All About Cookies is an independent, advertising-supported website. Some of the offers that appear on this site are from third-party advertisers from which All About Cookies receives compensation. This compensation may impact how and where products appear on this site (including, for example, the order in which they appear).
All About Cookies does not include all financial or credit offers that might be available to consumers nor do we include all companies or all available products. Information is accurate as of the publishing date and has not been provided or endorsed by the advertiser.
The All About Cookies editorial team strives to provide accurate, in-depth information and reviews to help you, our reader, make online privacy decisions with confidence. Here's what you can expect from us:
- All About Cookies makes money when you click the links on our site to some of the products and offers that we mention. These partnerships do not influence our opinions or recommendations. Read more about how we make money.
- Partners are not able to review or request changes to our content except for compliance reasons.
- We aim to make sure everything on our site is up-to-date and accurate as of the publishing date, but we cannot guarantee we haven't missed something. It's your responsibility to double-check all information before making any decision. If you spot something that looks wrong, please let us know.
Google, in coordination with the FBI, Lumen, and other security researchers, has taken down NetNut, one of the largest and most popular residential proxy networks. The operation is expected to have affected at least 2 million devices[1], primarily smart home devices such as streaming boxes and smart TVs.
The worrying part is that your device could have been infected by NetNut without you even knowing it. As a result, legitimate traffic from your own home network may be flagged as suspicious or even blocked by online services or your internet service provider.
Here's how NetNut worked, how authorities took it down, and what you can do to keep your home devices safe.
How to check if your device has been compromised
What you can do if your device is infected
Bottom line
How NetNut infected your devices
According to KrebsOnSecurity, one of the research outlets behind the NetNut takedown, residential proxy networks like NetNut operate by controlling residential IP addresses, registering them as exit nodes, and then selling access to them to paying customers.
Those customers are often malicious threat actors who abuse the compromised residential IPs for advertising fraud, account takeovers, or mass content scraping.
Your home device may either come pre-infected with malware, or you may unknowingly sideload or download applications that contain hidden proxy code. Once infected, your device can become one of these exit nodes, allowing cybercriminals to route malicious traffic through your home internet connection.
Worse still, once an infected device becomes a residential proxy node, attackers may also be able to use it as a foothold into your home network. That means a compromised streaming box or smart TV could potentially expose your laptop, phone, security cameras, or other devices connected to the same Wi-Fi network. If attackers manage to compromise those devices, they could gain access to sensitive information such as personal files, photos, saved passwords, or financial data.
Researchers found NetNut relied on three key malware components:
- Vo1d: NetNut's device pool was built on an existing malware infrastructure known as Vo1d, a malware campaign that targets unofficial and cheap Android TV boxes — the ones that advertise that you can watch every streaming service with just one box or stick.
- BadBox 2.0: This is another botnet that packaged proxy code onto infected devices. Google also named BadBox 2.0 as a source feeding NetNut's network.
- Popa: It’s a plug-in component that rides on the same Vo1d infrastructure. It’s used to register an infected device, keep long-lived encrypted connections open, and establish communication tunnels on demand. Its sole job was to keep devices available as always-on relay points.
In July 2025, Google, HUMAN Security, and Trend Micro took down BadBox 2.0, but that did not stop Popa. Instead, new domains were almost immediately registered to keep the botnet running.
Researchers traced one of Popa's control domains back to Ninjatech, a company founded by a former NetNut executive who had built an early version of the Popa SDK years earlier. They also observed that traffic from Popa-infected devices matched NetNut's paying customers, leading them to believe that Popa was actively feeding NetNut's proxy pool.
Alarum Technologies, the publicly traded Israeli company that owns NetNut, has denied the botnet label and said its SDK operates with user consent. However, researchers at Synthient found that, in an analysis of more than 20 Popa-distributing apps, none asked users for consent before installing the proxy component.
What Google did to stop NetNut
As part of the NetNut and Popa takedown, Google implemented the following measures:
- Disabled Google accounts and associated services used by NetNut for malware command and control (C2).
- Shared intelligence relating to NetNut software development kits (SDKs) with law enforcement agencies, researchers, and platform providers.
- Ensured that Google Play Protect automatically warned users and disabled applications known to incorporate NetNut SDKs.
"We believe our coordinated actions have caused significant degradation to NetNut's proxy network and its business operations, reducing the available pool of devices for the proxy operator by millions," Google said.
The netnut.com website now displays a warning stating that the website was seized by the FBI in coordination with the Department of Justice and the Internal Revenue Service Criminal Investigation.
Google has warned users to stay wary of apps that offer payment in exchange for sharing their internet connection or unused bandwidth. While this might sound like easy passive income, agreeing to it means letting a stranger route unknown traffic through your home IP address.
The good news is that many of the affected devices rely on unofficial Android operating systems that aren't protected by Google's Play Protect certification. If you're unsure about your device, Google recommends checking whether it runs the official Android TV OS and is Play Protect certified.
How to check if your device has been compromised
Since the entire Popa network affected more than two million devices, the chances that your device is one of them are fairly realistic.
Here are a few practical ways to check whether your device is being used as a potential exit node.
- Know which devices are at the highest risk: If you're using an unofficial Android TV box or streaming stick, or a device purchased from a second-hand marketplace, there's a higher chance it may be infected by the Popa botnet.
- Check your router's traffic logs: Since an infected device constantly sends and receives data, you may notice unusual traffic while checking your router's logs. Look for high outbound data usage that doesn't correlate with your normal streaming habits.
- Look for unknown apps: Scan your device or smart TV for unfamiliar or unauthorized apps, such as free VPNs, screensavers, or PDF viewers.
- Watch for physical signs: Device overheating, unexpected battery drain, or screen freezes can indicate suspicious background processes.
- Check with your ISP: If you've received a warning about unusual outbound activity or throttling from your internet service provider, it's worth checking with them rather than dismissing the issue.
What you can do if your device is infected
If you believe your device could be infected, or want to prevent it from happening, there are several things you can do to protect your home network:
- Installing a third-party antivirus program to detect and remove malware on Windows PCs, Macs, and Android devices connected to your home network.
- Change your Wi-Fi password after securing your device, since some of these networks allow lateral movement that could compromise other devices on your home network.
- Use a VPN on your smart TV to help protect all data coming to and from the device (with the added bonus of being able to change your location to access geo-restricted content).
- Factory-resetting it may help. However, this doesn't guarantee that all infected apps, botnets, or malware have been removed.
- Another option is replacing the device entirely with one from a reputable brand, rather than the cheap knockoffs often sold under unknown brand names.
Bottom line
Although the operation marks a major victory against malicious residential proxy networks, Google has underlined that it is not a permanent solution. The company has called on ISPs, technology platforms, and mobile platforms to continue working together against such threats.
Similarly, users should exercise caution before purchasing connected devices and ensure they come from reputable manufacturers. Sticking to official app stores, avoiding apps that offer payment for sharing your internet connection, and choosing Play Protect-certified Android TV devices can also help reduce the risk of compromise.