The FBI, in partnership with Google and other technology companies, has dealt a major blow to NetNut, a public residential network proxy service that secretly hosted a botnet controlling approximately 2 million Android TVs and similar smart home devices. The network was used for password spraying, credential attacks, and other malicious activities.
Residential proxy botnets make malicious traffic appear like normal Internet usage, allowing cybercriminals to secretly hijack everyday devices to conduct illegal activities using your home Internet. Infected home devices were often preloaded with malware used by the botnet, making traditional home security practices less effective in detecting and stopping the problem.
According to an FBI statement emailed to CNET, on July 2, the federal agency conducted “a court-authorized seizure of multiple domains as part of a coordinated law enforcement action with the Department of Justice and IRS Criminal Investigation, targeting infrastructure associated with the NetNut residential proxy platform, its administrators, and its users.”
Authorities worked in tandem with Google, Lumen Technologies and the Shadowserver Foundation to go after NetNut and its services, also known as the Popa botnet by security researchers. Google said in a blog post that these actions “caused significant degradation of NetNut’s proxy network and business operations, reducing the number of devices available to the proxy operator by millions.” NetNut’s website now displays an FBI takedown notice.
Google has acknowledged that removing NetNut is only the first step. Since these proxy networks frequently share and resell access to their respective botnets, disruption of one provider often leads bad actors to simply purchase capacity from a competitor. To create a lasting impact, Google said it needed to “target the infrastructure of multiple interconnected providers simultaneously.”
The official NetNut website was taken down with this seizure notice instead.
The FBIHow this botnet worked
In 2024, security researchers at XLab discovered the Vo1d botnet, a massive collection of hacked, mostly off-brand Android TV devices. If you remember the fake AI video of Donald Trump and Elon Musk appearing on TVs at the Department of Housing and Urban Development, it was most likely caused by a malicious actor using the Vo1d botnet.
These same researchers also discovered Popa, a legitimate network protocol plugin that turns consumer devices into residential proxy nodes with user consent. But the version researchers found was installed on hacked Android TV devices without user consent. According to the FBI, a residential proxy node is “an intermediary server between individuals and the websites they visit to make it appear as if their connections are originating elsewhere.”
Residential proxy networks are legal in the United States, and companies using them typically sell access to business clients, where they are often used for security penetration testing, ad verification, marketing data collection, and unlocking geo-locked websites. Since residential nodes use real IP addresses of someone’s home, the business or person using the node is seen by the World Wide Web as just an ordinary user and their true identity is hidden.
Android TV devices that were part of the Vo1d botnet and infected with Popa allowed cybercriminals to carry out attacks, scrape data from infected devices for sensitive information such as passwords, and even hijack the device to perform malicious tasks, all while the hacker appeared to be coming from the house across the street or apartment across the street without actually being there.
This is where NetNut comes in. NetNut is a public residential proxy network operator owned by Alarum Technologies, a publicly traded company in Israel. According to Google, it was one of the largest residential proxy network operators in the world.
On the surface, NetNut appeared to be a legitimate company and even had an official website where you could purchase its services. However, late last month, several researchers confirmed that the traffic generated by the Popa botnet came from NetNut users. This meant that NetNut was effectively selling its botnet to everyone, for both legitimate and illegitimate uses, providing authorities with enough evidence to bring the company down.
Stay safe from the next attack
The good news is that it’s actually quite simple to make sure you’re not part of the next Android TV-powered botnet. According to Google and security researchers, the overwhelming majority of hacked devices were unnamed Android TV streamers that you can find for free on Amazon, Temu, AliExpress and other online outlets.
Many of these streaming sticks and boxes are pretty cheap, but they work. The problem is that almost all of them are using older versions of Android, which are easier to hack since these devices lack the modern protections offered by newer versions.
Some brands sell streaming boxes that promise free streaming without a subscription. These are often advertised on Instagram and TikTok by new influencers who claim to offer a subscription-free streaming TV solution. Security researchers found that many of these streamers were pre-hacked with botnet software installed out of the box.
So, the first step to avoid becoming part of a botnet is to only purchase Android TV devices from reputable companies like Sony, Nvidia, Google and others. Try buying one that runs a modern version of Android and still receives security updates. You should also avoid “one price, no subscription” boxes on social media, as they almost certainly contain pre-installed malware.
Botnets like this are not unique to Android TV. Smart home devices are also routinely included in botnets. So the second step to keeping yourself safe is to make sure you apply all of the tips above to your smart home products as well. You should also stay up to date with the latest trends, like promptware, a new type of malware that hijacks your devices by instructing onboard AI to do so on the hacker’s behalf.
This incident reminds us to be wary of cheap, low-quality technology peddled by influencers – otherwise you risk having your personal credentials stolen. The usual array of things helps, too, like making sure you have a strong password, learning to avoid phishing emails, and not revealing personal information to suspicious characters online.




























