Google’s Continued Disruption of Malicious Residential Proxy Networks
Google, in coordination with the FBI and Lumen, disrupted the NetNut residential proxy network (aka Popa), which is estimated to comprise at least 2 million consumer devices enrolled as proxy exit nodes via malicious SDKs embedded in apps and firmware. The network was used by 316 distinct threat clusters in a single week for masking origin IPs, password spraying, and other malicious activity. Google disabled associated C2 accounts, shared intelligence with partners, and enabled Google Play Protect to warn users about apps containing NetNut SDKs.
Detection / Hunteropenrouter
What Happened
Google worked with law enforcement and other companies to shut down a large malicious network called NetNut, which secretly hijacked at least two million home devices like smart TVs and streaming boxes to route internet traffic through them. Criminals and spies used this network to hide their real location while launching attacks, including attempts to guess passwords. The hijacked devices were enrolled without their owners' knowledge through hidden code in apps and device software. Google disabled the accounts the network operators used for control, and turned on automatic warnings on Android devices to block apps containing this hidden code. Consumers should avoid apps that pay for unused bandwidth, buy devices only from reputable manufacturers, and ensure built-in security protections are active.
Key Takeaways
- Google coordinated with FBI, Lumen, and others to disrupt the NetNut (aka Popa) residential proxy network, disabling Google accounts used for C2 and enabling Google Play Protect warnings for apps embedding NetNut SDKs.
- NetNut is estimated to comprise at least 2 million devices worldwide, populated via SDKs distributed through smart TVs, streaming boxes, and other consumer devices.
- In a single week in June 2026, GTIG observed 316 distinct threat clusters using suspected NetNut exit nodes, including cybercriminal and espionage groups conducting password sprays and masking origin IPs.
- Many popular residential proxy brands are whitelabeling the NetNut botnet, meaning the disruption may have ripple effects across the broader proxy ecosystem.
- NetNut botnet plugin components were identified in large-scale botnets such as Badbox 2.0, and NetNut has been used to distribute Mirai DDoS botnet variants.
Affected Systems
- Android devices (smart TVs, streaming boxes, set-top boxes)
- Consumer IoT devices running embedded proxy SDKs
- Home network devices enrolled as proxy exit nodes
Vulnerabilities (CVEs)
None identified.
Attack Chain
- Distribution: Malicious SDKs embedded in apps and firmware for consumer devices (smart TVs, streaming boxes) are distributed via app stores and pre-installed malware.
- Enrollment: Devices running the SDK are enrolled as exit nodes in the NetNut residential proxy network without owner knowledge.
- C2: NetNut operators control enrolled devices via C2 infrastructure, including Google services accounts that have since been disabled.
- Proxy Operations: Threat actors purchase access to the proxy network to route traffic through residential IPs, masking their origin.
- Malicious Activity: 316+ threat clusters use NetNut exit nodes for password spraying, accessing victim environments, and distributing additional malware such as Mirai variants.
Detection Availability
- YARA Rules: No
- Sigma Rules: No
- Snort/Suricata Rules: No
- KQL Queries: No
- Splunk SPL Queries: No
- EQL Queries: No
- Other Detection Logic: No
No detection rules are provided in the article. Google shared technical intelligence on NetNut SDKs and backend C2 infrastructure with platform providers, law enforcement, and research firms, but specific detection logic is not included in this blog post.
