SoylentNews is people
SoylentNews
Submission Preview
‘Popa’ Botnet Linked to Publicly-Traded Israeli Firm
'Popa' Botnet Linked to Publicly-Traded Israeli Firm [krebsonsecurity.com]:
For the past four years, a sprawling Android-based botnet called Popa has forced millions of consumer TV boxes to relay Internet traffic linked to advertising fraud, account takeovers, and mass data-scraping efforts. This week, researchers from multiple security firms concluded that the Popa botnet is linked to NetNut, a "residential proxy" provider operated by the publicly-traded Israeli firm Alarum Technologies Ltd [NASDAQ: ALAR].
Popa is a massive botnet, but by all accounts it is unlike traditional botnets that enlist compromised systems in destructive activities, such as coordinating huge distributed denial-of-service attacks. Rather, Popa appears designed with a singular purpose: Implementing a persistent communications layer capable of registering a device, maintaining long-lived encrypted connections, and opening communication tunnels on demand.
Experts say Popa is a plugin component associated with the Vo1d botnet, a large-scale malware campaign targeting unofficial Android-based TV boxes. These devices, which are marketed under thousands of brand names and model numbers and broadly available for purchase at top e-commerce destinations, all advertise the ability to stream hundreds of subscription video services for an up front one-time fee.
But as the FBI and security industry experts have warned repeatedly, these streaming boxes typically bundle or come pre-installed with software [krebsonsecurity.com] that turns the user's TV into a "residential proxy [synthient.com]" — allowing anyone to route their Internet traffic through that device for as long as it remains plugged into a wall socket and connected to a local network. More concerning, some of these proxy networks do little to stop malicious customers from communicating with and even compromising systems on the local network of the unsuspecting device owner.
[...] Ninjatech is a company founded by Moishi Kramer, whose LinkedIn profile [linkedin.com] says he is vice president of research and development at NetNut. That resume credits Kramer for helping NetNut to build from the "ground up," "designing the architecture," and "scaling the NetNut" before the company was acquired by Alarum Technologies. A self-created listing at the job board F6S references Kramer [f6s.com] as the sole owner of the Ninjatech domain (a screen capture of it is pictured below).
[...] "I didn't register the June 2025 domains you mention, and I don't know who did," he continued. "I have no control over, or visibility into, that infrastructure. I can only tell you it isn't operated by me or by NetNut."
But in a separate Popa research report [synthient.com] released today, the proxy-tracking company Synthient said a recent analysis of the Popa SDK revealed outbound traffic clearly associated with NetNut.
"The research team assesses with high confidence that devices running Popa forward traffic from Netnut clients," Synthient wrote. "This proves without a shadow of a doubt that Popa actively continues to be used by NetNut as part of their proxy pool."
Alarum Technologies, NetNut's Tel Aviv-based parent company, said the reports by Synthient and Qurium contained "demonstrably inaccurate assertions and flawed deductions rather than verified facts." Alarum shared a statement saying they reject the basic characterization of the SDKs and technologies discussed in the reports as a "botnet."
"The SDKs at issue are designed to facilitate bandwidth-sharing functionality and do not transform user devices into malware-controlled systems or otherwise compromise the devices on which they operate," the statement reads. "Netnut operates a commercial proxy network and maintains policies, procedures, and technological measures designed to promote lawful and responsible use of its services."
Alarum said NetNut places "significant emphasis on appropriate notice and consent mechanisms, conducts customer due diligence, monitors for potential misuse, and takes steps intended to detect and mitigate suspicious or unauthorized activity."
[...] "What especially makes Popa dangerous is just how widely used NetNut is for reselling and sharing," Formosa said, explaining that many other proxy services simply resell NetNut proxies rather than building out their own far-flung proxy networks. "So these Popa IPs appear in tons of different services all over the ecosystem, which makes it one of the most problematic and dangerous proxy botnets on the market currently."
Formosa said the Popa botnet averages between 1.5 million to 2.5 million distinct IP addresses each day, relying on between 250 and 300 Internet addresses that are used to direct its activities.
"That's why Popa is so dangerous," Formosa said. "It may not be the largest botnet we have seen, but it is spread all over the industry, making its power very amplified."
[...] Experts say many of the world's largest proxy providers have updated their public-facing branding to highlight their utility for training AI platforms, implying it is a primary use case for their residential proxies. That's because AI services tend to rely on constantly mass-scraping the Internet for new text, images and video content that can be used to train large language models (LLMs).
[...] Even households without these sketchy TV boxes can still have their smart TVs turned into residential proxy nodes, just by downloading one of thousands of apps made available on Samsung and LG smart TVs. Spur said it recently scraped the LG and Samsung app stores and found that each had approximately 3,000 apps available for download. Many of these apps are simple games or utilities that state in the fine print that the user's Internet connection will be used to download data and that they can opt out at any time.
Spur said it found that more than 42 percent of apps available for download via the webOS operating system on LG smart TVs include SDKs that turn one's television into an always-on residential proxy node. More than a quarter of the apps made for Samsung's Tizen operating system had similar residential proxy components, Spur found.
[...] Experts say it's questionable whether TV apps with proxy SDKs can obtain meaningful consent from users for installing an always-on proxy connection, particularly when anyone in a household — including children — can effectively opt the family TV into a residential proxy network just by installing a simple game or app.
"Privacy-policy disclosure is the wrong control surface for a TV," Include Security wrote. "It is hard to scroll through a legal document navigated by arrow keys on a remote, and the in-app consent dialog doesn't convey that a paying customer is about to route their scraping traffic through the user's home internet."
Spur's head of research Sean Simmons told KrebsOnSecurity that most people do not have a working mental model for what it means to sell access to their residential IP address, no matter what device they are using.
"And on a TV, the gap is even wider," Simmons said. "A one-time prompt navigated with a remote can disappear into the setup flow, while the app keeps monetizing the connection long after anyone remembers what they accepted."
Apps that turn one's device into a residential proxy node are not limited to smart TVs and no-name streaming boxes, of course. As noted by the security firm Infoblox, mobile app developers can embed SDKs provided by the residential proxy networks into their products to monetize their software, allowing them to receive a small amount of money on each installation.
The result, Infoblox said, is that devices are frequently enrolled without the owner's knowledge, typically through free applications such as VPNs, streaming apps, screensavers and "productivity" apps such as PDF viewers and break reminders.
All too often, these proxy services are beaconing out from employee devices brought into the workplace, Infoblox found. In a blog post earlier this month, Infoblox said it discovered that fully 65% of its customer base was querying one or more residential proxy related domains.
[...] "If threat actors were to abuse the residential proxy to attack a third party, the third party's incident response would, correctly, identify your residential proxy as the source," they wrote. "Untangling that, by proving that you were the conduit and not the threat actor, costs time, creates legal exposure, and can damage your reputation. The stunning prevalence of these services within customer environments warrants attention from both network defenders and policy makers who should consider how the risks posed by residential proxies could be impacting their security posture."
