THE Popa botnet, operating via compromised Android-based TV boxes, has been linked to advertising fraud, data scraping, and account takeovers. Researchers found ties between Popa and NetNut, a residential proxy service owned by Alarum Technologies. Popa distinguishes itself from typical botnets by creating persistent, encrypted communication channels instead of engaging in destructive activities.
The botnet has proliferated through unofficial TV boxes that often come pre-installed with software enabling them to act as residential proxies, allowing malicious users to route traffic through these devices. Reports indicate that new domains controlling Popa were created after previous ones were seized, with some domains associated with Ninjatech, linked to NetNut's research VP.
Alarum Technologies denied any association with the illegal activities attributed to Popa, asserting their operational integrity and KYC policies. However, analyses show Popa continues to support NetNut's proxy services. The broader implications involve a concerning trend where AI training initiatives leverage these proxy networks for mass data scraping, disrupting service for legitimate users, while many smart TV applications unknowingly enroll devices into these proxy systems.