Google and FBI Disrupt NetNut Proxy Botnet, Cutting Off 2 Million Infected Android Devices
Jul 6, 2026
Overview
A coordinated operation led by Google Threat Intelligence Group (GTIG), alongside the FBI, Lumen Technologies, and The Shadowserver Foundation, has significantly disrupted the NetNut residential proxy network—one of the world's largest malicious proxy infrastructures.
The operation severed access to an estimated 2 million compromised Android devices, including smart TVs and streaming boxes that had unknowingly become part of the Popa botnet. These infected devices were being rented out as residential proxy exit nodes, allowing cybercriminals and nation-state actors to disguise malicious activity behind legitimate home internet connections.
Incident Summary
Category | Details |
|---|---|
Threat | NetNut Residential Proxy Network (Popa Botnet) |
Estimated Infected Devices | At least 2 million Android devices |
Targeted Devices | Smart TVs, Android streaming boxes, consumer Android devices |
Primary Abuse | Residential proxy services used to hide attacker identities |
Organizations Involved | Google Threat Intelligence Group, FBI, Lumen Technologies, Shadowserver Foundation |
Malware Distribution | Trojanized applications and malware families such as Badbox 2.0 |
Impact | Millions of compromised proxy nodes disrupted and malicious infrastructure degraded |
What Happened?
Researchers from Google's Threat Intelligence Group revealed that NetNut operated a massive residential proxy service powered by millions of compromised Android devices.
Instead of using traditional VPN servers, attackers routed their traffic through infected consumer devices, making malicious activity appear as though it originated from ordinary home users. This allowed cybercriminals to evade IP reputation systems, bypass security controls, conduct password spraying, and hide command-and-control traffic.
Google estimates that the botnet controlled more than two million compromised devices globally, making it one of the largest residential proxy networks ever publicly documented.
How Devices Became Infected
Unlike many traditional botnets, NetNut primarily relied on:
Trojanized Android applications
Pre-installed malicious firmware on low-cost Android devices
Malware campaigns such as Badbox 2.0
Malicious SDKs embedded inside legitimate-looking applications
Once infected, the devices silently acted as proxy exit nodes, forwarding internet traffic on behalf of paying customers without the owner's knowledge.
Victims typically experienced no visible signs of compromise while their internet connections were being abused for cybercriminal operations.
Why Residential Proxies Are Dangerous
Residential proxy networks are attractive to attackers because they:
Hide the real origin of attacks
Bypass IP-based security filters
Evade geolocation restrictions
Blend malicious traffic with legitimate home internet traffic
Reduce detection during credential attacks
According to Google, during just one week in June 2026, investigators observed 316 distinct threat clusters using suspected NetNut exit nodes, including financially motivated cybercriminals and state-sponsored espionage groups.
The Coordinated Takedown
The disruption involved multiple simultaneous actions:
Google disabled accounts used for NetNut malware command-and-control.
Google Play Protect began warning users about infected applications.
Technical intelligence was shared with law enforcement and industry partners.
The FBI seized domains supporting the malicious infrastructure.
Industry partners helped dismantle backend proxy services.
Google stated that these combined actions significantly reduced the available pool of compromised devices used by the proxy operator, impacting its business operations on a large scale.
Possible Links to Commercial Proxy Services
Investigators noted that NetNut maintained an extensive reseller ecosystem that allowed other proxy providers to white-label its infrastructure.
Public reporting has also linked the operation to the Popa botnet, although investigations into the broader ecosystem remain ongoing. Google's findings indicate that multiple proxy brands may have unknowingly—or knowingly—relied on NetNut's compromised infrastructure.
Security Recommendations
Organizations should take proactive steps to reduce exposure to similar threats:
Only install applications from trusted app stores.
Avoid low-cost Android devices running unofficial firmware.
Keep Android TVs and streaming devices updated.
Enable Google Play Protect on supported devices.
Monitor outbound network traffic for unusual proxy behavior.
Detect unauthorized connections originating from IoT devices.
Segment smart devices from critical business networks.
Monitor for residential proxy indicators during threat hunting.
Why This Matters
The NetNut disruption highlights a growing cybersecurity trend: attackers increasingly exploit everyday consumer electronics instead of traditional servers.
Smart TVs, streaming boxes, and IoT devices often receive limited security updates, making them attractive long-term assets for botnet operators. Once compromised, these devices become valuable infrastructure for hiding cyberattacks, credential theft campaigns, web scraping, and espionage operations.
The successful disruption of more than two million infected devices demonstrates the growing importance of collaboration between technology companies, law enforcement, and threat intelligence organizations in dismantling global cybercrime infrastructure.
Key Takeaways
Google and the FBI disrupted one of the world's largest residential proxy botnets.
Over 2 million Android devices had been compromised.
Smart TVs and Android streaming devices were major infection targets.
The infrastructure enabled cybercriminals to anonymously route malicious traffic.
Multiple industry partners coordinated domain seizures, infrastructure takedowns, and malware mitigation efforts.
The operation significantly weakened NetNut's ability to provide residential proxy services to threat actors.






