Millions of consumers have brought home cheap Android streaming devices. They promise free access to every major video service for a one-time fee. Yet many of these boxes do far more than stream shows. They quietly turn the buyer’s home internet connection into a node in a vast residential proxy system. Security researchers now tie that system, known as Popa, directly to infrastructure used by NetNut, a proxy service owned by publicly traded Alarum Technologies Ltd.
The revelations landed this week in coordinated reports from independent researchers. They paint a picture of a four-year operation that enlists unofficial TV boxes, phones, tablets and even some smart TVs. These devices register themselves, maintain encrypted tunnels and relay traffic on demand. The traffic supports advertising fraud, account takeovers, credential stuffing and aggressive data scraping. And much of it flows through or benefits NetNut’s commercial proxy pool.
Proxy SDKs Hidden in Streaming Apps
Popa isn’t a classic malware strain that hijacks devices for denial-of-service attacks. Researchers describe it as a persistent communications layer. It registers the device, keeps long-lived encrypted connections alive and opens tunnels when customers request them. The component often ships inside pirated or modded video apps such as CRICFy, DooFlix, Sprozfy, RTS Tv, Flixoid, CyberFlix, Rapid Streamz, TvMob and HD Ocean Streams.
Those apps run on boxes sold under thousands of brand names and model numbers across major e-commerce sites. The FBI and security experts have warned about them for years. Buyers get cheap streaming. The sellers get a persistent residential IP address that looks like legitimate consumer traffic. Popa, researchers say, is the plugin that makes the relay reliable.
The first public hints surfaced in a 2025 analysis by Chinese firm XLAB. It flagged nine domains used to register and command compromised devices. Then, in May 2026, Qurium Media Foundation began investigating costly scraping attacks aimed at organizations it hosts. The scraping spread across more than 1.4 million distinct IP addresses. Many traces led back to the same set of control domains. Some of those domains had been seized in a major 2025 takedown of the related Badbox 2.0 botnet by Google, HUMAN Security and Trend Micro. One domain survived untouched: ninjatech[.]io.
That domain pointed straight at Moishi Kramer. His LinkedIn profile lists him as vice president of research and development at NetNut. The profile credits him with building NetNut from the ground up, designing its architecture and scaling the business before Alarum acquired it. A listing Kramer created on the F6S job board identified him as sole owner of the Ninjatech domain.
Kramer responded by email. He said Ninjatech shut down about five years ago after selling a software development kit called Popa. The kit, he explained, was meant to consume only a small slice of bandwidth and to run only after the host app received explicit user consent. “That code was sold and licensed to third parties including resellers years ago,” Kramer stated. “Once software is distributed that way, the original developer has no control over how others later modify, rebrand, or deploy it.” He denied that he or NetNut operate the current Popa infrastructure or registered the 2025 domains.
But Synthient saw something different. In its report released the same day, the proxy intelligence firm examined recent Popa samples. It observed clear outbound connections associated with NetNut. “The research team assesses with high confidence that devices running Popa forward traffic from Netnut clients,” Synthient wrote. “This proves without a shadow of a doubt that Popa actively continues to be used by NetNut as part of their proxy pool.” Some samples communicated directly with sdk.netnut.io. None of more than 20 publisher apps examined actually displayed the consent prompt present in version 2.7.46 of the SDK.
Alarum Technologies pushed back hard. The company told KrebsOnSecurity that the reports from Synthient and Qurium relied on “demonstrably inaccurate assertions and flawed deductions rather than verified facts.” It rejected the word botnet entirely. “The SDKs at issue are designed to facilitate bandwidth-sharing functionality and do not transform user devices into malware-controlled systems or otherwise compromise the devices on which they operate,” Alarum stated. The company said NetNut maintains policies, customer due diligence, monitoring and technical controls to promote lawful use. It performs KYC checks and employs measures to detect misuse.
Yet Spur, another proxy tracking service, cast doubt on those controls in a June 8 report. It found that individuals could sign up for NetNut access, pay and route traffic through partner residential space with minimal verification. “An individual can sign up, pay, and route traffic through partner address space, including space belonging to institutions whose users never opted in,” Spur wrote. Downstream resellers often required even less, sometimes nothing more than a burner email and cryptocurrency.
Chris Formosa, senior lead information security engineer at Black Lotus Labs, part of Lumen Technologies, called Popa especially dangerous because NetNut proxies are so widely resold. “What especially makes Popa dangerous is just how widely used NetNut is for reselling and sharing,” he said. Many other services simply resell NetNut rather than build their own networks. As a result, Popa IPs surface across dozens of proxy providers. The botnet averages 1.5 million to 2.5 million distinct IP addresses daily, steered by 250 to 300 control servers. “It may not be the largest botnet we have seen, but it is spread all over the industry, making its power very amplified.”
Jérôme Meyer at Nokia Deepfield offered an even higher estimate. His team monitors 26 of at least 359 known relay nodes. Each node handles 35,000 to 60,000 clients at once. In 24 hours his subset alone saw 750,000 unique sources. Nokia Deepfield also published analysis of RoboVPN, a related app tied to the broader Vo1d campaign that researchers link to the same operators.
The business case is clear. Proxy providers increasingly market their services to artificial intelligence companies that need massive volumes of fresh web data. Training large language models requires constant scraping of text, images and video. Datacenter IPs get blocked quickly by Cloudflare, DataDome, HUMAN and similar protections. Residential IPs from consumer devices do not. Include Security noted in a recent report that proxy SDKs embedded in smart TV apps have become standard infrastructure for the AI scraping economy.
Synthient’s traffic analysis of Popa devices showed video streaming and media domains made up 41 percent of targets. Much of that activity looks like scraping, credential stuffing and botting aimed at streaming services for account takeovers. Advertising fraud accounted for another chunk, inflating traffic to networks run by Google, Microsoft and AppsFlyer. Port 5555, the default for Android Debug Bridge, ranked high in outbound connections, suggesting attackers also use these proxies to pivot into local networks and infect more devices.
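The indicators above translate into a simple defender-side check for a home or small-office network. The following is an added example, not code from the article or from any company it names: it scores devices from constructed flow records, using the NetNut SDK and Ninjatech hosts, outbound port 5555 and destination fan-out as indicators; the fan-out threshold is an assumed tuning value.

```python
"""Flag home-network devices behaving like residential-proxy relays.

Added example, not code from the article or any vendor it names. Input is a
constructed set of flow records like those a home router exports. Indicators
follow the reporting: contact with Popa control or NetNut SDK hosts, outbound
Android Debug Bridge (port 5555) connections, and fan-out to many destinations.
"""
from collections import defaultdict
from typing import List, NamedTuple

class Flow(NamedTuple):
    src_ip: str
    dst_host: str
    dst_port: int

# Hosts named in the reporting (ninjatech[.]io appears defanged there).
CONTROL_HOSTS = {"sdk.netnut.io", "ninjatech.io"}
ADB_PORT = 5555          # Android Debug Bridge default, as cited in the article
FANOUT_THRESHOLD = 50    # distinct destinations per device; assumed tuning value

def score_devices(flows: List[Flow]) -> dict:
    """Return {src_ip: [indicator, ...]} for each device tripping at least one rule."""
    by_src = defaultdict(list)
    for f in flows:
        by_src[f.src_ip].append(f)
    findings = {}
    for src, fl in by_src.items():
        hosts = {f.dst_host for f in fl}
        hits = []
        known = sorted(hosts & CONTROL_HOSTS)
        if known:
            hits.append("control-host:" + ",".join(known))
        adb = sum(1 for f in fl if f.dst_port == ADB_PORT)
        if adb:
            hits.append(f"adb-5555-outbound:{adb}")
        if len(hosts) >= FANOUT_THRESHOLD:
            hits.append(f"destination-fanout:{len(hosts)}")
        if hits:
            findings[src] = hits
    return findings

def sample_flows() -> List[Flow]:
    """Constructed sample: a laptop browsing normally and a TV box relaying traffic."""
    laptop, box = "192.168.1.20", "192.168.1.55"
    flows = [Flow(laptop, "example.com", 443), Flow(laptop, "mail.example.net", 993)]
    flows.append(Flow(box, "sdk.netnut.io", 443))      # SDK check-in
    flows.append(Flow(box, "203.0.113.9", ADB_PORT))   # outbound ADB probe
    flows += [Flow(box, f"site{i}.example", 443) for i in range(60)]  # relayed traffic
    return flows
```

Feeding real router or firewall flow exports into `score_devices` would flag the box while leaving the laptop alone; the fan-out rule catches relays even when the control hosts change.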
Popa is not the only player. IPIDEA, a Chinese proxy service, once commanded nearly 10 million daily devices before Google and partners seized its control domains earlier this year. Synthient had previously shown how new DDoS botnets tunneled through IPIDEA proxies to reach vulnerable Android devices behind home firewalls. Similar patterns continue with newer families.
Yet the Popa case stands out because of the direct corporate ties. A publicly traded Israeli company whose stock trades on NASDAQ under ticker ALAR now must answer detailed technical accusations from multiple independent teams. Alarum insists its SDKs require consent and that it polices misuse. Researchers counter that consent prompts rarely appear, control domains link to a senior NetNut executive, and traffic analysis shows NetNut gateways receiving Popa traffic.
The dispute highlights deeper problems in the residential proxy market. Companies sell access to consumer bandwidth with varying levels of transparency. Buyers range from legitimate market researchers to fraudsters and scrapers feeding AI models. Device owners rarely understand they have joined a proxy pool. When the box sits behind the television, it runs 24 hours a day, burning bandwidth the owner pays for and exposing the local network to inbound risks.
Regulators, platform operators and consumers all face hard questions. Google has taken legal action before. More enforcement may follow. For Alarum and NetNut the immediate challenge is credibility. The researchers’ evidence is technical and specific: domain overlaps, code analysis, traffic flows, executive connections. The company’s response is broad and defensive. Industry observers will watch how both sides respond in the weeks ahead. The millions of infected boxes aren’t going away anytime soon.


WebProNews is an iEntry Publication