VYPR
Research · Published Jun 18, 2026 · 1 source

‘Popa’ Botnet Tied to Publicly-Traded Israeli Firm Alarum Technologies

Researchers link the Popa Android botnet, infecting millions of TV boxes for proxy traffic, to NetNut, a residential proxy provider owned by publicly-traded Alarum Technologies.

For the past four years, a sprawling Android-based botnet called Popa has forced millions of consumer TV boxes to relay Internet traffic linked to advertising fraud, account takeovers, and mass data-scraping efforts. This week, researchers from multiple security firms concluded that the Popa botnet is linked to NetNut, a "residential proxy" provider operated by the publicly-traded Israeli firm Alarum Technologies Ltd. (NASDAQ: ALAR).

Popa is a massive botnet, but by all accounts it is unlike traditional botnets that enlist compromised systems in destructive activities, such as coordinating huge distributed denial-of-service attacks. Rather, Popa appears designed with a singular purpose: implementing a persistent communications layer capable of registering a device, maintaining long-lived encrypted connections, and opening communication tunnels on demand. Experts say Popa is a plugin component associated with the Vo1d botnet, a large-scale malware campaign targeting unofficial Android-based TV boxes.

These devices, which are marketed under thousands of brand names and model numbers and broadly available for purchase at top e-commerce destinations, all advertise the ability to stream hundreds of subscription video services for an upfront one-time fee. But as the FBI and security industry experts have warned repeatedly, these streaming boxes typically bundle or come pre-installed with software that turns the user's TV into a "residential proxy" — allowing anyone to route their Internet traffic through that device for as long as it remains plugged into a wall socket and connected to a local network. More concerning, some of these proxy networks do little to stop malicious customers from communicating with and even compromising systems on the local network of the unsuspecting device owner.

The first clues about Popa's origins came in a 2025 report from the Chinese security company XLAB, which flagged at least nine domain names used to register and direct the activities of compromised devices. In a report released today, the security firm Qurium described how it stumbled on some of those same domains while investigating a series of disruptive and expensive data scraping events targeting the company's hosted organizations in May 2026, in which the scraping activity was scattered evenly across more than 1.4 million Internet addresses. Qurium said it found several dozen domains used to control Popa that were all hosted in lockstep across multiple Internet addresses over time, including gmslb[.]net, safernetwork[.]io, tera-home[.]com, and ninjatech[.]io.
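Domains "hosted in lockstep across multiple Internet addresses over time" can be surfaced from passive-DNS data by comparing hosting histories. The following Python is an added example, not code from Qurium, XLAB or Synthient; the `.example` domains, documentation-range IP addresses, dates, and the `threshold` and `min_moves` parameters are all constructed assumptions.

```python
from collections import defaultdict
from itertools import combinations

# Constructed passive-DNS observations: (domain, resolved IP, date seen).
MOVES = [("2026-03-01", "192.0.2.10"), ("2026-03-15", "198.51.100.7"),
         ("2026-04-02", "203.0.113.44")]
PDNS = [(d, ip, day)
        for d in ("ctl-a.example", "ctl-b.example", "ctl-c.example")
        for day, ip in MOVES]
PDNS += [
    ("ctl-c.example", "203.0.113.90", "2026-04-20"),   # one extra hop
    # Bystander on shared hosting: same first IP, but it never moves.
    ("tenant.example", "192.0.2.10", "2026-03-01"),
    ("tenant.example", "192.0.2.10", "2026-03-15"),
    ("tenant.example", "192.0.2.10", "2026-04-02"),
    # Unrelated domain that moves on its own schedule.
    ("shop.example", "198.51.100.200", "2026-03-01"),
    ("shop.example", "198.51.100.201", "2026-04-02"),
]

def hosting_history(records):
    """Map each domain to the set of (date, ip) pairs observed for it."""
    hist = defaultdict(set)
    for domain, ip, day in records:
        hist[domain].add((day, ip))
    return hist

def lockstep_clusters(records, threshold=0.7, min_moves=2):
    """Group domains whose (date, ip) histories have Jaccard >= threshold.

    min_moves drops domains seen on fewer distinct IPs, so tenants that
    merely share one static host with a controller are not clustered.
    """
    hist = {d: h for d, h in hosting_history(records).items()
            if len({ip for _, ip in h}) >= min_moves}
    parent = {d: d for d in hist}          # union-find over domains

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    for a, b in combinations(sorted(hist), 2):
        if len(hist[a] & hist[b]) / len(hist[a] | hist[b]) >= threshold:
            parent[find(a)] = find(b)
    groups = defaultdict(list)
    for d in sorted(hist):
        groups[find(d)].append(d)
    return sorted(g for g in groups.values() if len(g) > 1)
```

Matching on (date, IP) pairs rather than on IPs alone is what separates infrastructure that is moved together from domains that happen to share a hosting provider.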

Digging deeper, Qurium discovered gmslb[.]net was referenced in dozens of pirated or modded video content streaming apps, such as CRICFy, DooFlix, Sprozfy, RTS Tv, Flixoid, CyberFlix, Rapid Streamz, TvMob and HD/OceanStreams. Qurium's report notes that most of the domains long used to control the Popa botnet were seized or dismantled in July 2025, after Google, HUMAN Security and Trend Micro teamed up to disrupt Badbox 2.0, a botnet closely associated with Vo1d. Qurium said that immediately after that disruption, several dozen new domains were registered to serve as controllers for the Popa botnet, but that one of those control domains was not new: ninjatech[.]io.

Ninjatech is a company founded by Moishi Kramer, whose LinkedIn profile says he is vice president of research and development at NetNut. That resume credits Kramer for helping NetNut build from the "ground up," "designing the architecture," and "scaling the NetNut" before the company was acquired by Alarum Technologies. Responding via email, Mr. Kramer said Ninjatech ceased operations approximately five years ago, when the company sold a software development kit (SDK) called Popa that was designed to use a small portion of a device's bandwidth and to run only after the host application obtained user consent. "That code was sold and licensed to third parties including resellers years ago," Kramer said. "Once software is distributed that way, the original developer has no control over how others later modify, rebrand, or deploy it."

But in a separate Popa research report released today, the proxy-tracking company Synthient said a recent analysis of the Popa SDK revealed outbound traffic clearly associated with NetNut. "The research team assesses with high confidence that devices running Popa forward traffic from Netnut clients," Synthient wrote. "This proves without a shadow of a doubt that Popa actively continues to be used by NetNut as part of their proxy pool." Alarum Technologies, NetNut's Tel Aviv-based parent company, said the reports by Synthient and Qurium contained "demonstrably inaccurate assertions and flawed deductions rather than verified facts." Alarum shared a statement saying they reject the basic characterization of the SDKs and technologies discussed in the reports as a "botnet."

The Popa botnet highlights the growing problem of malicious residential proxy networks, which abuse consumer devices to anonymize criminal traffic. The connection to a publicly-traded company raises questions about corporate accountability and the oversight of SDKs that can be repurposed for malicious use. As law enforcement and security firms continue to dismantle such networks, the cat-and-mouse game between botnet operators and defenders shows no signs of slowing.

Synthesized by Vypr AI