Detection Engineering Assessment
| Dimension | Rating | Rationale |
|---|---|---|
| EDR Visibility | Low | Most affected devices are consumer IoT products (smart TVs, streaming boxes) that typically lack EDR coverage. Android devices may have Google Play Protect visibility, but enterprise EDR agents are unlikely to be deployed on these device classes. |
| Network Visibility | Medium | Residential proxy traffic transits home networks and ISP infrastructure. Enterprise network monitoring could detect traffic to known proxy C2 endpoints, but the article does not publish specific C2 indicators. ISP-level visibility is more relevant than enterprise network monitoring for this threat. |
| Detection Difficulty | Hard | The article does not publish specific IOCs, hashes, or C2 indicators. Detection relies on behavioral analysis of proxy traffic patterns and SDK identification, which requires access to mobile app analysis tooling and network flow data across consumer ISP environments. The fluid reseller ecosystem further complicates attribution. |
Required Log Sources
- Network flow logs for outbound proxy traffic patterns
- DNS logs for C2 domain resolution
- Android Google Play Protect telemetry
- ISP-level traffic analysis for residential proxy exit node identification
Hunting Hypotheses
| Hypothesis | Telemetry | ATT&CK Stage | FP Risk |
|---|---|---|---|
| Consider hunting for outbound network connections from devices on your network that exhibit proxy relay behavior — sustained inbound connections from external IPs followed by outbound traffic to diverse destinations, consistent with residential proxy exit node activity. | Network flow logs, firewall logs, proxy logs | C2 / Proxy Operations | Medium — legitimate VPN or proxy applications on user devices could produce similar traffic patterns. |
| Consider hunting for authentication failures correlated with source IPs associated with residential proxy networks, as threat clusters used NetNut exit nodes for password spraying. | Authentication logs, SIEM correlation with threat intelligence feeds for residential proxy IP ranges | Credential Access | Medium — legitimate users behind residential ISPs may trigger alerts if IP range attribution is imprecise. |
| If you have mobile device management or app inventory visibility, consider hunting for applications requesting unusual network permissions or incorporating SDKs associated with residential proxy networks. | Mobile device management logs, app inventory data, Google Play Protect alerts | Initial Access / Enrollment | Low — apps with proxy SDKs are typically not legitimate enterprise applications. |
Control Gaps
- Consumer IoT devices (smart TVs, streaming boxes) typically lack endpoint security agents, creating blind spots for proxy SDK enrollment.
- Residential proxy traffic blends with legitimate consumer ISP traffic, making network-level detection difficult without specific threat intelligence.
- The whitelabel reseller model means blocking known proxy brands may not fully mitigate traffic routed through rebranded NetNut infrastructure.
Key Behavioral Indicators
- Consumer devices exhibiting unexpected inbound connection patterns consistent with proxy exit node behavior
- Apps requesting network relay permissions or offering payment for unused bandwidth
- Sustained multi-destination outbound traffic from a single residential device, inconsistent with normal user browsing patterns
- Authentication failures from residential IP ranges correlated with known proxy network infrastructure
False Positive Assessment
Medium — Legitimate VPN applications and authorized proxy services could produce traffic patterns similar to residential proxy exit nodes. Attribution of residential IP ranges to specific proxy networks requires precise threat intelligence, and the whitelabel reseller model introduces ambiguity in proxy brand identification.
Recommendations
Immediate Mitigation
- Verify against your organization's incident response runbook and team escalation paths before acting. Consider reviewing authentication logs for password spraying activity originating from residential IP ranges, particularly those associated with known proxy networks.
- Consider blocking or rate-limiting authentication attempts from residential proxy IP ranges if your identity provider or WAF supports IP reputation-based policies.
- If applicable, evaluate whether your mobile device management solution can detect and block apps known to incorporate NetNut or other residential proxy SDKs.
Infrastructure Hardening
- Consider implementing geographic and IP-type awareness in authentication policies, flagging or requiring additional verification for logins from residential proxy IP ranges.
- Evaluate whether your SIEM can ingest residential proxy IP reputation feeds to enrich authentication and network traffic analysis.
- Consider coordinating with your ISP or cloud provider to block traffic to known residential proxy C2 infrastructure if such intelligence is available.
User Protection
- Consider deploying endpoint security on all supported devices, including Android devices where Google Play Protect is available.
- Evaluate whether security awareness communications can warn users about apps offering payment for unused bandwidth or sharing internet connections.
- If your organization issues IoT or smart devices, consider sourcing only from reputable manufacturers and verifying security certifications.
Security Awareness
- Consider incorporating guidance on residential proxy risks into existing security awareness programs, emphasizing that apps offering payment for bandwidth can expose home networks to abuse.
- Consider advising users to verify device certifications (e.g., Android TV Play Protect certification) when purchasing connected devices.
- Consider reminding users to review app permissions for VPN, proxy, or network relay functionality on personal and managed devices.