
Google Disrupts NetNut Proxy Network of 2 Million Smart TVs Exploited by Cybercriminals

Google's Journey Toward Innovation and Expansion. [TechGolly]

Key Points:

  • Google’s Threat Intelligence Group, in coordination with the FBI and Lumen, disrupted the massive NetNut residential proxy network.
  • The malicious network, also known as Popa, compromised at least 2 million connected home devices like smart TVs and streaming boxes.
  • NetNut secretly turned consumer gadgets into exit nodes for hackers by embedding stealthy software development kits inside free apps.
  • The crackdown follows the FBI seizing hundreds of NetNut-associated domains and Google’s Play Protect blocking infected applications.

A massive, highly coordinated international operation has successfully dismantled one of the world’s largest digital networks used to mask cybercrime. Google’s Threat Intelligence Group, in close coordination with the Federal Bureau of Investigation (FBI), telecom provider Lumen Technologies, and other global security partners, executed a major takedown targeting the NetNut residential proxy network. Also tracked under the name Popa, the sprawling botnet secretly hijacked at least two million connected consumer devices—such as smart TVs and streaming boxes—converting them into stealthy relays for malicious internet traffic. The successful intervention marks a major victory in the ongoing global campaign to disable the underground proxy pipelines that allow hackers to hide in plain sight.

The threat intelligence behind the operation centers on the hidden economy of residential proxies. Traffic from data-center servers is easy to identify and block, because those IP ranges are registered to hosting providers and show up in IP-reputation and ASN lists. Residential proxy services instead route their customers' traffic through the real home IP addresses of ordinary consumer internet connections. Because each request appears to come from an innocent household, and typically from a different household each time, fraud and abuse controls treat it as legitimate browsing and per-IP rate limits never trigger. That stealth makes residential proxies highly sought after by bad actors, who rent access to the hijacked home connections to mask account takeovers, run password-spray attacks, and perform high-volume data scraping.
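The paragraph above explains why per-IP blocking fails against a residential proxy pool. The following is an added example, not code from the article or from any of the parties it describes, showing the difference on the defender's side: a conventional per-IP brute-force rule stays silent on a password spray routed through home IPs, while a rule that looks at the spread of accounts and sources in a time window catches it. The log format, field names, usernames and addresses are all constructed for the example.

```python
"""Added example (not from the article): telling a residential-proxy
password spray apart from a single-source brute force in auth logs.
All log lines, usernames and addresses below are constructed."""
import re
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed sample auth log. Ten failures against ten different accounts,
# spread over nine source addresses: the signature of a spray routed through
# a residential proxy pool, where each home IP is used only once or twice.
SAMPLE_LOG = """\
2026-03-02T09:00:01Z auth_fail user=alice src=198.51.100.23
2026-03-02T09:00:03Z auth_fail user=bob src=203.0.113.8
2026-03-02T09:00:04Z auth_ok user=carol src=192.0.2.77
2026-03-02T09:00:06Z auth_fail user=dave src=198.51.100.140
2026-03-02T09:00:09Z auth_fail user=erin src=203.0.113.201
2026-03-02T09:00:12Z auth_fail user=frank src=192.0.2.15
2026-03-02T09:00:15Z auth_fail user=grace src=198.51.100.9
2026-03-02T09:00:18Z auth_fail user=heidi src=203.0.113.66
2026-03-02T09:00:21Z auth_fail user=ivan src=192.0.2.130
2026-03-02T09:00:24Z auth_fail user=judy src=198.51.100.211
2026-03-02T09:00:27Z auth_fail user=mallory src=203.0.113.8
2026-03-02T09:05:00Z auth_ok user=alice src=192.0.2.77
"""

LINE_RE = re.compile(r"^(\S+) (auth_fail|auth_ok) user=(\S+) src=(\S+)$")


def parse_log(text):
    """Parse the constructed log format into time-sorted event dicts."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # ignore lines that are not auth events
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        events.append({
            "ts": ts.replace(tzinfo=timezone.utc),
            "event": m.group(2),
            "user": m.group(3),
            "src": m.group(4),
        })
    events.sort(key=lambda e: e["ts"])
    return events


def per_ip_bruteforce(events, threshold=10):
    """The classic rule: one source IP with many failures.
    Against a residential proxy pool this never fires, because no single
    home IP accumulates enough failures."""
    fails = Counter(e["src"] for e in events if e["event"] == "auth_fail")
    return {ip for ip, n in fails.items() if n >= threshold}


def distributed_spray(events, window=timedelta(minutes=10),
                      min_users=8, min_ips=8, max_per_ip=2):
    """Spray rule: within one window, many distinct accounts fail, from many
    distinct sources, with each source contributing only a handful of tries.
    Returns one alert per matching run of events."""
    fails = [e for e in events if e["event"] == "auth_fail"]
    alerts = []
    i = 0
    while i < len(fails):
        start = fails[i]["ts"]
        # events are sorted, so the window is a contiguous run starting at i
        bucket = [e for e in fails[i:] if e["ts"] < start + window]
        users = {e["user"] for e in bucket}
        per_ip = Counter(e["src"] for e in bucket)
        if (len(users) >= min_users and len(per_ip) >= min_ips
                and max(per_ip.values()) <= max_per_ip):
            alerts.append({
                "window_start": start.isoformat(),
                "failures": len(bucket),
                "distinct_users": len(users),
                "distinct_ips": len(per_ip),
            })
            i += len(bucket)  # do not re-alert on the same events
        else:
            i += 1
    return alerts


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("per-IP brute-force hits:", per_ip_bruteforce(evs))
    print("distributed spray alerts:", distributed_spray(evs))
```

The thresholds are illustrative; in production they would be tuned to the tenant's normal failure rate, and the source field would usually be enriched with ASN or IP-reputation data so that a burst of otherwise unrelated consumer ISPs stands out further.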


The investigation found that NetNut grew its pool of infected devices through two primary distribution vectors. First, many cheap, off-brand smart TVs and streaming boxes shipped from the factory with the proxy client already built into their firmware, so the device was enrolled before the buyer ever turned it on. Second, ordinary consumers unknowingly enrolled their devices by downloading free applications that quietly bundled NetNut's software development kits (SDKs); the app did what it advertised while the SDK opened a proxy tunnel in the background. In other cases, users knowingly installed bandwidth-sharing programs, lured by the promise of monetizing unused internet capacity, without understanding that they were letting strangers route arbitrary traffic out of their home networks.

An active proxy exit node in the living room poses real risks to the household that owns it. Once a smart TV or streaming box is conscripted, traffic from whoever is renting the node flows out through the home router under the resident's IP address, so that address takes the blame for whatever the renters do. The mechanism also explains why the router's firewall does not help: the device opens an outbound connection to the operator's backend itself, and the renters' requests arrive tunneled inside that already-established session, which NAT and stateful firewalls are designed to allow. Unless the proxy client refuses to forward to private addresses, a renter can ask the node to fetch 192.168.x.x or 10.x.x.x destinations, turning it into a foothold from which to scan, access, and exploit other devices on the same network, such as personal computers, smartphones, and security cameras.
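To make the last point concrete, here is an added example (not NetNut's code and not from the article) of the destination policy a relay running on a home device would need in order to keep renters off the LAN, shown beside the unrestricted behaviour. It goes a little beyond the paragraph by also covering two ways a naive check is sidestepped: a public-looking hostname that resolves to a private address, and an IPv4-mapped IPv6 literal. The hostnames, the request list and the stand-in resolver table are constructed so the example runs offline.

```python
"""Added example (not NetNut's code or the page's): the destination check a
proxy relay running on a home device must do to keep renters off the LAN.
Hostnames, addresses and the fake resolver table are constructed."""
import ipaddress

# Constructed stand-in for DNS so the example runs offline. "router.lan"
# and the rebinding name resolve to private addresses on purpose.
FAKE_DNS = {
    "example.com": "93.184.216.34",
    "router.lan": "192.168.1.1",
    "rebind.attacker.test": "10.0.0.5",
}

# Constructed requests as a proxy renter might send them to the exit node.
RENTER_REQUESTS = [
    ("example.com", 443),            # ordinary web traffic
    ("example.com", 22),             # SSH through the TV: not web browsing
    ("192.168.1.1", 80),             # the home router's admin page
    ("router.lan", 80),              # same target, via a hostname
    ("rebind.attacker.test", 443),   # public-looking name, private answer
    ("127.0.0.1", 8080),             # the device's own local services
    ("169.254.169.254", 80),         # link-local address
    ("::ffff:10.0.0.5", 554),        # IPv4-mapped IPv6 form of a LAN camera
]


def resolve(host):
    """Return the IP the relay would actually connect to, or None if the
    name is unknown. Literal IPs (v4 or v6) are accepted as-is."""
    try:
        return ipaddress.ip_address(host)
    except ValueError:
        pass
    answer = FAKE_DNS.get(host)
    return ipaddress.ip_address(answer) if answer else None


def naive_relay_allows(host, port):
    """An unrestricted exit node: forwards whatever the renter asks for,
    including connections into the network the device sits on."""
    return True


def hardened_relay_allows(host, port, allowed_ports=(80, 443)):
    """Refuse anything that is not a globally routable address on a web
    port. The relay must connect to the address it checked, not resolve
    the name a second time, or a changing DNS answer defeats the check."""
    addr = resolve(host)
    if addr is None:
        return False
    # ::ffff:a.b.c.d is still a.b.c.d; check the inner IPv4 address.
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped:
        addr = addr.ipv4_mapped
    if not addr.is_global:
        return False  # private, loopback, link-local, reserved, etc.
    return port in allowed_ports


def audit(policy, requests=RENTER_REQUESTS):
    """Run every request through a policy; return the ones it would forward."""
    return [(h, p) for h, p in requests if policy(h, p)]


if __name__ == "__main__":
    print("naive forwards   :", audit(naive_relay_allows))
    print("hardened forwards:", audit(hardened_relay_allows))
```

Of the eight constructed requests, only the plain HTTPS request to a public host survives the hardened policy; every other entry is a way of reaching something inside the home or on the device itself. From the household's side the equivalent control is an outbound rule on the router that only lets the TV reach the streaming services it needs, so an embedded client cannot reach the operator's backend at all.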

To disrupt the network, the joint task force executed a synchronized technical and legal offensive. In a direct blow to the network's business operations, the FBI and the Internal Revenue Service Criminal Investigation Division seized hundreds of domain names associated with NetNut's platform and replaced its public homepage with an official government seizure banner. Concurrently, Google disabled the Google accounts, cloud services, and backend infrastructure that the operators used for malware command-and-control. Together, the two actions stripped the botnet of its operating infrastructure and severed communication with millions of infected devices.

On the consumer side, Google is using its built-in security features to push the infected applications out of the Android ecosystem. Google Play Protect, which continuously scans Play-certified Android devices, now warns users about and disables mobile applications known to incorporate the network's SDKs, and it will block future installation attempts of the same software. Devices that are not Play-certified, a category that includes many of the off-brand boxes that shipped with the proxy client in firmware, do not run Play Protect at all, so a client baked into such a box's firmware is not something this mechanism can remove. Google also shared detailed technical intelligence on the backend infrastructure and SDK code with other major operating system developers, platform providers, and research firms to drive ecosystem-wide enforcement.

What makes this takedown unusual compared with typical shadow-operating botnets is that the platform traces back to a publicly traded company. NetNut is a subsidiary of Alarum Technologies, an Israeli company listed on NASDAQ. Alarum has previously disputed the characterization of its proxy network as an illegal botnet, arguing that residential proxy services have legitimate commercial uses such as market research and ad verification. Independent researchers at several international security firms nonetheless linked the parent company's infrastructure directly to the malicious Popa botnet, which led to the sweeping federal seizure.

The operation against the Israeli-owned platform is not a one-off event but part of a sustained global crackdown on malicious residential proxies. It builds directly on a similar disruption carried out by the same threat intelligence group in January, when it dismantled the IPIDEA residential proxy network. By repeatedly targeting these intermediary networks, defenders are raising the cost of the anonymity that hacking syndicates buy to attack targets worldwide, and shrinking the supply of clean-looking home IP addresses the cybercrime marketplace depends on.

Ultimately, the coordinated strike against the two-million-device botnet shows that protecting the modern digital economy requires continuous, collaborative vigilance. As the Internet of Things keeps expanding, bringing billions of smart appliances, television boxes, and connected gadgets into consumer homes, securing these edge devices becomes both a national-security and a household-security concern. Consumers should be wary of free bandwidth-monetization programs, stick to official app stores with Play Protect enabled, and prefer certified hardware over no-name streaming boxes, since a proxy client shipped in firmware cannot be uninstalled like an app. Until international law can hold companies accountable for distributing proxy-enrolling SDKs, the combination of technical monitoring, public awareness, and swift federal enforcement remains the most effective line of defense.

Newsroom
Al Mahmud Al Mamun leads the TechGolly Newsroom team. He served as Editor-in-Chief of a world-leading professional research magazine. Rasel Hossain is supporting as Managing Editor. Our team incorporates technologists, researchers, and technology writers. We have substantial expertise in Information Technology (IT), Artificial Intelligence (AI), and Embedded Technology.