
NetNut proxy disrupted, 2 million infected devices cut off

Summary

– A joint operation by Google, the FBI, and other partners disrupted the NetNut residential proxy botnet, which compromised at least two million Android devices globally.
– NetNut allowed cybercriminals and espionage groups to hide malicious traffic by routing it through victims’ residential IP addresses.
– The FBI seized the netnut.com domain, and Google disabled accounts and services used for malware command-and-control (C2).
– Google used Play Protect to warn users and disable infected applications, and shared technical details with law enforcement and researchers.
– The disruption is expected to have a broad impact because NetNut is one of the largest proxy networks, with a reseller program that fuels many other residential proxy services.

A coordinated takedown, spearheaded by Google alongside federal law enforcement and cybersecurity partners, has dismantled NetNut, a notorious residential proxy network that weaponized over two million compromised Android devices. Known within criminal circles as “Popa,” this botnet transformed everyday home electronics, including smart TVs and streaming boxes, into covert exit nodes for cybercriminals and state-sponsored espionage groups.

According to the Google Threat Intelligence Group (GTIG), the NetNut botnet is estimated to control at least two million infected devices worldwide. These devices were hijacked through trojanized applications and other botnets like Badbox 2.0, which packaged proxy plugins into seemingly legitimate software. “GTIG estimates Netnut controls at least 2 million infected devices globally (including smart TVs and streaming boxes), powered by trojanized applications and botnets like Badbox 2.0 that package proxy plugins,” Google confirmed to BleepingComputer.

The core function of a residential proxy network is to sell access to compromised home systems. Threat actors route their malicious traffic through these victims’ residential IP addresses, making their activities appear to originate from legitimate, everyday internet connections. Devices typically become infected either through malware pre-installed before purchase or via malicious apps downloaded by the user. Once ensnared, these consumer devices act as exit nodes, routing unauthorized traffic that can eventually get them flagged or blocked by ISPs and online services.

The operation to dismantle NetNut was a multi-agency effort involving Google, the FBI, Lumen Technologies, The Shadowserver Foundation, and other industry partners. A key move was the FBI’s seizure of the domain netnut.com, which the proxy network relied upon. “I checked with the disruption team and confirmed .com domain was also used by them along with other domains taken down,” Mark Karayan, Communications Manager at Mandiant, told BleepingComputer.

NetNut is considered one of the largest residential proxy networks globally, used by hundreds of distinct threat actors. GTIG reported that in a single week last month, it “observed 316 distinct threat clusters using suspected NetNut exit nodes, including cybercriminal and espionage groups.” These actors leveraged NetNut to access their own infrastructure, conduct password-spraying attacks, and reach victim environments.
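The password-spraying use case above is the one that residential proxies are best suited to defeat per-IP defences: each attempt arrives from a different victim's home address, so no single source ever trips a lockout threshold. The following is an added example, written for this article and not code from Google, GTIG, or BleepingComputer, that shows the defender's side of that problem. It parses a constructed, synthetic authentication log (the line format, addresses, and usernames are all assumptions for the example), counts failures the classic per-IP way to show why that view stays quiet, and then aggregates failures across all sources in a time window, which is where a spray through rotating exit nodes becomes visible.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample authentication log (synthetic, for this example only).
# Ten failed logins against ten different accounts in under two minutes, each
# from a different source address, is the shape of a spray routed through
# rotating residential proxy exit nodes. The last two lines are ordinary traffic.
SAMPLE_LOG = """\
2024-05-01T10:00:05Z 198.51.100.11 user=alice result=FAIL
2024-05-01T10:00:17Z 198.51.100.42 user=bob result=FAIL
2024-05-01T10:00:29Z 203.0.113.7 user=carol result=FAIL
2024-05-01T10:00:41Z 203.0.113.88 user=dave result=FAIL
2024-05-01T10:00:53Z 192.0.2.19 user=erin result=FAIL
2024-05-01T10:01:05Z 192.0.2.133 user=frank result=FAIL
2024-05-01T10:01:17Z 198.51.100.77 user=grace result=FAIL
2024-05-01T10:01:29Z 203.0.113.150 user=heidi result=FAIL
2024-05-01T10:01:41Z 192.0.2.201 user=ivan result=FAIL
2024-05-01T10:01:53Z 198.51.100.9 user=judy result=FAIL
2024-05-01T10:02:10Z 192.0.2.50 user=alice result=OK
2024-05-01T10:30:00Z 192.0.2.50 user=alice result=FAIL
"""

# Assumed log line format: "<ISO timestamp> <source IP> user=<name> result=OK|FAIL"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


def parse_auth_log(text):
    """Parse log lines into event dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
        events.append(
            {"ts": ts, "ip": m["ip"], "user": m["user"], "ok": m["result"] == "OK"}
        )
    return events


def failures_per_ip(events):
    """The classic per-source view: failed logins counted per IP address.

    Against a proxied spray every address contributes one or two failures,
    so a per-IP lockout threshold (commonly 5 or 10) is never reached.
    """
    counts = defaultdict(int)
    for e in events:
        if not e["ok"]:
            counts[e["ip"]] += 1
    return dict(counts)


def detect_distributed_spray(events, window=timedelta(minutes=5), min_users=8, min_ips=8):
    """Aggregate failures per fixed time bucket across all sources.

    A spray through a residential proxy network shows up as many distinct
    accounts failing from many distinct IPs inside one bucket, even though no
    single IP crosses a per-IP threshold. Returns one alert dict per bucket
    that matches.
    """
    bucket_len = int(window.total_seconds())
    buckets = defaultdict(list)
    for e in events:
        if e["ok"]:
            continue
        epoch = int(e["ts"].timestamp())
        buckets[epoch - (epoch % bucket_len)].append(e)

    alerts = []
    for start, fails in sorted(buckets.items()):
        users = {e["user"] for e in fails}
        ips = {e["ip"] for e in fails}
        if len(users) >= min_users and len(ips) >= min_ips:
            alerts.append(
                {
                    "window_start": datetime.fromtimestamp(start, tz=timezone.utc).isoformat(),
                    "failures": len(fails),
                    "distinct_users": len(users),
                    "distinct_ips": len(ips),
                    "max_failures_from_one_ip": max(Counter(e["ip"] for e in fails).values()),
                }
            )
    return alerts


if __name__ == "__main__":
    evs = parse_auth_log(SAMPLE_LOG)
    print("per-IP failures:", failures_per_ip(evs))
    for alert in detect_distributed_spray(evs):
        print("distributed spray:", alert)
```

The thresholds are deliberately conservative placeholders; in production they would be tuned to the tenant's normal failure rate, and the aggregate view would typically be enriched with a residential-proxy or ASN reputation feed so that a burst of failures from unrelated consumer ISP ranges scores higher than the same count from a single corporate network.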

On its end, Google disabled accounts and services on its infrastructure that NetNut operators used for malware command-and-control (C2), effectively cutting off access to critical backend systems. The company also protected users by automatically warning them and disabling infected applications via Google Play Protect, Android’s built-in security mechanism. Additionally, Google shared technical details on NetNut’s software development kits (SDKs) and backend C2 infrastructure with platform providers, law enforcement, and cybersecurity researchers.

The impact of this disruption is expected to ripple through the proxy industry. Google noted that NetNut “has a robust reseller program that allows whitelabeling of its network,” meaning many popular residential proxy services are fueled by NetNut’s capacity. Karayan explained that disrupting one proxy service often forces operators to buy replacement capacity from competitors, effectively turning them into resellers. “The proxy industry is deeply interconnected where operators constantly buy and resell each other’s botnet capacity, and Netnut is among the largest and most popular residential proxy networks in the world.”

This action against NetNut is part of Google’s ongoing commitment to dismantle residential proxy botnets and follows the disruption of IPIDEA earlier this year.

(Source: BleepingComputer)
