Android TV Boxes Hijacked for Advertising Fraud and AI Scraping: The Rise of the Popa Botnet
Researchers from multiple security firms have linked the sprawling Android-based botnet Popa to NetNut, a residential proxy provider operated by Alarum Technologies Ltd, an Israeli company listed on NASDAQ. The findings, detailed in reports from Qurium and Synthient, indicate that Popa has been used to enroll millions of consumer TV boxes into a network capable of supporting advertising fraud, account takeovers, and mass data scraping.
Unlike botnets built to launch disruptive attacks, Popa functions as a persistent communication layer: infected devices keep encrypted connections open to its infrastructure and open proxy tunnels on demand. Researchers describe it as a plugin component of the Vo1d botnet, which targets unofficial Android-based TV boxes. These devices, sold under thousands of brand names, often ship with bundled software that turns the owner's home internet connection into a residential proxy exit, allowing third parties to route traffic through it.
Qurium’s analysis found that domains linked to Popa, including gmslb.net and ninjatech.io, were used to control the botnet. The firm noted that while many of these domains were dismantled in July 2025, new ones emerged shortly after. Ninjatech.io, in particular, was tied to Moishi Kramer, a former vice president of research and development at NetNut. Kramer denied involvement, stating that the SDK he developed, Popa, was licensed to third parties and no longer controlled by him.
Synthient’s research, however, found that devices running Popa forward traffic on behalf of NetNut clients, and asserted that the botnet remains active within NetNut’s proxy pool. Alarum Technologies disputed these claims, calling them “demonstrably inaccurate” and emphasizing that its SDKs are designed for bandwidth sharing, not malware.
The scale of Popa’s operations is vast. Chris Formosa, a senior lead information security engineer at Black Lotus Labs, noted that the botnet averages 1.5 million to 2.5 million distinct IP addresses daily, with 250–300 control addresses. Jérôme Meyer of Nokia Deepfield estimated that 750,000 unique sources interacted with 26 relay nodes within a single 24-hour window, suggesting the true infected device count may be significantly higher.
The botnet’s activities intersect with the AI industry, as proxy services like NetNut are increasingly marketed as infrastructure for training large language models. Include Security’s report highlighted that AI companies rely on residential proxies to bypass website defenses, with over 70 copyright lawsuits filed against tech firms for data scraping.
Experts warn that the proliferation of residential proxies extends beyond TV boxes. Spur’s research found that 42% of LG webOS apps and 25% of Samsung Tizen apps include SDKs that turn devices into proxies. This raises concerns about user consent, as many apps obscure the true purpose of their data usage.
Alarum and NetNut claim to enforce “know your customer” policies, but Spur’s report contradicted this, stating that individuals can access proxy services with minimal verification. Infoblox also found that 65% of its customers queried residential proxy domains, with over 60% of government and banking clients affected.
The implications for security are severe. Infoblox researchers warned that residential proxies could expose organizations to legal and reputational risk: if a threat actor routes an attack on a third party through proxy software running inside an organization’s network, the attack traffic egresses from that organization’s own IP space.
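Infoblox’s finding rests on a simple check: which internal clients resolve domains tied to residential proxy infrastructure. The script below is an added example (not from the page or from any of the firms named) that runs that check over constructed, simplified BIND-style query-log lines, matching the two control domains the reporting names (gmslb.net and ninjatech.io) on label boundaries so that a look-alike such as notgmslb.net does not trigger. The watchlist, log lines and client addresses are assumptions for illustration; the page notes that many of these domains were replaced after July 2025, so a production watchlist must be kept current.

```python
import re
from collections import Counter

# Domains the reporting above names as Popa control infrastructure.
# The page says many were dismantled in July 2025 and replaced, so a
# real watchlist must be refreshed; this set is only what the page names.
WATCHLIST = {"gmslb.net", "ninjatech.io"}

# Constructed sample in a simplified BIND-style query-log format.
# Not real captured data; client addresses are invented.
SAMPLE_LOG = """\
12-Aug-2025 09:14:02.117 client 10.0.7.21#53122: query: api.gmslb.net IN A + (10.0.0.2)
12-Aug-2025 09:14:05.443 client 10.0.7.21#53123: query: www.example.org IN AAAA + (10.0.0.2)
12-Aug-2025 09:15:11.008 client 10.0.9.140#40211: query: NINJATECH.IO IN A + (10.0.0.2)
12-Aug-2025 09:15:12.990 client 10.0.9.140#40212: query: notgmslb.net IN A + (10.0.0.2)
12-Aug-2025 09:16:30.301 client 10.0.7.21#53124: query: cdn.gmslb.net. IN TXT + (10.0.0.2)
"""

LINE_RE = re.compile(
    r"client (?P<src>[\d.]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)


def normalize(qname):
    """Lower-case the name and strip a trailing root dot so matching is exact."""
    return qname.rstrip(".").lower()


def is_watched(qname):
    """True if qname is a watched domain or a subdomain of one.

    Suffix matching must respect label boundaries: 'notgmslb.net' is not
    a subdomain of 'gmslb.net', but 'api.gmslb.net' is.
    """
    name = normalize(qname)
    return any(name == d or name.endswith("." + d) for d in WATCHLIST)


def find_proxy_queries(log_text):
    """Scan query-log text for watched domains.

    Returns (hits, per_client): hits is a list of (src, qname, qtype)
    tuples in log order; per_client counts hits per source address so the
    noisiest internal hosts can be triaged first.
    """
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # unrelated log line or unparseable entry
        if is_watched(m.group("qname")):
            hits.append((m.group("src"), normalize(m.group("qname")), m.group("qtype")))
    return hits, Counter(src for src, _, _ in hits)


if __name__ == "__main__":
    hits, per_client = find_proxy_queries(SAMPLE_LOG)
    for src, qname, qtype in hits:
        print(f"{src} -> {qname} ({qtype})")
    print(dict(per_client))
```

On the constructed sample this flags three queries from two clients: api.gmslb.net and cdn.gmslb.net from 10.0.7.21 and ninjatech.io from 10.0.9.140, while www.example.org and the look-alike notgmslb.net pass. Feeding a resolver’s real query log through `find_proxy_queries` gives the list of internal hosts to inspect for bundled proxy SDKs.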
As the debate over accountability continues, the connection between Popa and NetNut underscores the growing risks of unregulated proxy networks. For users, the lesson is clear: even everyday devices like smart TVs may be unknowingly contributing to large-scale cyber operations.
The Role of Residential Proxies in AI Training
Residential proxies have become critical infrastructure for AI training, as companies seek to scrape vast amounts of web content. Include Security’s report noted that AI platforms rely on proxies to bypass bot-management defenses such as Cloudflare’s, since requests from residential IP addresses are far harder to block than those from a datacenter range, enabling continuous data collection. This has led to over 70 lawsuits against tech firms for copyright violations.
Corporate and Government Exposure
Infoblox’s findings reveal the extent of residential proxy usage in corporate environments. Over 65% of its customer base queried proxy-related domains, with pharmaceutical, food & beverage, and government sectors particularly affected. Researchers warned that this exposure could lead to legal liability if proxies are used in cyberattacks.
Regulatory and Industry Responses
While companies like Amazon and Roku have banned proxy-related apps, others, including LG and Samsung, have not. Spur’s research highlighted the need for stricter app store policies, citing the prevalence of proxy SDKs in smart TV ecosystems.
The Broader Cybersecurity Implications
The Popa botnet’s integration with AI and data scraping underscores the evolving threat landscape. As residential proxies become more embedded in everyday technology, ensuring user consent and transparency remains a critical challenge for regulators and tech firms alike.
