Security researchers at Qurium, Synthient, Lumen’s Black Lotus Labs and Nokia Deepfield say an Android proxy operation known as Popa has been routing traffic through consumer devices at large scale, including cheap streaming boxes and smart TV apps. Their reports connect the activity to NetNut, a residential proxy service owned by Tel Aviv-based Alarum Technologies, a publicly traded Israeli company.
The finding matters for users because the device on the shelf may be selling access to the household internet connection. Residential proxy networks let customers send web requests through home IP addresses, which can help bypass anti-bot defenses used by websites. Researchers cited in the reports link that traffic to advertising fraud, account takeovers, bulk scraping and other activity that looks, to the target, as if it came from the subscriber’s home.
Popa is described as a component associated with Vo1d, a malware campaign aimed at unofficial Android TV boxes. The devices are commonly sold under many names and marketed as one-time purchases for access to streaming services. The FBI and security companies have previously warned that such boxes can ship with or download software that enrolls them in proxy networks.
How researchers connected the dots
XLAB, a Chinese security company, reported in 2025 that several domains were used to register and manage compromised devices. Qurium said it later found overlapping domains while investigating scraping attacks in May 2026 that were distributed across more than 1.4 million internet addresses.
Qurium identified control domains including gmslb.net, safernetwork.io, tera-home.com and ninjatech.io. It said gmslb.net appeared inside pirated or modified streaming apps including CRICFy, DooFlix, Sprozfy, RTS Tv, Flixoid, CyberFlix, Rapid Streamz, TvMob and HD/OceanStreams.
Qurium said many Popa domains were taken down or seized in July 2025 after Google, HUMAN Security and Trend Micro acted against Badbox 2.0, another Android TV botnet tied to Vo1d. After that disruption, Qurium said, new controller domains appeared, while ninjatech.io remained notable because Ninjatech was founded by Moishi Kramer, now listed on LinkedIn as vice president of research and development at NetNut.
Kramer told KrebsOnSecurity by email that Ninjatech stopped operating about five years ago and had sold a software development kit called Popa that was meant to use a small share of bandwidth only after user consent. He said third parties, including resellers, later had the code, and that neither he nor NetNut operates the infrastructure now being described as Popa.
Synthient reached a different conclusion. The proxy-tracking company said its analysis of recent Popa code found outbound traffic associated with NetNut and assessed with high confidence that devices running Popa forward traffic for NetNut clients.
Alarum rejects the reports
Alarum said the Qurium and Synthient reports contain inaccurate claims and flawed reasoning. The company rejected calling the SDKs and related technology a botnet, saying they provide bandwidth-sharing functionality rather than malware control. Alarum also said NetNut uses notice and consent mechanisms, customer due diligence, monitoring and technical controls to limit misuse.
Spur, another proxy-tracking service, challenged that picture in a June 8 report. Spur said NetNut does not require meaningful corporate verification before selling proxy access and that resellers can offer access to the same pool with even less scrutiny. Synthient also said that although newer Popa builds added a consent prompt, it did not observe consent requests across more than 20 genuine Popa publishers it analyzed.
Black Lotus Labs researcher Chris Formosa told KrebsOnSecurity that Popa averages 1.5 million to 2.5 million distinct IP addresses per day and uses roughly 250 to 300 addresses to coordinate activity. Nokia Deepfield researcher Jérôme Meyer said Nokia is watching 26 of at least 359 known relay nodes and saw 750,000 unique sources over 24 hours in that subset.
The broader proxy problem is no longer confined to gray-market streaming boxes. Spur said more than 42 percent of LG webOS apps it reviewed and more than a quarter of Samsung Tizen apps contained residential proxy components. Infoblox separately reported that 65 percent of its customer base queried at least one residential-proxy-related domain, creating a corporate risk when employee devices bring those connections into work networks.
This story draws on original reporting from Krebs on Security.