Android TV Boxes Linked to Global Botnet Force Millions to Relay Ad Fraud Traffic

by Anika Shah - Technology

Millions of consumer Android TV boxes have been repurposed as part of a massive residential proxy botnet known as Popa, which routes internet traffic for data scraping, advertising fraud, and account takeovers. Security researchers, including those at Qurium and Synthient, have linked the botnet’s infrastructure to NetNut, a proxy service owned by the publicly traded firm Alarum Technologies Ltd. [NASDAQ: ALAR].

How the Popa Botnet Functions

Popa operates as a persistent communication layer embedded within unofficial Android-based streaming devices. Unlike traditional botnets that focus on disruptive attacks like DDoS, Popa is designed to maintain long-lived, encrypted tunnels that allow third parties to route traffic through a user’s home network. According to Lumen Technologies’ Black Lotus Labs, the botnet maintains between 1.5 million and 2.5 million active IP addresses daily. These devices, often marketed as low-cost alternatives for streaming subscription content, frequently come pre-installed with the Popa plugin, which activates as soon as the hardware connects to a local network.

The Connection to NetNut and Alarum Technologies

Researchers at Qurium identified that domains used to control the Popa botnet—such as gmslb[.]net and ninjatech[.]io—are historically tied to the development of proxy infrastructure. Synthient analysis further suggests that outbound traffic from these devices is directed to NetNut clients.

Moishi Kramer, a vice president of R&D at NetNut, confirmed his past involvement with the Ninjatech domain but stated in an email that the company ceased operations years ago. He denied current control over the botnet, stating, "I have no control over, or visibility into, that infrastructure."

In a formal statement, Alarum Technologies rejected the characterization of their SDKs as a botnet. The company asserted that their technology is designed for "bandwidth-sharing" and that they implement "technological measures" to prevent misuse. However, the proxy-tracking service Spur challenged these claims in a June 2025 report, noting that many proxy providers—including those using NetNut’s pool—lack rigorous "Know Your Customer" (KYC) procedures, often allowing anonymous users to purchase access with cryptocurrency.

Risks to Corporate and Home Networks

The integration of residential proxy software into consumer electronics presents significant security risks, particularly when these devices are connected to corporate networks. Infoblox reported that 65% of its customer base observed queries related to residential proxy domains, including in highly regulated sectors like banking and healthcare.

When a corporate device or a home-office network acts as a residential proxy, it can unintentionally facilitate malicious activity. If a third party uses that IP address to launch an attack, the organization’s network may be identified as the source. This creates potential legal and reputational exposure for the unsuspecting owner.
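Network defenders can look for this exposure by checking resolver logs for the control domains the researchers named (gmslb[.]net and ninjatech[.]io). The script below is an added example, not code from the article or from the researchers it cites; the log format, the sample lines and the function names are assumptions made for illustration.

```python
from collections import defaultdict

# Control domains named in the article (defanged there, refanged here for matching).
POPA_DOMAINS = {"gmslb.net", "ninjatech.io"}

# Constructed sample resolver log. Assumed format: "<timestamp> <client_ip> <qname> <qtype>".
SAMPLE_LOG = """\
2025-06-01T10:00:01Z 10.0.4.21 api.gmslb.net. A
2025-06-01T10:00:02Z 10.0.4.21 www.example.com. A
2025-06-01T10:00:05Z 10.0.7.9 NinjaTech.io AAAA
2025-06-01T10:00:09Z 10.0.7.9 notgmslb.net. A
2025-06-01T10:01:12Z 10.0.4.21 edge.node.gmslb.net. A
malformed line
"""

def refang(name):
    """Turn a defanged indicator such as gmslb[.]net back into a plain domain."""
    return name.replace("[.]", ".")

def match_domain(qname, watchlist=POPA_DOMAINS):
    """Return the watchlisted domain that qname equals or is a subdomain of, else None."""
    labels = refang(qname).strip().rstrip(".").lower().split(".")
    # Compare on label boundaries so "notgmslb.net" does not match "gmslb.net".
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in watchlist:
            return candidate
    return None

def find_proxy_clients(log_text, watchlist=POPA_DOMAINS):
    """Map each client IP to the sorted watchlisted names it queried."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue  # skip lines that do not fit the assumed format
        _ts, client, qname, _qtype = fields
        if match_domain(qname, watchlist):
            hits[client].add(qname.rstrip(".").lower())
    return {client: sorted(names) for client, names in hits.items()}

if __name__ == "__main__":
    for client, names in find_proxy_clients(SAMPLE_LOG).items():
        print(client, "->", ", ".join(names))
```

A client that appears in the result is a device to locate and inspect, such as a TV box or a smart TV app on the office or home-office network.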

The Role of AI in Data Scraping

The surge in residential proxy usage is largely driven by the demand for web-scraped data to train Artificial Intelligence models. According to Include Security, modern AI companies require residential IPs to bypass the protections employed by large platforms like Cloudflare or DataDome, which often block requests originating from known data centers.

The prevalence of this practice extends beyond unofficial TV boxes. Spur found that approximately 42% of apps in the LG smart TV store and over 25% of apps in the Samsung Tizen store include SDKs that can turn a television into an always-on proxy node. While these apps often include disclosures in their privacy policies, experts argue that such "consent" is insufficient, as many users—including children—may inadvertently authorize the connection while navigating simple menus with a remote control.

Key Takeaways

  • Scope: The Popa botnet utilizes millions of Android-based TV boxes to create a global residential proxy network.
  • Attribution: Researchers from Qurium and Synthient have linked the botnet’s traffic to NetNut, a subsidiary of Alarum Technologies.
  • Corporate Threat: Infoblox warns that residential proxy SDKs are increasingly found on employee devices, potentially exposing corporate networks to liability for third-party traffic.
  • Platform Response: While platforms like Roku and Amazon have moved to restrict proxy-enabling SDKs, smart TV manufacturers like LG and Samsung still host thousands of apps that contain these components.
