Researchers Link Popa Android Proxyware to NetNut Residential Proxy Network
Researchers from Synthient, Qurium, Nokia Deepfield, and others said the long-running Popa Android proxyware ecosystem enrolls phones, tablets, streaming devices, and unofficial Android TV boxes into a residential proxy network, and linked parts of that activity to NetNut, a proxy provider owned by Alarum Technologies. The reporting describes Popa as a plugin tied to the Vo1d malware ecosystem that can maintain persistent encrypted tunnels and relay third-party traffic for uses including advertising fraud, account takeovers, mass scraping, and possible access into local networks. Estimates cited by researchers put the network at roughly 1.5 million to 2.5 million daily IPs, indicating years of operation at significant scale.
Synthient said it identified multiple Popa-related variants, including Moneytiser, Loopop, and Neupop, and found that analyzed samples often began proxying traffic as soon as the host app launched. In controlled testing, the firm said some Popa-enrolled devices egressed traffic through NetNut’s commercial proxy gateway, while 18 Android samples communicated directly with sdk.netnut.io and some APKs referenced both sdk.netnut.io and cyberprotector.online; researchers also said none of more than 20 examined publishers invoked an optional consent prompt present in version 2.7.46. NetNut rejected the findings and said it operates a legitimate proxy network with KYC, due-diligence, and misuse-monitoring controls, while broader reporting warned that embedded residential proxy SDKs in consumer apps are increasingly being used for AI-related scraping without meaningful user consent.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
4 events from the most recent confirmed update back to the earliest known activity.
Nokia Deepfield links RoboVPN's Neunative SDK to Popa backend
On 2026-06-18, Nokia Deepfield ERT reported that RoboVPN’s Windows installer bundles the Neunative residential-proxy SDK, which activates when the VPN is idle or disconnected and relays arbitrary third-party traffic through the user’s residential IP. The researchers said the SDK shares backend infrastructure and tunnel protocol elements with the Popa/Vo1d ecosystem and identified weak destination filtering that could expose local ADB on Android-class devices via 0.0.0.0:5555.
NetNut rejects Synthient report's premises
In response to the Synthient report, NetNut said it operates a legitimate proxy network with KYC, due diligence, and misuse-monitoring controls and rejected the report’s premises. Separate reporting also noted that NetNut and parent company Alarum denied operating a botnet or controlling the cited infrastructure.
Synthient publishes Popa proxyware findings
On 2026-06-18, Synthient published research describing Popa as an Android proxyware SDK family embedded in third-party apps and identifying variants including Moneytiser, Loopop, and Neupop. The report said analyzed samples often relayed third-party traffic when host apps launched, observed no use of the optional consent prompt in examined publishers, and found samples communicating with sdk.netnut.io.
Researchers conduct controlled Popa traffic testing
Synthient said controlled testing conducted on 2026-06-17 found with high confidence that at least some Popa-enrolled Android devices egressed traffic through NetNut’s commercial proxy gateway. The testing supported the report’s linkage between the Popa proxyware ecosystem and NetNut infrastructure.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
4 references tracked. Mallory keeps watching after this page renders.
‘Popa’ Botnet Linked to Publicly-Traded Israeli Firm - Malware News - Malware Analysis, News and Indicators
malware.news
Open sourcePopa: From Sourcing to Distribution | Synthient
synthient.com
Open sourceFinding “Popa”: When Your Smart TV Stops Being Yours - Qurium Media Foundation
qurium.org
Open sourcepublic-research/reports/2026-06-18-robovpn-neunative.md at main · deepfield/public-research · GitHub
github.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Malicious Android Apps Turned Phones Into Residential Proxy Nodes
Researchers reported that malicious Android applications, including VPN-themed apps and software built with the **LumiApps** SDK, secretly enrolled users’ devices into a proxy network and routed third-party traffic through them without informed consent. HUMAN’s Satori team said the operation, tracked as **PROXYLIB**, used a Golang-based native library, `libgojni.so`, to contact command-and-control servers, register infected phones, and maintain persistent proxy connections through Android services and boot receivers. The activity was linked to earlier infections found in **Oko VPN** and 28 related Google Play apps, as well as a later variant that could be embedded during app development or injected into APKs without source-code access. Investigators said the infrastructure and monetization appeared tied to **Asocks**, a residential proxy service, indicating the compromised devices were likely being sold as proxy exit nodes for cybercriminal use. Google removed the identified apps from Google Play, and **Google Play Protect** now detects or blocks known PROXYLIB-related applications, while researchers warned the operators are likely to keep shifting to third-party app stores and modified APK distribution.
May 30, 2026
Residential Proxy Networks Fuel Abuse and Expose Home and Enterprise Users
Security researchers reported that residential proxy networks are increasingly being used to route malicious traffic through legitimate home internet connections, helping attackers evade IP reputation controls while making abuse appear to come from ordinary consumers and organizations. Infoblox said more than **65%** of its cloud customers queried domains tied to residential proxy services in 2026, with monthly DNS traffic rising from roughly **300–400 billion** queries in early 2025 to more than **500 billion** by April 2026, affecting every industry vertical examined, including healthcare, pharmaceuticals, banking, government, electronics, food and beverage, and industrial sectors. The company also observed no meaningful drop after disruption efforts against **IPIDEA**, and recorded a **265%** single-day spike in queries to `ipinfo[.]ipidea[.]io` on January 23. Separate telemetry from Gen Digital linked residential proxy traffic to **7.4 million** malicious incidents affecting **572,000** users since January 2026, with notable concentration in India, Vietnam, and Brazil. Researchers said devices are often enrolled through pay-for-bandwidth apps, free VPNs, browser extensions, bundled SDKs, preinstalled Android TV software, IoT devices, malware, and potentially unwanted applications, sometimes without clear user consent. The reports warn that these networks are being used for phishing, credential stuffing, account takeover, ad fraud, scams, scraping, and reconnaissance, while shifting legal, reputational, and performance risks onto households and enterprises whose IP addresses become exit nodes. Recommended mitigations include **Protective DNS**, DNS log reviews, auditing apps and browser extensions for embedded proxy components, inspecting connected devices, and removing unknown or suspicious software.
Jun 11, 2026
Mirax Android RAT Hijacks Phones as SOCKS5 Residential Proxies
Researchers reported active distribution of the Android malware **Mirax**, a remote access trojan that combines banking credential theft with residential proxy functionality, allowing attackers to turn infected phones into **SOCKS5** proxy nodes while harvesting sensitive data. Cleafy said campaigns aimed largely at Spanish-speaking users reached more than **220,000** accounts across Meta platforms including Facebook, Instagram, Messenger, and Threads, using fake IPTV and sports-streaming lures, phishing pages, and **GitHub Releases**-hosted dropper APKs to drive sideloaded infections. Mirax is described as a restricted **malware-as-a-service** offering linked to the underground **"Mirax Bot"** ecosystem and reportedly marketed mainly to trusted Russian-speaking affiliates. Once installed, the malware abuses Android Accessibility Services, deploys credential-theft overlays, and maintains multiple WebSocket command-and-control channels on ports `8443`, `8444`, and `8445`; its use of **SOCKS5**, **Yamux**, and residential IP routing helps attackers evade fraud controls and support follow-on activity such as account takeover, transaction fraud, password spraying, and broader anonymous abuse through victims’ devices.
Apr 24, 2026