The Hidden Cost of Streaming: How "Popa" Turns Your Smart TV into a Global Proxy Botnet

the-hidden-cost-of-streaming-how-popa-turns-your-smart-tv-into-a-global-proxy-botnet

For the past four years, a sprawling, sophisticated Android-based botnet known as Popa has been operating in the shadows, quietly co-opting millions of consumer TV boxes. These devices, often purchased for their ability to stream pirated content with a one-time fee, serve a dual purpose for their operators: they act as gateways for advertising fraud, account takeovers, and massive, automated data-scraping campaigns.

This week, a coalition of cybersecurity researchers from firms including Qurium, Synthient, and Black Lotus Labs identified a direct link between the Popa botnet and NetNut, a residential proxy provider operated by the publicly traded Israeli firm Alarum Technologies Ltd [NASDAQ: ALAR]. The discovery sheds light on a dark corner of the digital economy where the line between "bandwidth sharing" and malicious botnet activity has become dangerously blurred.

The Mechanics of the Popa Botnet

Unlike traditional botnets—which are often designed for destructive ends like distributed denial-of-service (DDoS) attacks—Popa is engineered for utility. Its architecture is purpose-built to maintain a persistent, encrypted communication tunnel between the victim’s device and the botnet controller.

When an unsuspecting user plugs in a compromised Android TV box, the device effectively becomes a "residential proxy node." This allows third-party clients to route their Internet traffic through the user’s home network. Because the traffic originates from a residential IP address rather than a known data center, it often bypasses the security filters and rate-limiting protocols used by major websites to block malicious activity.

Experts believe Popa acts as a plugin component for the Vo1d botnet, a larger malware campaign specifically targeting unofficial, white-label Android streaming devices. These boxes, marketed under thousands of disparate brand names, are widely available on global e-commerce platforms. The promise of "free TV" for a flat, upfront fee acts as the perfect lure for consumers, who remain largely unaware that their home network is being weaponized.

‘Popa’ Botnet Linked to Publicly-Traded Israeli Firm

A Chronology of Discovery and Disruption

The digital footprint of the Popa botnet is extensive. The first public alarms were sounded in a 2025 report by the Chinese security firm XLAB, which identified at least nine domain names used to command and control the infected devices.

In May 2026, the security firm Qurium stumbled upon these same domains while investigating a surge of aggressive data-scraping events. The scraping, which hit organizations hosted by Qurium, was distributed with surgical precision across more than 1.4 million unique Internet addresses. Qurium’s investigation revealed that the controllers—including domains like gmslb[.]net, safernetwork[.]io, and ninjatech[.]io—were hardcoded into dozens of popular, modded streaming applications such as DooFlix, CyberFlix, and Rapid Streamz.

The narrative of the botnet took a turn in July 2025, when Google, HUMAN Security, and Trend Micro successfully seized the infrastructure of Badbox 2.0, a botnet closely associated with Vo1d. While many of the original command-and-control domains were dismantled during this operation, the botnet proved resilient. Within days, new controllers were registered—most notably, the reuse of ninjatech[.]io.

The "Ninjatech" Connection

The involvement of ninjatech[.]io has drawn scrutiny to Moishi Kramer, a figure central to the proxy industry. LinkedIn records identify Kramer as the Vice President of R&D at NetNut, a role he stepped into after, by his own account, helping build the company from the ground up.

When contacted, Kramer confirmed he was the founder of Ninjatech but insisted the company had ceased operations approximately five years ago. He claimed that Ninjatech sold a software development kit (SDK) called Popa that was designed for legitimate, consent-based bandwidth sharing.

‘Popa’ Botnet Linked to Publicly-Traded Israeli Firm

"That code was sold and licensed to third parties including resellers years ago," Kramer stated in an email. "Once software is distributed that way, the original developer has no control over how others later modify, rebrand, or deploy it." Kramer explicitly denied any current involvement with the infrastructure, stating, "I didn’t register the June 2025 domains you mention, and I don’t know who did."

