In a decisive move against cybercrime, Google has significantly disrupted the NetNut proxy network, which covertly transforms household devices into conduits for external internet traffic. Collaborating with the FBI, Lumen, and other partners, Google’s Threat Intelligence Group (GTIG) announced this week that it has drastically reduced the number of active devices within this network, which is estimated to comprise millions of devices.
Understanding the NetNut Network
NetNut, also referred to as Popa, is identified as a vast collection of residential devices globally, including smart TVs and streaming gadgets. GTIG estimates that at least 2 million devices were part of this network, serving as gateways for external traffic. This setup allows outsiders to mask their online activities as legitimate home internet usage, thus avoiding detection by security systems.
These devices become ‘exit nodes’ when operators deploy their software onto them. The software is often pre-installed on budget hardware or acquired through seemingly benign applications. Once operational, these nodes permit external traffic to pass through a home’s internet infrastructure, potentially exposing other devices to security threats. Such networks have historically been integrated into larger botnets like Mirai and Badbox 2.0.
Corporate Connections and Controversies
Unlike many proxy botnets, NetNut is linked to a publicly traded entity, Alarum Technologies (NASDAQ: ALAR). Recent research by Qurium, Synthient, Nokia Deepfield, and Spur has connected NetNut to its commercial operations. In testing, Synthient demonstrated that traffic routed through NetNut’s systems emerged from a device enrolled in Popa, aligning with Google’s findings that NetNut and Popa are interconnected.
Alarum Technologies disputes the characterization of NetNut as a botnet, arguing that its software is intended for consensual bandwidth sharing. However, researchers found no evidence that the numerous applications they analyzed sought user consent.
Challenges in Network Disruption
Disabling NetNut entirely is complex, given its structure. The network’s reseller model allows various companies to market its services under different brand names, complicating efforts to target it as a single entity. Google emphasizes that this operation is a degradation, not a complete takedown, because previous efforts against similar networks, like IPIDEA, showed how adaptable and resilient such networks are.
For consumers, vigilance is key. Avoiding applications that offer compensation for bandwidth sharing can prevent inadvertent participation in such networks. Consumers are encouraged to download apps from reputable sources and use hardware from well-known manufacturers to safeguard their devices from being co-opted.
As Google and its partners continue their efforts, the enduring challenge will be monitoring how NetNut’s operations might re-emerge under new identities, which calls for ongoing vigilance and collaborative cybersecurity initiatives.
