Google and FBI Dismantle NetNut Residential Proxy Network
A joint operation led by Google's Threat Intelligence Group (GTIG) and the FBI has disrupted NetNut (also known as "Popa"), a residential proxy network that granted cybercriminals and espionage groups access to approximately 2 million compromised Android devices. Additional partners included Lumen Technologies, the Shadowserver Foundation, and the IRS Criminal Investigation division.
The operation targeted NetNut's command-and-control infrastructure, seized hundreds of domains, and disabled linked Google accounts used for C2 communications — effectively severing the connection between the network operators and the compromised devices.
What NetNut Was
NetNut was operated by Israeli company Alarum Technologies (NASDAQ: ALAR) and functioned as a residential proxy service. It sold access to exit nodes on compromised home and consumer devices, allowing subscribers to route internet traffic through legitimate residential IP addresses — masking their true origin.
This capability is prized by:
- Cybercriminals evading IP-based detection
- Nation-state operators conducting espionage
- Ad fraud operators
- Credential stuffing and account takeover attackers
How Devices Were Compromised
Two primary infection vectors were identified:
| Vector | Description |
|---|---|
| Pre-installed malware | Devices arrived with malicious proxy software already embedded in firmware before purchase |
| Trojanized apps | Users downloaded apps containing hidden residential proxy SDKs with no user disclosure |
Researchers found that over 20% of Samsung Tizen apps and 42% of LG webOS apps examined contained a residential proxy SDK that operated without user consent. The Badbox 2.0 botnet was among the mechanisms used to deliver proxy plugins to devices.
Affected Device Types
- Android-based smart TVs
- Android streaming boxes and sticks
- General residential Android devices (phones, tablets)
Scale of the Operation
| Metric | Detail |
|---|---|
| Devices enrolled | ~2 million |
| Infrastructure seized | Hundreds of C2 domains |
| Google accounts disabled | NetNut-linked accounts used for C2 |
| Google Play Protect | Updated to block apps containing NetNut SDKs |
| Intelligence shared | SDK and infrastructure data shared with platform providers and law enforcement |
Why Disruption Is Difficult
The operation is significant, but security researchers caution that the underlying problem persists. When Google disrupted NetNut's largest competitor IPIDEA in January 2026, that network rebuilt to pre-disruption device counts within a single day — underscoring how deeply embedded proxy SDKs are in the consumer device supply chain.
The compromised devices themselves are not remotely wiped or restored. Unless users update firmware or factory reset their devices, the malware remains installed. The disruption targets network infrastructure, not endpoint compromise.
What Happens to Affected Devices
- Devices remain infected unless users take action (firmware update or factory reset)
- The C2 channels are cut, meaning devices cannot receive new instructions or route traffic for NetNut operators
- Google Play Protect now actively blocks apps with NetNut proxy SDKs
- No automated remediation was pushed to consumer devices
Recommendations
For consumers:
- Check whether your smart TV or streaming device received unsolicited firmware updates
- Perform a factory reset if you suspect your device may be a Badbox-family device
- Purchase smart TV and streaming devices from established retailers — gray-market devices are disproportionately affected
- Review app permissions on Android TV and connected TV platforms
For organizations:
- Block residential proxy ASNs known to be affiliated with NetNut and similar services in your threat feeds
- Investigate anomalous outbound traffic from smart TVs or streaming devices on corporate networks
- Review vendor firmware provenance for consumer devices deployed in conference rooms or lobby displays
Key Takeaways
- 2 million devices enrolled in the NetNut residential proxy network have been cut off from C2
- Joint operation by Google GTIG, FBI, Lumen, Shadowserver, and IRS-CI seized hundreds of domains
- Infection vectors include pre-installed firmware malware and trojanized TV apps
- Devices remain infected — the operation disrupts infrastructure, not endpoints
- The residential proxy ecosystem has demonstrated rapid rebuild capability — sustained enforcement is required
References
- BleepingComputer — NetNut Proxy Network Disrupted
- The Hacker News — Google Disrupts NetNut Residential Proxy Network
- SecurityWeek — Google, FBI Disrupt NetNut Residential Proxy Network
- Krebs on Security — FBI Seizes NetNut Proxy Platform, Popa Botnet
- Google Cloud Blog — Google's Continued Disruption of Malicious Residential Proxy Networks