A large-scale Android botnet called Popa has spent at least four years silently enrolling consumer TV boxes into a residential proxy network used for advertising fraud, account takeovers, and large-scale data scraping. This week, researchers at proxy-tracking firm Synthient and media-freedom organization Qurium independently published findings linking Popa’s infrastructure to NetNut, a residential proxy provider owned by the publicly traded Israeli company Alarum Technologies (NASDAQ: ALAR).

What Popa Does

Unlike botnets built for destructive ends such as distributed denial-of-service attacks, Popa is engineered for one purpose: creating a persistent, encrypted communications layer on infected devices. Security experts describe it as a plugin component of the broader Vo1d malware campaign, which targets unofficial Android TV boxes sold under thousands of brand names across major e-commerce platforms. These devices typically promise unlimited access to subscription streaming services for a one-time fee, but often arrive pre-installed with software that turns the buyer’s home IP address into a rentable proxy node.

Researchers note that some of these proxy networks offer little protection against malicious customers who may try to use a proxy node to reach other systems on the unwitting device owner's local network.

How Researchers Connected Popa to NetNut

Early infrastructure clues appeared in a 2025 report by Chinese security firm XLAB, which identified at least nine domains used to register and coordinate compromised Popa devices. Qurium followed that thread in May 2026 after its hosted organizations were targeted by a scraping campaign distributed across more than 1.4 million IP addresses. Qurium identified several dozen Popa command-and-control domains, many of them hosted in parallel at various points in time, including gmslb[.]net, safernetwork[.]io, tera-home[.]com, and ninjatech[.]io.

The gmslb[.]net domain appeared embedded in numerous pirated and modified streaming applications such as CRICFy, DooFlix, Sprozfy, RTS Tv, Flixoid, CyberFlix, Rapid Streamz, TvMob, and HD/OceanStreams.
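The domains named above are the kind of indicator a home or enterprise defender would search for in resolver logs to find a TV box that has been enrolled in the proxy network. As an added example (not code from the article, Qurium, Synthient, or XLAB), the following Python script refangs the listed domains and flags DNS queries for them or for any of their subdomains, while ignoring look-alike names. The log line format and the sample lines are constructed for illustration; adapt parse_dns_line() to whatever router, Pi-hole, or resolver log you actually have.

```python
"""Added example: scan DNS query logs for lookups of the Popa command-and-
control domains reported in the article. Not code from the article or the
researchers; the log format and sample lines are constructed.
"""
import re
from typing import Dict, Iterable, List, NamedTuple, Optional, Set, Tuple

# Defanged indicators exactly as the article reports them.
POPA_C2_DEFANGED = [
    "gmslb[.]net",
    "safernetwork[.]io",
    "tera-home[.]com",
    "ninjatech[.]io",
]


def refang(domain: str) -> str:
    """Turn a defanged indicator such as 'gmslb[.]net' back into 'gmslb.net'."""
    return domain.replace("[.]", ".").strip().lower().rstrip(".")


POPA_C2_DOMAINS = frozenset(refang(d) for d in POPA_C2_DEFANGED)


def matches_indicator(qname: str, indicators=POPA_C2_DOMAINS) -> Optional[str]:
    """Return the matching indicator if qname is that domain or a subdomain of it.

    Suffix matching is done on label boundaries so that 'notgmslb.net' is not
    a false positive while 'api.gmslb.net' is a hit.
    """
    name = qname.strip().lower().rstrip(".")
    for ioc in indicators:
        if name == ioc or name.endswith("." + ioc):
            return ioc
    return None


class DnsHit(NamedTuple):
    timestamp: str
    client_ip: str
    qname: str
    indicator: str


# Constructed (hypothetical) log layout: "<timestamp> <client_ip> <qname> <qtype>".
_LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def parse_dns_line(line: str) -> Optional[Tuple[str, str, str, str]]:
    """Parse one log line into (timestamp, client_ip, qname, qtype) or None."""
    m = _LINE_RE.match(line.strip())
    if not m:
        return None
    ts, client, qname, qtype = m.groups()
    return ts, client, qname, qtype


def scan_dns_log(lines: Iterable[str], indicators=POPA_C2_DOMAINS) -> List[DnsHit]:
    """Return every query in `lines` whose name matches a Popa C2 indicator."""
    hits: List[DnsHit] = []
    for line in lines:
        parsed = parse_dns_line(line)
        if parsed is None:
            continue  # skip malformed lines rather than crash the scan
        ts, client, qname, _qtype = parsed
        ioc = matches_indicator(qname, indicators)
        if ioc:
            hits.append(DnsHit(ts, client, qname, ioc))
    return hits


# Constructed sample: one streaming box on a home LAN resolving two of the
# listed domains, plus benign traffic and look-alike names that must not match.
SAMPLE_DNS_LOG = [
    "2026-05-12T08:01:03Z 192.168.1.42 api.gmslb.net A",
    "2026-05-12T08:01:04Z 192.168.1.42 www.example.com A",
    "2026-05-12T08:01:09Z 192.168.1.42 notgmslb.net A",
    "2026-05-12T08:02:17Z 192.168.1.42 safernetwork.io A",
    "2026-05-12T08:02:18Z 192.168.1.10 ninjatech.io.example.org A",
    "malformed line",
]


def clients_to_investigate(lines=SAMPLE_DNS_LOG) -> Dict[str, Set[str]]:
    """Group hits by client IP so you can see which LAN device talks to C2."""
    by_client: Dict[str, Set[str]] = {}
    for hit in scan_dns_log(lines):
        by_client.setdefault(hit.client_ip, set()).add(hit.indicator)
    return by_client


if __name__ == "__main__":
    for hit in scan_dns_log(SAMPLE_DNS_LOG):
        print(f"{hit.timestamp} {hit.client_ip} -> {hit.qname} (matches {hit.indicator})")
```

On the constructed sample, only the two queries from 192.168.1.42 are flagged; the look-alike names notgmslb.net and ninjatech.io.example.org are deliberately left unmatched because the check only fires on exact matches or on real subdomains of an indicator. In practice the domain list should be refreshed from current reporting, since the article notes that new control domains were registered almost immediately after the July 2025 takedowns.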

Most of the original Popa control domains were seized or taken down in July 2025 as part of a coordinated disruption of the Badbox 2.0 botnet by Google, HUMAN Security, and Trend Micro. Qurium noted that new control domains were registered almost immediately afterward, and that one domain, ninjatech[.]io, was not new. Public records and a job-board listing traced Ninjatech to Moishi Kramer, identified on LinkedIn as vice president of research and development at NetNut, where he is credited with helping build the company’s architecture from the ground up before its acquisition by Alarum Technologies.

Competing Claims on Active Use

Kramer, responding by email, said Ninjatech ceased operations roughly five years ago and that the Popa SDK was originally designed to use a small slice of device bandwidth only after the host application obtained user consent. He stated the code was sold and licensed to third parties and that neither he nor NetNut currently operates the described infrastructure.

Synthient disputes that account. After analyzing the Popa SDK, Synthient said outbound traffic from infected devices was clearly associated with NetNut clients. The firm stated it assesses with high confidence that devices running Popa actively forward traffic from NetNut’s proxy pool.

Alarum Technologies rejected the characterizations in both the Qurium and Synthient reports, calling them demonstrably inaccurate. The company said its SDKs facilitate bandwidth sharing and do not transform devices into malware-controlled systems, and that NetNut operates a commercial proxy network with established policies and procedures.

Broader Risk Context

The Popa case illustrates a recurring tension in the residential proxy industry: the line between a legitimate bandwidth-sharing SDK and botnet infrastructure can be difficult to draw when software is relicensed or redistributed without oversight. The FBI and security researchers have warned repeatedly that low-cost Android streaming devices frequently bundle software that monetizes users’ home IP addresses without meaningful disclosure, and that the proxy traffic generated can enable serious downstream abuse.