Updated
Updated · Fox News · Jul 3
Popa Botnet Hijacks 1.5 Million Android TV Boxes Daily to Relay Criminal Traffic
Updated
Updated · Fox News · Jul 3

Popa Botnet Hijacks 1.5 Million Android TV Boxes Daily to Relay Criminal Traffic

3 articles · Updated · Fox News · Jul 3

Summary

  • Black Lotus Labs said Popa uses about 1.5 million to 2.5 million distinct IP addresses a day, turning cheap Android streaming boxes into residential proxies for ad fraud, account takeovers and mass scraping.
  • The malware is tied to the wider Vo1d and BADBOX-style ecosystem of uncertified Android devices, keeping encrypted tunnels open so outside traffic appears to come from an ordinary home connection.
  • That leaves households exposed because their IP addresses can be linked to abuse they did not authorize; the FBI has already warned compromised TV boxes and other gadgets are feeding BADBOX 2.0 proxy networks.
  • A separate dispute clouds attribution: Qurium and Synthient linked Popa traffic to NetNut, owned by Israel-listed Alarum Technologies, while Alarum rejected the botnet characterization and said its SDKs require notice and consent.
  • The risk extends beyond off-brand boxes, with Spur finding proxy-sharing components in more than 42% of reviewed LG webOS apps and over 25% of Samsung Tizen apps; Samsung said it is banning and removing such apps.

Insights

Your smart TV could be part of a criminal proxy network. How do you take back control?
AI now creates flawless scams. Are our digital defenses becoming obsolete?
Behind billions in online fraud are human trafficking victims. What is the real cost of a 'good deal'?