Researchers Tie ‘Popa’ Android Botnet to NetNut Proxy Network, Company Disputes Claims
Security researchers say a long-running Android botnet known as Popa may be connected to NetNut, a residential proxy service operated by publicly traded Israeli company Alarum Technologies Ltd. The fi...
Security researchers say a long-running Android botnet known as Popa may be connected to NetNut, a residential proxy service operated by publicly traded Israeli company Alarum Technologies Ltd. The findings come from separate reports by Qurium and Synthient, both of which examined infrastructure associated with the malware campaign.
According to the researchers, Popa has spent years turning consumer streaming boxes into nodes that relay internet traffic for activities ranging from advertising fraud to account abuse and large-scale scraping. The infected devices appear to be part of a wider malware ecosystem tied to Vo1d, a campaign that targets unofficial Android-based TV boxes sold under many names online.
How the network works
Researchers describe Popa as a component that helps compromised devices maintain encrypted connections and accept commands over time. Rather than behaving like a destructive botnet, the malware is said to support a persistent communications layer that can be used to register devices and open tunnels when needed.
Qurium said it identified multiple control domains linked to the operation, including domains that were hosted across different IP addresses over time. Some of those domains appeared in pirated or modified streaming apps, according to the report.
The researchers also noted that many of the earlier domains used in the campaign were disrupted in July 2025 during broader takedowns involving Google, HUMAN Security and Trend Micro. After that action, new domains were registered, but one domain of interest, ninjatech.io, was already associated with a company founded by Moishi Kramer.
Company response and dispute
Kramer, who is listed on LinkedIn as vice president of research and development at NetNut, said his former software development kit was sold and licensed years ago and that neither he nor NetNut operates the infrastructure now being described as Popa. He said he has no control over the relevant domains and was not involved in registering recent ones.
Alarum Technologies rejected the reports as inaccurate and said its proxy products are meant for lawful bandwidth-sharing use. The company said it applies customer vetting, consent mechanisms and technical controls intended to limit abuse.
That position is contested by other proxy researchers. In a separate report, Spur said NetNut does not impose meaningful corporate verification before selling proxy access and argued that resellers can repack the same proxy pool under different brands.
The conflicting accounts highlight ongoing scrutiny of residential proxy services, especially when consumer devices are used to carry commercial traffic without clear user awareness or consent.
