Security researchers from multiple firms have conclusively linked the Popa botnet — an Android-based operation that has quietly enslaved millions of consumer TV boxes over the past four years — to a publicly traded Israeli technology company.
What Is the Popa Botnet?
The Popa botnet is a large-scale Android malware campaign targeting consumer streaming and smart TV devices. Over a four-year period, the operation commandeered infected boxes to relay internet traffic for a variety of illicit purposes:
- Advertising fraud — generating fake ad impressions and click traffic to siphon revenue from advertisers
- Account takeovers — routing credential-stuffing and brute-force attacks through residential IP addresses to evade detection
- Mass data scraping — harvesting content from websites at scale while appearing to originate from legitimate consumer connections
By routing traffic through millions of compromised home devices, Popa effectively turned everyday TV boxes into an anonymous proxy network — a technique commonly used to disguise the true origin of malicious traffic.
Attribution to an Israeli Firm
Researchers at multiple security companies independently converged on the same conclusion after analyzing command-and-control infrastructure, code-signing certificates, and business registration records tied to the botnet's backend systems.
The identified company is publicly listed, which raises significant governance and regulatory questions — including how a firm subject to stock exchange oversight and shareholder accountability could be operating infrastructure linked to a criminal botnet for years.
The report, initially published by Brian Krebs of KrebsOnSecurity, drew on export records and technical telemetry to establish the connection.
Why This Matters
The Popa case highlights the "legitimate business" face of some botnet operations. Rather than the classic criminal-gang model, some residential proxy networks are operated by companies that sell "anonymous internet" or "residential IP" services, where the use of the infected device as a proxy is technically consented to via deeply buried end-user license agreements — or not consented to at all.
Key implications:
- TV boxes and streaming sticks remain significantly under-protected compared to smartphones and PCs
- Residential proxy abuse is a growing vector enabling fraud, scraping, and credential attacks at scale
- A stock market listing is no guarantee that a company is not involved in questionable cybersecurity practices
Protecting Your Devices
Consumers with Android-based TV boxes should consider the following:
- Factory reset devices periodically, especially after downloading third-party apps
- Disable sideloading if not required — avoid APKs from unofficial sources
- Use network-level monitoring (e.g., Pi-hole or router DNS logging) to detect unusual outbound traffic
- Purchase from reputable brands that provide regular security updates
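As an added illustration of the DNS-monitoring advice above (example code, not from the article or the researchers who investigated Popa), the script below parses Pi-hole/dnsmasq-style query lines and flags LAN clients that resolve an unusually wide spread of unrelated domains, the pattern a TV box relaying someone else's proxy traffic tends to show. The sample log, client addresses and thresholds are constructed assumptions to tune for your own network.

```python
import re
from collections import defaultdict

# Pi-hole writes dnsmasq-style lines: one "query[TYPE] name from client" per lookup.
QUERY_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+[\d:]+)\s+dnsmasq\[\d+\]:\s+query\[(?P<qtype>[A-Z]+)\]\s+"
    r"(?P<name>\S+)\s+from\s+(?P<client>[\d.]+)$"
)

def registrable_domain(name):
    """Collapse a hostname to its last two labels (adequate for home-LAN triage)."""
    labels = name.rstrip(".").lower().split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else name.lower()

def parse_queries(lines):
    """Return {client_ip: [registrable_domain, ...]} for every query line that parses."""
    per_client = defaultdict(list)
    for line in lines:
        m = QUERY_RE.match(line.strip())
        if m:
            per_client[m.group("client")].append(registrable_domain(m.group("name")))
    return per_client

def flag_proxy_like_clients(per_client, min_queries=10, min_distinct=8):
    """Flag clients that resolved unusually many unrelated domains.

    A streaming box normally talks to a small, stable set of vendor/CDN/ad
    domains; a box relaying proxy traffic resolves whatever the proxy's
    customers browse. Thresholds are assumptions, not vendor baselines."""
    flagged = {}
    for client, domains in per_client.items():
        distinct = len(set(domains))
        if len(domains) >= min_queries and distinct >= min_distinct:
            flagged[client] = {"queries": len(domains), "distinct_domains": distinct}
    return flagged

# Constructed sample: .42 is a TV box hitting many unrelated sites, .10 a phone on a few.
SAMPLE_LOG = [
    f"Jan 12 10:15:{i:02d} dnsmasq[812]: query[A] site{i}.example-shop{i}.com from 192.168.1.42"
    for i in range(12)
] + [
    f"Jan 12 10:16:{i:02d} dnsmasq[812]: query[A] {h} from 192.168.1.10"
    for i, h in enumerate(["www.google.com", "api.google.com", "cdn.vendor.net", "cdn.vendor.net"] * 3)
]

if __name__ == "__main__":
    for ip, stats in flag_proxy_like_clients(parse_queries(SAMPLE_LOG)).items():
        print(f"{ip}: {stats['queries']} queries across {stats['distinct_domains']} domains")
```

On a real Pi-hole, feed it `/var/log/pihole.log` (or the FTL database export) and compare each box against its own quiet-hours baseline rather than a single global threshold.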
The Popa investigation is ongoing. Researchers expect further disclosures as the full scope of the operation continues to be mapped.