Popa Botnet Linked to Publicly-Traded Israeli Firm

Is Your Smart TV Part of a Botnet? The Popa Problem and Corporate Accountability

Millions of Android-based TV boxes and smart TVs are currently relaying internet traffic for advertising fraud, account takeovers, and mass data-scraping. This co-option of consumer devices raises significant questions when a publicly-traded company is implicated.

The deceptive integration of malicious infrastructure with what appear to be legitimate business operations raises questions about the due diligence expected from proxy service providers. The central issue remains how a company's services can facilitate a botnet, and the implications for users and the broader internet.

Popa's Network: Tracing the Link to NetNut

The Popa botnet has long operated by converting Android devices into residential proxy nodes. While security researchers have tracked its activity for years, new high-confidence reports directly link Popa to NetNut, a residential proxy provider.

Several security research firms have published reports solidifying this connection. Synthient's research indicates with high confidence that Popa-infected devices forward traffic from NetNut clients, proving Popa's active use within NetNut's proxy pool. Reports from firms like Qurium detail Popa control domains such as gmslb[.]net and ninjatech[.]io, and attribute certain VPN apps, such as RoboVPN, to entities linked to NetNut. Nokia Deepfield's separate analysis of RoboVPN further supports this evidence.

Lumen Technologies (Black Lotus Labs) has tracked Popa, observing between 1.5 million and 2.5 million distinct IP addresses daily, supported by 250-300 Internet addresses for command and control. Similarly, Nokia Deepfield observed 750,000 unique sources in 24 hours on a subset of 26 relay nodes.

Device Enlistment: The Proxy Mechanism

Popa operates as an Android-based botnet, functioning as a residential proxy network. Its design incorporates a persistent communications layer, enabling device registration, maintenance of long-lived encrypted connections, and on-demand communication tunnel establishment. It often manifests as a plugin component, frequently associated with the Vo1d and Badbox 2.0 botnets.

Infection vectors are often deceptive. Many unofficial Android-based TV boxes arrive with this proxy software pre-installed. Smart TV applications also contribute; over 42% of apps on LG webOS and over 25% of apps on Samsung Tizen operating systems incorporate residential proxy SDKs. Mobile app developers embed these SDKs into free applications—such as VPNs, streaming apps, screensavers, or PDF viewers—as a monetization strategy. However, they frequently enroll devices into these proxy networks without the owner's knowledge or explicit, informed consent.

Once installed, your device becomes a node in this network, relaying internet traffic for NetNut clients and effectively lending your home IP address to someone else for various operations.

A smart TV and Android box, illustrating potential device compromise.

Consequences: Beyond Resource Consumption

For consumers, the direct impact involves unauthorized use of device resources: bandwidth consumption, battery drain, and potential performance degradation. More critically, there is legal and reputational exposure. If a threat actor uses your IP address for illicit activities, that traffic is traceable directly to your residence.

Corporate networks also face substantial risk. Infoblox reports that 65% of their customer base queried one or more residential proxy-related domains. They observed a 25% increase in such queries in 2025, reaching over 500 billion per month. This trend was particularly pronounced among pharmaceutical and food & beverage customers, where over 90% queried residential proxy indicators, and among government and banking customers, where over 60% queried residential proxy indicators. This data underscores the prevalence of these services and the associated risk of external access to an organization's IP space, which can lead to legal and reputational damage if abused.

Alarum Technologies, NetNut's parent company, disputes the 'botnet' characterization, asserting that its SDKs facilitate bandwidth-sharing with user consent and that it upholds policies, procedures, and technological measures to ensure lawful use, including KYC checks and misuse monitoring.

Evidence from security researchers presents a different picture. Synthient's analysis indicates that while some recent Popa builds (as of 3 months prior to June 2026) incorporated user consent functionality, this is not present in all variants or previous versions. More critically, none of the more than 20 genuine Popa publishers it analyzed was observed asking for user consent. Furthermore, a June 8, 2026 report from proxy tracking service Spur asserts that NetNut's KYC procedures are insufficient, characterizing "verified corporations only" as marketing, with resellers offering access with less scrutiny.

This situation highlights a significant discrepancy between corporate claims and independent research findings. For instance, while Moishi Kramer, Ninjatech's founder, claims Ninjatech ceased operations approximately five years ago and sold the Popa SDK, denying control over its current deployment or the ninjatech[.]io domain, Qurium's report identifies ninjatech[.]io as an active Popa control domain. The consistency of evidence across multiple reputable firms challenges the concept of 'plausible deniability' regarding the nature and control of the Popa infrastructure.

Path Forward: Addressing the Challenge

The security community has actively worked to disrupt Popa. For instance, Google, HUMAN Security, and Trend Micro collaborated to seize or dismantle most domains controlling the Popa botnet during the disruption of Badbox 2.0 in July 2025. Subsequently, new domains have emerged, with ninjatech[.]io identified as a pre-existing control domain. Google and industry partners also initiated legal action in January 2026 to seize domain names used by other proxy providers, such as IPIDEA. These are necessary steps, but disruption is an ongoing effort: operators adapt, and defenders must keep pace.

For organizations, the immediate priority is to monitor networks for connections to known residential proxy domains. Infoblox's data suggests this is not an isolated incident; rather, it is a widespread issue that necessitates active defense. Implementing effective egress filtering and DNS monitoring can identify and block traffic to these indicators.
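The DNS monitoring described above can be implemented as a simple log scan. The following is an added example, not code from the article or from any of the firms it cites: it checks a constructed set of BIND-style query log lines against a watchlist built from the two Popa control domains the article names (gmslb[.]net and ninjatech[.]io) plus an obviously labelled placeholder, and counts matches per internal client so that a single noisy host (a likely enrolled TV box) stands out. The log line format, the client addresses and the placeholder domain are all assumptions constructed for the example.

```python
"""Flag DNS queries to known residential-proxy control domains in a query log."""
import re
from collections import Counter

# Watchlist: the two Popa control domains named in the article, plus one
# clearly labelled placeholder standing in for any extra indicator you maintain.
RESIDENTIAL_PROXY_DOMAINS = {
    "gmslb.net",
    "ninjatech.io",
    "example-proxy-indicator.invalid",  # placeholder, not a real indicator
}

# Constructed BIND-style query log format assumed by this example:
# "<timestamp> client <ip>#<port>: query: <qname> IN <qtype>"
QUERY_RE = re.compile(
    r"client (?P<client>\d{1,3}(?:\.\d{1,3}){3})#\d+: "
    r"query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)


def matches_watchlist(qname, watchlist=RESIDENTIAL_PROXY_DOMAINS):
    """Return the watchlist entry that qname equals or is a subdomain of, else None.

    The check is label-aware: 'api.gmslb.net' matches, 'notgmslb.net' and
    'ninjatech.io.example.com' do not.
    """
    name = qname.rstrip(".").lower()
    for indicator in watchlist:
        if name == indicator or name.endswith("." + indicator):
            return indicator
    return None


def scan_dns_log(lines, watchlist=RESIDENTIAL_PROXY_DOMAINS):
    """Return (client_ip, qname, matched_indicator) for every matching query line."""
    hits = []
    for line in lines:
        m = QUERY_RE.search(line)
        if not m:
            continue  # not a query line in the assumed format
        matched = matches_watchlist(m.group("qname"), watchlist)
        if matched:
            hits.append((m.group("client"), m.group("qname").rstrip("."), matched))
    return hits


def summarize_by_client(hits):
    """Count matching queries per internal client; a repeat offender is a device to inspect."""
    return Counter(client for client, _, _ in hits)


def defang(domain):
    """Render a domain as 'example[.]net' so reports cannot be clicked by accident."""
    return domain.replace(".", "[.]")


# Constructed sample log: 192.168.1.23 plays the role of an enrolled TV box.
SAMPLE_LOG = [
    "08-Jun-2026 10:00:01.001 client 192.168.1.23#51234: query: api.gmslb.net IN A",
    "08-Jun-2026 10:00:02.114 client 192.168.1.23#51240: query: ninjatech.io IN A",
    "08-Jun-2026 10:00:03.220 client 192.168.1.40#40001: query: www.example.com IN A",
    "08-Jun-2026 10:00:04.330 client 192.168.1.40#40002: query: notgmslb.net IN A",
    "08-Jun-2026 10:00:05.440 client 192.168.1.23#51250: query: cdn.gmslb.net IN AAAA",
    "08-Jun-2026 10:00:06.550 client 192.168.1.77#40100: query: ninjatech.io.example.com IN A",
]

if __name__ == "__main__":
    found = scan_dns_log(SAMPLE_LOG)
    for client, qname, indicator in found:
        print(f"{client} queried {defang(qname)} (matches {defang(indicator)})")
    for client, count in summarize_by_client(found).most_common():
        print(f"{client}: {count} residential-proxy lookups")
```

Feeding a real resolver log into `scan_dns_log` and alerting on any client that appears in `summarize_by_client` gives the first half of the article's recommendation; the matched domains are also the list to feed into egress filtering, which is the second half.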

The findings from Synthient and Spur underscore the critical need for genuine, verifiable user consent mechanisms across all SDK versions, and rigorous 'Know Your Customer' (KYC) procedures that extend beyond marketing claims. Transparency in how services operate and how devices are enrolled is also highlighted as essential to address the discrepancies identified by researchers. These measures are not merely best practices but are increasingly seen as imperative to avoid the reputational and legal fallout associated with enabling widespread abuse.

The Popa botnet situation highlights the often-blurred distinction between legitimate 'bandwidth sharing' and malicious 'botnet infrastructure.' Companies operating in this space face increasing scrutiny to ensure their services do not enable widespread abuse, as continued discrepancies between claims and evidence will likely lead to further reputational and legal challenges.

Network cable connected to a router, symbolizing a potential point of compromise.
Daniel Marsh
Former SOC analyst turned security writer. Methodical and evidence-driven, breaks down breaches and vulnerabilities with clarity, not drama.