Tech
Google and the FBI Target Massive Botnet That Quietly Used Home Devices to Mask Cybercrime
The FBI, in partnership with Google and other tech companies, struck a massive blow against NetNut, a public-facing residential network proxy service that secretly hosted a botnet controlling approximately 2 million Android TVs and similar smart home devices. The network was being used for password-spraying, credential attacks and other malicious activity.
Residential proxy botnets make malicious traffic appear like normal internet use, allowing everyday devices to be secretly hijacked by cybercriminals to conduct illegal activities using your home internet. Infected home devices were often preloaded with malicious software used by the botnet, which made traditional home security practices less effective at detecting and stopping the problem.
According to an FBI statement emailed to CNET, on July 2, the federal agency carried out “a court-authorized seizure of multiple domains as part of a coordinated law enforcement action with the Department of Justice and IRS Criminal Investigation targeting infrastructure associated with the NetNut residential proxy platform, its administrators, and users.”
Authorities worked in tandem with Google, Lumen Technologies and the Shadowserver Foundation to go after NetNut and its services — also known as the Popa botnet by security researchers. Google said in a blog post that the actions “caused significant degradation to NetNut’s proxy network and its business operations, reducing the available pool of devices for the proxy operator by millions.” NetNut’s website now shows an FBI takedown notice.
Google acknowledged that taking down NetNut is only the first step. Because these proxy networks frequently share and resell access to each other’s botnets, disrupting one provider often leads malicious actors to simply purchase capacity from a competitor. To create a lasting impact, Google said it must “target the infrastructure of several interconnected providers” simultaneously.
NetNut’s official website is taken down with this seizure notice in its place.
How this botnet worked
In 2024, security researchers at XLab found the Vo1d botnet, a massive collection of hacked, mostly off-brand Android TV devices. If you recall the fake AI video of Donald Trump and Elon Musk appearing on TVs at the Department of Housing and Urban Development, that was most likely caused by a malicious actor using the Vo1d botnet.
Those same researchers also found Popa, a legitimate network protocol plug-in that turned consumer devices into residential proxy nodes with the user’s consent. But the version researchers found was being installed on the hacked Android TV devices without user consent. According to the FBI, a residential proxy node is “an intermediary server between individuals and websites they visit to make their connections appear to originate elsewhere.”
Residential proxy networks are legal in the US, and businesses that use them usually sell access to enterprise customers, where they’re often used for security penetration testing, ad verification, gathering marketing data and unlocking geo-locked websites. Since residential nodes use real IP addresses from someone’s home, the company or person using the node is seen by the World Wide Web as just an ordinary user, and their true identity is hidden.
Android TV devices that were part of the Vo1d botnet and infected with Popa allowed cybercriminals to conduct attacks, scrape data from infected devices looking for sensitive information like passwords, and even hijack the device to perform malicious tasks, all while the hacker appeared to originate from the house across the street or the apartment across the hall without actually being there.
That is where NetNut comes in. NetNut is a public-facing residential proxy network operator owned by Alarum Technologies, a publicly traded company out of Israel. Per Google, it was one of the largest residential proxy network operators in the world.
On the surface, NetNut appeared to be a legitimate business and even had an official website where you could buy its services. However, late last month, multiple researchers confirmed that traffic generated by the Popa botnet was from NetNut users. This meant that NetNut was effectively selling its botnet out in the open to anyone, for both legitimate and illegitimate uses, which gave authorities enough evidence to take the company down.
Stay safe from the next attack
The good news is that making sure you don’t wind up as part of the next Android TV-powered botnet is actually pretty easy. According to Google and security researchers, the overwhelming majority of the hacked devices were no-name Android TV streamers that you can freely find on Amazon, Temu, AliExpress and other online outlets.
Many of those streaming sticks and boxes are quite cheap, but they do work. The problem is that nearly all of them run ancient versions of Android, which are easier to hack since those devices don’t have the modern protections afforded by newer versions.
Some brands sell streaming boxes that promise free streaming with no subscriptions. These are often advertised on Instagram and TikTok by fresh-faced influencers who claim to offer a no-subscription streaming TV solution. Security researchers found that many of those streamer boxes came prehacked with botnet software installed out of the box.
So, step one to avoid becoming part of a botnet is to only buy Android TV devices from reputable companies like Sony, Nvidia, Google and others. Try to buy one that runs a modern version of Android and still gets security updates. You should also avoid those “one price, no subscriptions” boxes on social media, since they definitely come with malware preinstalled.
Botnets like this aren’t unique to Android TV. Smart home devices are also consistently included in botnets, so step two to keeping yourself safe is to make sure you apply all of the above advice to your smart home products as well. You should also keep up with the latest trends, like promptware, a new kind of malware that hacks your devices by asking the onboard AI to do it on behalf of the hacker.
The incident serves as an important reminder to be wary of low-quality, cheap tech peddled by influencers — or you risk having your personal ID information stolen. The usual array of things helps as well, like making sure to have a robust password, learning how to avoid phishing emails and not revealing any personal details to suspicious characters online.
You must be logged in to post a comment Login