart TVs, as they can also fall victim to similar schemes through seemingly benign apps downloaded from app stores.
The Future of Proxy Networks
As these services continue to evolve, they often gloss over what it means to obtain meaningful user consent. The gap between theoretical consent and practical understanding continues to broaden, especially where children or uninformed users are the ones downloading the apps. Industry experts suggest that manufacturers like LG and Samsung should follow Amazon’s lead by prohibiting any app that facilitates residential proxy services.
Broadening Scope of Threats
The insights from organizations like Infoblox indicate that the problem extends beyond personal computing devices, infiltrating corporate environments as well. As more employees use residential proxy-related services, businesses face the risk of being implicated in malicious activities, raising concerns about reputational damage and potential legal consequences.
The complexities surrounding the Popa botnet, its connection to proxy services, and the broader implications of residential proxies are reshaping the digital landscape in unexpected ways. Understanding these threads is crucial for both individuals and organizations aiming to navigate this increasingly labyrinthine online environment.