A four-year-old Android botnet called Popa has infected millions of consumer TV boxes to redirect internet traffic for advertising fraud, account takeovers, and data scraping. Security researchers from multiple firms this week attributed the botnet to NetNut, a residential proxy service operated by Alarum Technologies Ltd, a publicly traded Israeli company listed on NASDAQ under the ticker ALAR.
Residential proxies mask user identity by routing traffic through real residential IP addresses rather than datacenter servers, making them attractive for both legitimate privacy use cases and illegal activity. NetNut's connection to Popa represents a significant convergence of botnet infrastructure and commercial proxy services. The botnet leverages compromised TV boxes to create a distributed proxy network without device owners' knowledge or consent.
The scale of Popa's operation underscores risks facing consumer IoT devices. TV boxes typically receive infrequent security updates and run older Android versions vulnerable to exploitation. Once compromised, these devices become persistent nodes in a proxy network, their bandwidth hijacked for fraudulent activity.
Advertising fraud represents the primary abuse vector. Attackers use Popa-controlled IPs to generate fake ad impressions, inflating traffic metrics and stealing advertising budgets from legitimate publishers. Account takeover attacks exploit residential IPs to evade geographic restrictions and login anomaly detection. Data scraping operations harvest competitor information, pricing data, and user credentials at scale.
Alarum Technologies' public listing adds complexity. The company faces potential regulatory scrutiny, shareholder liability concerns, and reputational damage. Israeli securities regulators and U.S. law enforcement may investigate whether company leadership knew about Popa's exploitation of NetNut infrastructure or profited from botnet-generated traffic.
Organizations relying on IP-based security controls should audit traffic from residential proxy ranges. ISPs can implement network-level detection for TV box compromise
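
One way to run the audit of residential proxy ranges recommended above, as an added example that is not part of the original article. It assumes a four-field authentication log and a proxy range feed, both constructed here; the ranges are RFC 5737 documentation addresses, not real proxy ranges.

```python
import ipaddress
from collections import defaultdict

# Constructed stand-in for a residential-proxy range feed (assumption: real
# ranges come from your own intel source). These are RFC 5737 documentation nets.
PROXY_RANGES = ["198.51.100.0/24", "203.0.113.64/26"]

# Constructed auth log: timestamp, account, source IP, outcome.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z alice 192.0.2.10 success
2024-05-01T10:00:05Z bob 198.51.100.7 fail
2024-05-01T10:00:09Z carol 198.51.100.7 fail
2024-05-01T10:00:12Z dave 198.51.100.7 success
2024-05-01T10:01:30Z alice 203.0.113.70 success
2024-05-01T10:02:00Z erin 203.0.113.200 success
malformed entry here
"""

def audit_logins(log_text, ranges, fanout_threshold=3):
    """Flag logins from proxy ranges and proxy IPs that touch many accounts."""
    nets = [ipaddress.ip_network(r) for r in ranges]
    hits, accounts_by_ip = [], defaultdict(set)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines instead of aborting the audit
        ts, account, ip_text, outcome = parts
        try:
            ip = ipaddress.ip_address(ip_text)
        except ValueError:
            continue  # source field is not an IP address
        if not any(ip in net for net in nets):
            continue
        hits.append((ts, account, ip_text, outcome))
        accounts_by_ip[ip_text].add(account)
    # One proxy exit IP trying several accounts is a credential-stuffing signal.
    fanout = {ip: sorted(accts) for ip, accts in accounts_by_ip.items()
              if len(accts) >= fanout_threshold}
    # Successful logins through a proxy range are the accounts to review first.
    review = sorted({acct for _, acct, _, outcome in hits if outcome == "success"})
    return {"hits": hits, "fanout_ips": fanout, "review_accounts": review}

if __name__ == "__main__":
    report = audit_logins(SAMPLE_LOG, PROXY_RANGES)
    print("logins from proxy ranges:", len(report["hits"]))
    print("IPs touching many accounts:", report["fanout_ips"])
    print("accounts to review:", report["review_accounts"])
```

A match against a proxy range is a reason to review the session, not proof of compromise, since the same addresses also carry the device owner's own traffic.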
