
Popa Botnet Shows the Hidden Risk in Cheap Streaming Boxes

KrebsOnSecurity reported that researchers linked the Popa Android botnet to NetNut, showing how consumer TV boxes can become persistent residential proxy nodes.

Author: Evolving Cyber
Published: Jun 18, 2026
Supporting image: streaming box and remote control.

On June 18, 2026, KrebsOnSecurity reported that researchers from multiple security firms linked Popa, an Android-based botnet, to NetNut's residential proxy ecosystem. Krebs described Popa as a persistent communications layer running on consumer TV boxes and similar devices, designed to register the device, maintain encrypted connections, and open tunnels on demand.

This is one of the clearest consumer-to-enterprise security stories of the summer. A cheap streaming box in a home can become part of an infrastructure layer used for account takeover, ad fraud, scraping, and other abuse.

Why this matters

Many unofficial Android TV boxes are marketed as low-cost streaming devices. The security problem is that some arrive with preinstalled or bundled software that turns the device into a proxy node. The owner may not understand that third-party traffic is being routed through their home IP address.

For attackers, that is valuable because traffic appears to originate from normal residential networks. For defenders, it makes source-based blocking harder. For device owners, it can expose the home network to unwanted traffic and reputational damage.

Qurium's linked investigation gave the story more technical depth. Qurium said a large scraping event against hosted organizations involved roughly 1.35 million unique IP addresses across more than 7,300 autonomous systems and 223 country codes. Its report described Popa as an architecture that enrolls devices into a residential proxy network and uses domains such as gmslb[.]net, safernetwork[.]io, tera-home[.]com, and ninjatech[.]io to bootstrap and redirect devices toward backend tunnel servers.

Synthient's linked research added that Popa variants were found inside streaming, IPTV, and utility apps, and that the samples it analyzed began relaying traffic as soon as the host app launched, with no informed-consent prompt. Synthient also reported a controlled test in which traffic sent through NetNut's commercial gateway exited from a device running Popa.

Infoblox added the enterprise angle: residential proxy indicators were seen across customer environments, including government, banking, pharmaceutical, and food and beverage customers. That matters because proxyware is not only a home-network problem. It can show up inside corporate networks through employee devices, unmanaged applications, and shadow IT.

Technical pattern to watch

The Popa model is useful for defenders because it gives concrete detection ideas:

  • DNS lookups to known Popa bootstrap domains.
  • Android TV boxes, Firesticks, or smart TVs communicating with unusual proxy infrastructure.
  • Consumer apps that immediately open long-lived encrypted connections at launch.
  • Unexpected outbound traffic from IoT or entertainment devices.
  • Corporate DNS telemetry showing residential proxy domains from endpoints or guest networks.
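As an added example (not code from the article or from any of the cited reports), the first item above, DNS lookups to the bootstrap domains Qurium named, worked through as a small scan over a constructed resolver log; the log layout, client addresses and sample lines are assumptions, and the match is suffix-aware so subdomains of a bootstrap domain are caught while lookalike names are not.

```python
"""Flag DNS queries for the Popa bootstrap domains in a constructed DNS log."""
import re
from collections import defaultdict

# Bootstrap domains named in the Qurium report, kept defanged as in the article.
POPA_BOOTSTRAP_DOMAINS = ["gmslb[.]net", "safernetwork[.]io",
                          "tera-home[.]com", "ninjatech[.]io"]

def refang(domain: str) -> str:
    """Turn a defanged indicator such as 'gmslb[.]net' into a real name."""
    return domain.replace("[.]", ".").lower().rstrip(".")

WATCHLIST = {refang(d) for d in POPA_BOOTSTRAP_DOMAINS}

# Assumed log layout "<timestamp> <client-ip> query <qname> <qtype>";
# adapt the regex to the real resolver's format.
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+query\s+(\S+)\s+(\S+)$")

def matched_domain(qname: str) -> "str | None":
    """Return the watchlisted domain that qname equals or sits under, else None."""
    labels = qname.lower().rstrip(".").split(".")
    # Check every suffix, so 'api.gmslb.net' matches 'gmslb.net' while
    # 'gmslb.net.example.com' and 'notgmslb.net' do not.
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in WATCHLIST:
            return candidate
    return None

def scan_dns_log(lines):
    """Group hits per client so one chatty device becomes one finding."""
    hits = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:  # skip lines that do not parse instead of crashing
            continue
        ts, client, qname, _qtype = m.groups()
        dom = matched_domain(qname)
        if dom:
            hits[client].append((ts, qname, dom))
    return dict(hits)

# Constructed sample log: a benign client, one device hitting two bootstrap
# domains, one lookalike name that must not match, and one malformed line.
SAMPLE_LOG = [
    "2026-06-18T20:01:02Z 192.168.1.10 query www.example.com A",
    "2026-06-18T20:01:05Z 192.168.1.40 query api.gmslb.net A",
    "2026-06-18T20:01:06Z 192.168.1.40 query safernetwork.io AAAA",
    "2026-06-18T20:01:09Z 192.168.1.22 query gmslb.net.example.com A",
    "malformed line that the parser should skip",
]
```

Feed the resolver's real query log in place of SAMPLE_LOG; the flagged client addresses are the pivot back to the specific TV box or guest-network device.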

What users and teams should do

  • Avoid unknown or unofficial Android TV boxes with preloaded piracy apps.
  • Keep streaming devices and routers updated.
  • Segment untrusted IoT devices from work laptops and sensitive systems.
  • Watch for unexplained bandwidth use from home networks.
  • For enterprise identity systems, base detections on behavior rather than treating residential IPs as trustworthy.
  • Include consumer device hygiene in remote-work security guidance.

The takeaway

The Popa story shows how the boundary between consumer electronics and cybercrime infrastructure keeps getting thinner. If a device is always online, poorly governed, and cheap to distribute, attackers will try to turn it into infrastructure.

Sources