However, this assertion is directly challenged by recent findings. Synthient, a proxy-tracking firm, published a report simultaneously with the Qurium findings, asserting that traffic analysis of the Popa SDK shows clear, unmistakable patterns associated with NetNut’s network. "The research team assesses with high confidence that devices running Popa forward traffic from NetNut clients," the report stated. "This proves without a shadow of a doubt that Popa actively continues to be used by NetNut as part of their proxy pool."

Official Responses: "Flawed Deductions" vs. Verified Reality

Alarum Technologies, the parent company of NetNut, has categorically rejected the findings. In a formal statement, the company described the reports as containing "demonstrably inaccurate assertions and flawed deductions rather than verified facts."

Alarum asserts that their SDKs are designed purely for commercial bandwidth sharing and that they maintain rigorous "Know Your Customer" (KYC) procedures. "NetNut operates a commercial proxy network and maintains policies, procedures, and technological measures designed to promote lawful and responsible use of its services," the statement read.

This defense, however, is met with skepticism by industry observers. Spur, a firm specializing in tracking proxy networks, released a report on June 8 alleging that NetNut’s "verified corporations only" marketing claim is little more than a veneer. According to Spur, proxy access can be purchased by anyone with a burner email and a small amount of cryptocurrency, often through downstream resellers who perform zero due diligence.

‘Popa’ Botnet Linked to Publicly-Traded Israeli Firm

The AI Scraping Economy: A Symbiotic Relationship

The surge in Popa’s activity is largely driven by the explosive growth of the Artificial Intelligence (AI) sector. Modern AI models require vast datasets for training, and "scraping" the open web has become a multi-billion-dollar industry.

However, as major platforms like Cloudflare and DataDome implement robust defenses against cloud-based crawlers, AI firms have turned to residential proxies to mask their activity. By routing their traffic through a home user’s IP address, they appear as a legitimate, local visitor, successfully bypassing rate limits and blocking mechanisms.

This has created a massive, unintended consequence for the academic and non-profit sectors. Organizations like the Directory of Open Access Journals (DOAJ) have reported service disruptions as aggressive bots—fueled by residential proxy networks—siphon data at rates that cripple their ability to serve legitimate researchers. As noted by the Confederation of Open Access Repositories (COAR), this is not just a technical nuisance; it is a fundamental threat to the stability of scholarly communication infrastructure.

The Ubiquity of Proxy SDKs

The threat is not confined to obscure streaming boxes. The practice of embedding proxy SDKs into consumer electronics has reached a level of saturation that many security experts find alarming.

A recent audit of the LG and Samsung smart TV app stores by Spur revealed that nearly 42% of apps available on LG’s webOS and over 25% of apps for Samsung’s Tizen OS contain components that turn the television into an always-on residential proxy node. Even if a user does not purchase a "sketchy" streaming box, their high-end, name-brand television could still be silently participating in the same botnet economy.

‘Popa’ Botnet Linked to Publicly-Traded Israeli Firm

The issue of "informed consent" remains the central failure point. "Privacy-policy disclosure is the wrong control surface for a TV," noted Include Security. Navigating complex, legalistic jargon via a remote control is an exercise in futility, and the vast majority of users are never aware that by downloading a simple screensaver or game, they have granted the app developer permission to lease their home internet connection to the highest bidder.

Implications for Corporate and Government Security

Perhaps the most chilling revelation comes from Infoblox, which found that proxy-related domains were present in 65% of its customer environments. This includes sensitive sectors such as pharmaceuticals, banking, and government agencies.

When an employee brings a compromised device—whether a smartphone, a tablet, or a smart TV—into a corporate environment, they inadvertently grant external actors a bridge into the organization’s network. If that proxy is used to launch an attack on a third party, the target’s incident response will inevitably point back to the organization’s IP address.

"Untangling that, by proving that you were the conduit and not the threat actor, costs time, creates legal exposure, and can damage your reputation," warn researchers Nick Sundvall and David Brunsdon.

As the digital landscape becomes increasingly cluttered with these "always-on" nodes, the responsibility for security is shifting. Network defenders are calling for stricter policies from hardware manufacturers like LG and Samsung, urging them to follow the lead of Roku and Amazon, which have taken steps to ban proxy SDKs from their ecosystems. Until then, the Popa botnet and its kin will continue to thrive, silently monetizing the bandwidth of millions of unsuspecting households.