Researchers have attributed the Popa Android botnet to NetNut, a residential proxy service operated by publicly-traded Israeli firm Alarum Technologies. The botnet has infected millions of consumer TV boxes over four years, forcing them to relay traffic for advertising fraud, account takeovers, and large-scale data scraping.
Residential proxies mask user identity by routing traffic through legitimate consumer devices. NetNut markets this service to enterprises and marketing agencies. Security researchers from multiple firms connected Popa infrastructure directly to NetNut operations through shared command-and-control servers, IP allocations, and billing patterns.
The Popa botnet primarily targets Android-based set-top boxes and streaming devices. Once infected, these devices become part of a proxy network without user knowledge. Attackers leverage the botnet to conduct credential stuffing attacks, scrape competitor pricing data, execute ad fraud schemes, and circumvent geographic restrictions on content.
The scope reaches millions of devices. Each compromised TV box operates under the appearance of legitimate consumer traffic, making detection and blocking difficult for security teams. Advertisers pay for fake impressions routed through real residential IPs. E-commerce sites face inventory scraping and price manipulation. Users experience account breaches as attackers test stolen credentials through the proxy network.
Alarum Technologies faces potential regulatory scrutiny. The company operates as a publicly-traded entity under NASDAQ ticker ALAR. Residential proxy services occupy a gray legal zone. While legitimate uses exist for security testing and market research, knowingly operating botnets violates computer fraud laws in most jurisdictions. The direct connection between Popa and NetNut suggests deliberate infrastructure integration rather than accidental compromise.
Organizations using residential proxies face reputational and legal risk if traffic routes through botnet infrastructure. Companies should audit proxy providers for security practices and verify device consent mechanisms. Individuals who own compromised