A sprawling Android botnet known as Popa has been operating covertly for four years, hijacking millions of consumer TV boxes to facilitate large-scale cybercriminal activities including advertising fraud, account takeovers, and mass data scraping. Researchers from multiple security firms have now connected this botnet infrastructure to NetNut, a residential proxy provider operated by the publicly traded Israeli firm Alarum Technologies Ltd.
Unlike traditional botnets designed for destructive purposes, Popa appears specifically engineered to establish persistent communication channels on compromised devices. These Android TV boxes, sold under numerous brands through major e-commerce platforms, are marketed as all-in-one streaming solutions that promise access to premium subscription services for a one-time fee. However, unbeknownst to consumers, these devices come pre-loaded with software that converts them into residential proxy nodes, allowing third parties to route internet traffic through the user's home network.
Security researchers at Qurium discovered the connection while investigating disruptive data scraping attacks that were distributed across more than 1.4 million IP addresses. Their investigation revealed that the domains used to control the botnet were embedded in popular pirated streaming applications such as CRICFy, DooFlix, and RTS Tv. Following previous law enforcement actions against related botnets, researchers observed new controller domains emerging, including one