Popa botnet research now puts a publicly traded Nasdaq company inside a fight over whether millions of cheap Android TV boxes became commercial proxy infrastructure without clear user consent. That matters first to device owners, but it also lands on proxy buyers, smart-device importers, auditors, and investors in Alarum Technologies Ltd [NASDAQ: ALAR], the parent of NetNut.

Popa Botnet Pulls Alarum Into Android TV Proxy Scandal
XOOMAR Intelligence
Analyst Take
For the past four years, Popa has allegedly forced consumer TV boxes to relay internet traffic tied to advertising fraud, account takeovers, and mass data scraping, according to Krebs on Security. Researchers from multiple security firms now say Popa is linked to NetNut, a residential proxy provider operated by Alarum.
XOOMAR analysis: the sharpest issue here is not whether residential proxies can have legitimate uses. They can. The issue is source integrity. If the researchers are right, a commercial proxy pool may have drawn power from household devices whose owners did not meaningfully understand, approve, or control the traffic moving through their networks.
Popa Turns Cheap Android TV Boxes Into a Corporate Proxy Problem
The story starts with a familiar bargain: cheap streaming hardware promising access to video services for an up-front fee. The reported trade-off is uglier. Security researchers say those same Android-based TV boxes can become traffic relays, enrolling household internet connections into proxy networks while the owner sees only a device plugged into the wall and connected to Wi-Fi.
Who carries the risk when a living-room device becomes an exit node for someone else’s traffic?
Popa is described as a component tied to Vo1d, a large malware campaign targeting unofficial Android TV boxes. Krebs reports that these devices are sold under thousands of brand names and model numbers, and are broadly available through major e-commerce destinations. The devices often advertise access to subscription video services for a one-time payment.
The alleged link to NetNut raises the stakes because this is not just a malware-cleanup story. NetNut sits under Alarum Technologies, a public company. That turns a technical sourcing dispute into a governance question: how does a public proxy business prove that the bandwidth it sells comes from devices with valid consent?
Alarum rejects the characterization. The company said the reports from Synthient and Qurium contained “demonstrably inaccurate assertions and flawed deductions rather than verified facts,” and said it rejects calling the SDKs and technologies a “botnet.”
“The SDKs at issue are designed to facilitate bandwidth-sharing functionality and do not transform user devices into malware-controlled systems or otherwise compromise the devices on which they operate,” Alarum said.
That statement draws the central line in the case. Researchers are describing abuse infrastructure. Alarum is describing bandwidth-sharing technology with controls.
Inside the Popa Botnet: How Android TV Boxes Became Traffic Relays
Popa is not described as a classic botnet built mainly for destructive campaigns like huge DDoS attacks. Krebs says Popa appears built for a narrower job: registering devices, keeping long-lived encrypted connections active, and opening communication tunnels when needed.
That design matters. A residential proxy network becomes more valuable when its nodes stay online, look like ordinary home connections, and can route traffic on demand. A cheap Android TV box fits that profile if it remains plugged in and rarely gets inspected by its owner.
Why TV boxes make useful proxy hosts
The source material points to several practical advantages for attackers or opaque bandwidth suppliers:
- Persistence: TV boxes often sit powered on for long periods.
- Residential IPs: Traffic appears to come from real homes rather than data centers.
- Low visibility: Owners may not monitor outbound connections from a streaming device.
- Distribution: Devices are sold under many brands and model numbers.
- Software bundling: Krebs cites warnings that these boxes can bundle or arrive with proxy-enabling software.
The abuse cases are not theoretical in the reporting. Popa-linked traffic has been associated with advertising fraud, account takeovers, and mass data scraping. Qurium said it encountered related domains while investigating disruptive and expensive scraping events in May 2026, with activity spread across more than 1.4 million Internet addresses.
A legitimate residential proxy service and a botnet-powered proxy pool may look similar from the outside because both can route traffic through home IP addresses. The difference is consent, transparency, control, and proof.
| Test | Legitimate bandwidth-sharing model | Botnet-powered proxy model |
|---|---|---|
| Consent | User clearly opts in | User may not understand or approve |
| Control | User can stop participation | Device may keep tunneling traffic |
| Sourcing | Provider can document supply | Supply chain depends on opaque SDKs or apps |
| Abuse handling | Customers are vetted and monitored | Malicious users can buy or resell access |
| Auditability | Records can be reviewed | Provenance is hard to verify |
XOOMAR analysis: this is why Popa matters beyond one set of domains. If proxy buyers cannot audit where traffic originates, they inherit hidden legal, security, and reputational exposure.
The Numbers Behind Popa, NetNut, and Alarum’s Exposure
The reported scale is the reason the Popa botnet allegation is so damaging. Krebs describes a four-year operation involving millions of consumer TV boxes. Black Lotus Labs researcher Chris Formosa told Krebs that Popa averages between 1.5 million and 2.5 million distinct IP addresses each day, relying on between 250 and 300 Internet addresses used to direct activity.
How many homes have to be involved before “bandwidth sharing” becomes a public-company disclosure problem?
Jérôme Meyer of Nokia Deepfield gave another view of the scale. He said Nokia is monitoring 26 of at least 359 known relay nodes for the botnet and estimates that each relay node handles between 35,000 and 60,000 clients simultaneously. On the subset he reviewed, Meyer observed 750,000 unique sources in 24 hours.
Those figures explain why residential proxy abuse can punch through anti-fraud defenses. A large pool of home IP addresses can make automated traffic look less like a campaign and more like scattered human activity. That is the commercial value of residential routing, and also the core abuse risk.
The evidence chain, however, needs careful separation.
- Observed by researchers: domains and infrastructure associated with Popa, including gmslb[.]net, safernetwork[.]io, tera-home[.]com, and ninjatech[.]io.
- Reported by Qurium: gmslb[.]net appeared in pirated or modded video apps including CRICFy, DooFlix, Sprozfy, RTS Tv, Flixoid, CyberFlix, Rapid Streamz, TvMob, and HD/OceanStreams.
- Reported by Synthient: recent Popa SDK analysis showed outbound traffic associated with NetNut.
- Denied by Alarum and Moishi Kramer: that NetNut or Kramer operates or controls the infrastructure described as Popa.
Kramer told Krebs that Ninjatech ceased operations around five years ago and sold an SDK called Popa that was meant to use a small portion of device bandwidth only after user consent.
“That code was sold and licensed to third parties including resellers years ago,” Kramer said. “Once software is distributed that way, the original developer has no control over how others later modify, rebrand, or deploy it.”
That may become the crucial factual dispute: whether current traffic observed by researchers shows active NetNut use of Popa-derived infrastructure, or whether legacy code escaped into third-party deployments outside NetNut’s control.
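For defenders, the domains researchers associate with Popa (listed above) can be checked against a local resolver's query log. The following is an added example, not code from the article or the cited researchers; the dnsmasq-style log format, the sample lines, the made-up subdomain label and the client addresses are constructed assumptions.

```python
import re
from collections import defaultdict

# Domains the article lists as associated with Popa, kept defanged as on the page.
POPA_DOMAINS_DEFANGED = ["gmslb[.]net", "safernetwork[.]io",
                         "tera-home[.]com", "ninjatech[.]io"]

# dnsmasq / Pi-hole style query line (log format assumed for this example).
QUERY_RE = re.compile(
    r"query\[(?P<qtype>[A-Za-z0-9]+)\]\s+(?P<name>\S+)\s+from\s+(?P<client>\S+)")

def refang(domain):
    """Turn 'gmslb[.]net' into 'gmslb.net', normalised for comparison."""
    return domain.replace("[.]", ".").lower().rstrip(".")

def matches(name, watchlist):
    """Return the watchlisted domain that `name` equals or is a subdomain of."""
    name = name.lower().rstrip(".")
    for d in watchlist:
        # Label-boundary match: 'notgmslb.net' must not match 'gmslb.net'.
        if name == d or name.endswith("." + d):
            return d
    return None

def find_hits(log_lines, watchlist=None):
    """Map each client address to {watchlisted domain: query count}."""
    watchlist = watchlist or [refang(d) for d in POPA_DOMAINS_DEFANGED]
    hits = defaultdict(lambda: defaultdict(int))
    for line in log_lines:
        m = QUERY_RE.search(line)
        if not m:
            continue  # 'forwarded', 'reply' and 'cached' lines are skipped
        d = matches(m.group("name"), watchlist)
        if d:
            hits[m.group("client")][d] += 1
    return {client: dict(counts) for client, counts in hits.items()}

def constructed_sample():
    """Constructed log lines; subdomain label and client IPs are made up."""
    g, t, n = (refang(POPA_DOMAINS_DEFANGED[i]) for i in (0, 2, 3))
    p = "Jun  1 20:14:02 dnsmasq[812]: "
    return [
        p + f"query[A] made-up-label.{g} from 192.168.1.57",
        p + f"forwarded made-up-label.{g} to 9.9.9.9",
        p + f"query[AAAA] made-up-label.{g} from 192.168.1.57",
        p + f"query[A] not{g} from 192.168.1.20",             # look-alike, no hit
        p + f"query[A] {n.upper()}. from 192.168.1.57",        # case, trailing dot
        p + f"query[A] {t}.example.org from 192.168.1.33",     # wrong suffix
    ]

if __name__ == "__main__":
    for client, counts in find_hits(constructed_sample()).items():
        print(client, counts)
```

A match identifies a device worth inspecting rather than proving compromise, and because the reporting says controller domains were replaced after the July 2025 takedown, the watchlist has to be refreshed from current research.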
Security Researchers, NetNut Customers, Device Owners, and Investors See Different Risks
Security researchers see Popa as durable proxy infrastructure hiding behind consumer hardware. Synthient’s language was direct.
“The research team assesses with high confidence that devices running Popa forward traffic from Netnut clients,” Synthient wrote. “This proves without a shadow of a doubt that Popa actively continues to be used by NetNut as part of their proxy pool.”
Alarum disputes that framing and says NetNut operates a commercial proxy network with policies, procedures, and technological measures meant to promote lawful use. The company also said NetNut emphasizes notice and consent, customer due diligence, monitoring, and steps to detect suspicious or unauthorized activity.
Customers face a different problem. Even if they buy proxy access for lawful business reasons, they need confidence that the IP supply is clean. If traffic provenance is murky, the customer can become entangled in scraping claims, fraud investigations, or abuse-blocking decisions made by platforms and network defenders.
What proof should a proxy buyer demand before routing business traffic through a residential pool?
Device owners have the least information and the most personal exposure. If their TV box is relaying third-party traffic, they may see slower connections, higher data use, ISP warnings, or suspicious activity tied back to their home IP. Krebs also reports a more serious concern: some proxy networks do little to stop malicious customers from communicating with or compromising systems on the local network of the device owner.
Investors have to read this as a controls question. Alarum is publicly traded, which means allegations about NetNut’s supply chain are not just technical noise. They can affect customer trust, disclosure scrutiny, and confidence in how the company validates its revenue inputs.
This is similar in business risk shape to the access-control failures we covered in "74,000 Fortinet Logins Spill in FortiBleed Data Leak": once trust breaks at the infrastructure layer, the damage moves quickly from security teams to executives, customers, and boards.
Residential Proxy Scandals Keep Repeating the Same Consent Failure
Popa fits a recurring pattern in proxy controversies: businesses want authentic residential IPs, intermediaries search for cheap supply, software gets bundled into consumer apps or devices, and users rarely understand the bargain.
Where does consent end if the user never sees the real commercial chain behind the device?
The Krebs report notes that most domains long used to control Popa were seized or dismantled in July 2025, after Google, HUMAN Security, and Trend Micro disrupted Badbox 2.0, a botnet closely associated with Vo1d. Qurium said new controller domains appeared immediately after that disruption, while one control domain, ninjatech[.]io, was not new.
That sequence suggests resilience. When domains were taken down, replacement infrastructure allegedly appeared. That is not how a clean, user-facing consent product usually behaves. It is how traffic supply systems survive disruption.
The reporting also connects Popa to a wider shift in botnet economics. Older botnets were often judged by spam volume or DDoS firepower. Popa’s alleged utility is subtler: it can provide residential routing for fraud, scraping, and account abuse. That kind of infrastructure does not need to knock a site offline to be profitable. It just needs to make automated traffic look human enough to pass basic filters.
Krebs also cites IPIDEA, a China-based proxy provider that previously operated a daily pool of nearly 10 million devices resold as proxies. Synthient research published in January 2026 showed that multiple new large DDoS botnets had grown by tunneling through IPIDEA proxies into local networks of TV box owners and infecting other Android devices behind the firewall. Google and industry partners later took legal action to seize domain names used by IPIDEA to control devices and proxy traffic.
XOOMAR analysis: Popa’s lesson is not that every residential proxy is illegitimate. It is that the proxy industry’s weakest point is auditable consent. If a provider cannot show where the bandwidth came from, how the user opted in, and how the user can opt out, buyers should treat the traffic as contaminated until proven otherwise.
What Popa Means for Proxy Buyers, Smart Device Makers, and Public Tech Companies
Enterprise proxy buyers should treat residential IP sourcing as a due diligence issue, not a procurement footnote. Contracts should require consent records, traffic provenance, abuse controls, reseller mapping, and independent audit rights. A customer that only asks for volume and price is ignoring the central risk.
What would weaken the Popa thesis? Clear evidence that the observed traffic does not originate from NetNut customers, that affected SDK deployments had valid consent, or that third-party resellers controlled the questionable infrastructure without NetNut involvement.
Smart-device makers and importers face a different obligation. Cheap Android hardware needs stronger firmware signing, update pipelines, app vetting, and post-sale security support. If a device ships with bundled software that can quietly monetize bandwidth, the manufacturer or importer may become part of the abuse chain even if the brand name on the box is disposable.
Public tech companies should prepare for harder questions when revenue depends on hard-to-verify traffic supply. Auditors, customers, and investors will want to know whether controls exist on paper or in enforceable systems. That includes customer checks, reseller restrictions, consent logging, abuse response, and the ability to remove suspect nodes fast.
The data-quality lesson also applies beyond cybersecurity. In markets, bad inputs create false confidence, as we discussed in "Level 2 Trading Platforms That Expose Costly Data Gaps". In proxy networks, bad traffic provenance can do the same thing. It makes a product look scalable while hiding the risk inside the supply.
The next evidence to watch is narrow and concrete: whether Synthient, Qurium, Lumen, Nokia Deepfield, or other researchers publish additional packet-level findings tying Popa traffic to NetNut customers, and whether Alarum provides verifiable consent and sourcing records that rebut those claims. If the company can document clean supply, the allegation weakens. If more forensic work links Popa nodes to commercial proxy traffic, the story shifts from a disputed research report to a deeper test of how public companies monetize residential bandwidth.
Impact Analysis
- Consumers may unknowingly have smart devices used as exit nodes for suspicious internet traffic.
- Proxy buyers face higher legal and reputational risk if traffic sources lack clear consent.
- Alarum and NetNut could face investor, auditor, and regulatory scrutiny over proxy supply-chain integrity.
Residential Proxy Models Under Scrutiny
| Model | How It Works | Main Concern |
|---|---|---|
| Legitimate residential proxies | Use household IP addresses with meaningful user consent and control | Can support lawful uses if sourcing is transparent |
| Alleged Popa-linked proxy traffic | Researchers say Android TV boxes relayed traffic through household networks | Device owners may not have understood, approved, or controlled the activity |
Written by
XOOMAR Insights Team
Research and Editorial Desk