‘#Popa’ #Botnet Linked to Publicly-Traded Israeli Firm
https://krebsonsecurity.com/2026/06/popa-botnet-linked-to-publicly-traded-israeli-firm/
"For the past four years, a sprawling Android-based botnet called Popa has forced millions of consumer TV boxes to relay Internet traffic linked to advertising fraud, account takeovers, and mass data-scraping efforts. This week, researchers from multiple security firms concluded that the Popa botnet is linked to NetNut, a “residential proxy” provider operated by the publicly-traded Israeli firm Alarum Technologies Ltd [NASDAQ: ALAR].
Malicious streaming devices sold online that enroll the user's home Internet address in a residential proxy service. Image: Synthient. Pictured are 8 different TV boxes, including the X96 Mini Box, stick, and other no-name brands.
Popa is a massive botnet, but by all accounts it is unlike traditional botnets that enlist compromised systems in destructive activities, such as coordinating huge distributed denial-of-service attacks. Rather, Popa appears designed with a singular purpose: Implementing a persistent communications layer capable of registering a device, maintaining long-lived encrypted connections, and opening communication tunnels on demand.
Experts say Popa is a plugin component associated with the Vo1d botnet, a large-scale malware campaign targeting unofficial Android-based TV boxes. These devices, which are marketed under thousands of brand names and model numbers and broadly available for purchase at top e-commerce destinations, all advertise the ability to stream hundreds of subscription video services for an up front one-time fee.
But as the FBI and security industry experts have warned repeatedly, these streaming boxes typically bundle or come pre-installed with software that turns the user’s TV into a “residential proxy” — allowing anyone to route their Internet traffic through that device..."
https://krebsonsecurity.com/2026/06/popa-botnet-linked-to-publicly-traded-israeli-firm/
‘Popa’ #Botnet Linked to Publicly-Traded #Israeli Firm
For the past four years, a sprawling Android-based botnet called #Popa has forced millions of consumer TV boxes to relay Internet traffic linked to #advertising fraud, account takeovers, and mass data-scraping efforts. This week, researchers from multiple #security firms concluded that the Popa botnet is linked to #NetNut , a “residential proxy” provider operated by the publicly-traded Israeli firm #Alarum Technologies Ltd [NASDAQ: ALAR].
https://krebsonsecurity.com/2026/06/popa-botnet-linked-to-publicly-traded-israeli-firm/
And @briankrebs tying everything together:
https://krebsonsecurity.com/2026/06/popa-botnet-linked-to-publicly-traded-israeli-firm/
New, from me: 'Popa' Botnet Linked to Publicly Traded Israeli Firm
"For the past four years, a sprawling Android-based botnet called Popa has forced millions of consumer TV boxes to relay Internet traffic linked to advertising fraud, account takeovers, and mass data-scraping efforts. This week, researchers from multiple security firms concluded that the Popa botnet is linked to NetNut, a “residential proxy” provider operated by the publicly-traded Israeli firm Alarum Technologies Ltd [NASDAQ: ALAR]."
https://krebsonsecurity.com/2026/06/popa-botnet-linked-to-publicly-traded-israeli-firm/
There is an incredible amount of interesting data and findings in the reports on Popa released this week. For example, the proxy detection service Spur told me they recently scraped the LG and Samsung app stores and found that each had approximately 3,000 apps available for download. Spur said it found that more than 42 percent of apps available for download via the webOS operating system on LG smart TVs include SDKs that turn one’s television into an always-on residential proxy node. More than a quarter of the apps made for Samsung’s Tizen operating system had similar residential proxy components, Spur found.
RE: https://infosec.exchange/@deepfield/116772203815468059
Unraveling #Popa (and always more interesting when research intersects with other partners, in this case Qurium, @synthient and @briankrebs)
Report from Qurium: https://www.qurium.org/forensics/finding-popa
New, from our ERT: what happens when you disconnect from that free VPN app, loaded with a residential proxy SDK that talks to the Vo1d/Popa infrastructure.
https://github.com/deepfield/public-research/blob/main/reports/2026-06-18-robovpn-neunative.md