In a significant cybersecurity operation, Google has collaborated with the FBI, Lumen Technologies, and other partners to dismantle the NetNut residential proxy network. This network, also known as “Popa,” is believed to have compromised at least two million home devices globally.
Google’s Measures Against NetNut
Google has taken decisive action by disabling Google accounts and services that were exploited by NetNut for malware command-and-control activities, which breached Google’s Terms of Service. In addition, Google shared crucial technical intelligence on NetNut’s software development kits (SDKs) and command-and-control infrastructure with law enforcement and other technology providers to bolster enforcement efforts across the ecosystem.
Further measures included updating Google Play Protect to automatically warn users and disable apps containing NetNut SDKs, thus enhancing security against future threats on Android devices. This move follows Google’s previous efforts in January 2026 to disrupt the IPIDEA proxy network, underscoring a continued commitment to tackling malicious proxy operators.
Investigative Findings on NetNut Operations
Independent investigations by KrebsOnSecurity have directly linked the Popa botnet to NetNut, a subsidiary of the Israeli firm Alarum Technologies Ltd. The Popa botnet functions within the larger Vo1d botnet, specifically targeting unofficial Android-based TV boxes with pirated apps. Qurium, a security firm, traced the control infrastructure of Popa to domains connected to a former NetNut executive, although he denies current involvement.
Analysis by proxy-tracking firm Synthient revealed that outbound traffic from Popa’s SDKs ties conclusively to NetNut clients. Although Alarum Technologies contests the botnet label, proxy-tracking service Spur highlighted a lack of robust corporate verification within NetNut’s operations, which allows proxy access to be procured easily.
Broader Implications and Industry Response
According to Lumen’s Black Lotus Labs, the Popa botnet utilizes around 1.5 to 2.5 million IP addresses daily, managed by approximately 250-300 controller domains. This makes it one of the most widely resold proxy networks in cybercrime. Nokia Deepfield researchers suggest that the actual number of devices involved could be significantly higher.
Google’s Threat Intelligence Group observed multiple threat clusters, including cybercriminal and espionage groups, utilizing NetNut’s infrastructure for malicious activities. Infiltration of devices often occurs through pre-installed malware or hidden SDKs in free apps, which poses risks to other devices on the same network.
Google advises consumers to avoid apps that offer compensation for unused bandwidth and to ensure devices are certified by Play Protect before purchase. The company emphasizes the interconnected nature of the residential proxy industry, where operators often resell capacity, and calls for continued industry collaboration to combat these threats effectively.
In conclusion, this operation marks another step in Google’s strategy to disrupt harmful proxy networks by enhancing cross-industry intelligence sharing and coordinated blocking of malicious infrastructure.
