NetNut Residential Proxy Service Masking Four-Year Android Botnet Operation at Scale
Popa, a multi-year Android botnet compromising millions of consumer TV boxes, has been attributed to NetNut, a residential proxy service operated by publicly-traded Israeli firm Alarum Technologies. The botnet facilitates advertising fraud, account takeovers, and mass data scraping under commercial cover.
Affected
Security researchers have established a direct link between the Popa botnet and NetNut, a residential proxy provider operated by publicly-traded Alarum Technologies. This attribution represents a significant operational security failure or deliberate misuse of infrastructure: Popa has compromised millions of Android-based consumer TV boxes over four years whilst maintaining operational continuity under commercial proxy branding. The botnet's traffic has been actively monetised for advertising fraud, credential compromise, and large-scale data harvesting.
The technical architecture combines consumer device infection with proxy service infrastructure, creating a two-tier abuse model. Infected TV boxes become unwitting relay nodes for fraudulent traffic originating from residential IP addresses, which are substantially harder to filter than datacenter proxies. This makes Popa particularly effective for circumventing fraud detection systems that rely on IP geolocation and datacenter reputation signals. The four-year duration suggests detection avoidance strategies that may include traffic obfuscation, periodic sinkhole evasion, or compartmentalised command infrastructure.
The commercial proxy service layer is the novel finding here. NetNut's legitimate business model provides plausible deniability for traffic patterns that would otherwise trigger security alarms. Customers purchasing proxy access through official channels receive IP addresses that actually route through compromised consumer devices, effectively purchasing access to a botnet without explicit knowledge. This conflates the business model of a proxy provider with the operational structure of a distributed attack platform.
Defenders and law enforcement face a compounded attribution problem: distinguishing between proxy service customers behaving legitimately and those knowingly purchasing botnet-backed access. Organisations receiving traffic from residential IP blocks should now consider enrichment against NetNut's documented infrastructure. The public company status of Alarum Technologies suggests regulatory and shareholder liability exposure, though enforcement jurisdiction remains fragmented across the countries in which the infected devices operate.
The broader implication is that residential proxy services have become a strategically important target for botnet operators. Unlike traditional botnets that require direct monetisation, proxy service infrastructure provides legitimate commercial cover whilst enabling fraud at scale. Future security investment should focus on passive DNS and BGP analysis to map proxy provider infrastructure against known botnet command channels, and on developing detection signatures for infected TV boxes exhibiting proxy service fingerprints.
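A defender-side illustration of the enrichment described above, as an added example that is not from the original article: it tags inbound source IPs against analyst-maintained residential-proxy ranges and adds a behavioural signal (many distinct accounts from one residential IP in a short window) that does not depend on datacenter reputation. The CIDR ranges and log lines are constructed placeholders, not NetNut's real allocations.

```python
import ipaddress
from collections import defaultdict

# Constructed placeholder ranges an analyst has tagged as a residential proxy
# provider's egress; documentation prefixes, not real NetNut allocations.
PROXY_PROVIDER_RANGES = [ipaddress.ip_network(n)
                         for n in ("203.0.113.0/24", "198.51.100.0/25")]

# Constructed sample access log: "<source_ip> <username> <unix_timestamp>"
SAMPLE_LOG = """\
203.0.113.7 alice 1700000000
203.0.113.7 bob 1700000020
203.0.113.7 carol 1700000040
203.0.113.7 dave 1700000060
198.51.100.9 erin 1700000100
192.0.2.44 frank 1700000000
192.0.2.44 frank 1700000300
"""

def parse_log(text):
    """Parse the constructed log format into (ip, user, timestamp) tuples."""
    events = []
    for line in text.splitlines():
        ip, user, ts = line.split()
        events.append((ipaddress.ip_address(ip), user, int(ts)))
    return events

def in_proxy_ranges(ip):
    return any(ip in net for net in PROXY_PROVIDER_RANGES)

def flag_sources(events, window=300, max_users=3):
    """Return {ip: reasons}. 'provider' = IP falls in a tagged proxy range;
    'user_churn' = more than max_users distinct accounts seen from one IP
    within `window` seconds, a common account-takeover / stuffing signal."""
    by_ip = defaultdict(list)
    for ip, user, ts in events:
        by_ip[ip].append((ts, user))
    flagged = {}
    for ip, hits in by_ip.items():
        reasons = []
        if in_proxy_ranges(ip):
            reasons.append("provider")
        hits.sort()
        # Sliding window anchored at each event; count distinct accounts in it.
        for i, (start, _) in enumerate(hits):
            users = {u for t, u in hits[i:] if t - start <= window}
            if len(users) > max_users:
                reasons.append("user_churn")
                break
        if reasons:
            flagged[str(ip)] = reasons
    return flagged
```

Running `flag_sources(parse_log(SAMPLE_LOG))` flags the two proxy-range IPs and attaches the churn reason only to the one cycling through four accounts in a minute, while the ordinary residential user is left alone.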