Google and FBI Disrupt NetNut Proxy Botnet, Cutting Off 2 Million Infected Android Devices

Jul 6, 2026

Overview

A coordinated operation led by Google Threat Intelligence Group (GTIG), alongside the FBI, Lumen Technologies, and The Shadowserver Foundation, has significantly disrupted the NetNut residential proxy network—one of the world's largest malicious proxy infrastructures.

The operation severed access to an estimated 2 million compromised Android devices, including smart TVs and streaming boxes that had unknowingly become part of the Popa botnet. These infected devices were being rented out as residential proxy exit nodes, allowing cybercriminals and nation-state actors to disguise malicious activity behind legitimate home internet connections.

Incident Summary

Category

Details

Threat

NetNut Residential Proxy Network (Popa Botnet)

Estimated Infected Devices

At least 2 million Android devices

Targeted Devices

Smart TVs, Android streaming boxes, consumer Android devices

Primary Abuse

Residential proxy services used to hide attacker identities

Organizations Involved

Google Threat Intelligence Group, FBI, Lumen Technologies, Shadowserver Foundation

Malware Distribution

Trojanized applications and malware families such as Badbox 2.0

Impact

Millions of compromised proxy nodes disrupted and malicious infrastructure degraded

What Happened?

Researchers from Google's Threat Intelligence Group revealed that NetNut operated a massive residential proxy service powered by millions of compromised Android devices.

Instead of using traditional VPN servers, attackers routed their traffic through infected consumer devices, making malicious activity appear as though it originated from ordinary home users. This allowed cybercriminals to evade IP reputation systems, bypass security controls, conduct password spraying, and hide command-and-control traffic.

Google estimates that the botnet controlled more than two million compromised devices globally, making it one of the largest residential proxy networks ever publicly documented.

How Devices Became Infected

Unlike many traditional botnets, NetNut primarily relied on:

  • Trojanized Android applications

  • Pre-installed malicious firmware on low-cost Android devices

  • Malware campaigns such as Badbox 2.0

  • Malicious SDKs embedded inside legitimate-looking applications

Once infected, the devices silently acted as proxy exit nodes, forwarding internet traffic on behalf of paying customers without the owner's knowledge.

Victims typically experienced no visible signs of compromise while their internet connections were being abused for cybercriminal operations.

Why Residential Proxies Are Dangerous

Residential proxy networks are attractive to attackers because they:

  • Hide the real origin of attacks

  • Bypass IP-based security filters

  • Evade geolocation restrictions

  • Blend malicious traffic with legitimate home internet traffic

  • Reduce detection during credential attacks

According to Google, during just one week in June 2026, investigators observed 316 distinct threat clusters using suspected NetNut exit nodes, including financially motivated cybercriminals and state-sponsored espionage groups.

The Coordinated Takedown

The disruption involved multiple simultaneous actions:

  • Google disabled accounts used for NetNut malware command-and-control.

  • Google Play Protect began warning users about infected applications.

  • Technical intelligence was shared with law enforcement and industry partners.

  • The FBI seized domains supporting the malicious infrastructure.

  • Industry partners helped dismantle backend proxy services.

Google stated that these combined actions significantly reduced the available pool of compromised devices used by the proxy operator, impacting its business operations on a large scale.

Possible Links to Commercial Proxy Services

Investigators noted that NetNut maintained an extensive reseller ecosystem that allowed other proxy providers to white-label its infrastructure.

Public reporting has also linked the operation to the Popa botnet, although investigations into the broader ecosystem remain ongoing. Google's findings indicate that multiple proxy brands may have unknowingly—or knowingly—relied on NetNut's compromised infrastructure.

Security Recommendations

Organizations should take proactive steps to reduce exposure to similar threats:

  • Only install applications from trusted app stores.

  • Avoid low-cost Android devices running unofficial firmware.

  • Keep Android TVs and streaming devices updated.

  • Enable Google Play Protect on supported devices.

  • Monitor outbound network traffic for unusual proxy behavior.

  • Detect unauthorized connections originating from IoT devices.

  • Segment smart devices from critical business networks.

  • Monitor for residential proxy indicators during threat hunting.

Why This Matters

The NetNut disruption highlights a growing cybersecurity trend: attackers increasingly exploit everyday consumer electronics instead of traditional servers.

Smart TVs, streaming boxes, and IoT devices often receive limited security updates, making them attractive long-term assets for botnet operators. Once compromised, these devices become valuable infrastructure for hiding cyberattacks, credential theft campaigns, web scraping, and espionage operations.

The successful disruption of more than two million infected devices demonstrates the growing importance of collaboration between technology companies, law enforcement, and threat intelligence organizations in dismantling global cybercrime infrastructure.

Key Takeaways

  • Google and the FBI disrupted one of the world's largest residential proxy botnets.

  • Over 2 million Android devices had been compromised.

  • Smart TVs and Android streaming devices were major infection targets.

  • The infrastructure enabled cybercriminals to anonymously route malicious traffic.

  • Multiple industry partners coordinated domain seizures, infrastructure takedowns, and malware mitigation efforts.

  • The operation significantly weakened NetNut's ability to provide residential proxy services to threat actors.

Latest News

Google and FBI Disrupt NetNut Proxy Botnet, Cutting Off 2 Million Infected Android Devices

Google and FBI Disrupt NetNut Proxy Botnet, Cutting Off 2 Million Infected Android Devices

Google and FBI Disrupt NetNut Proxy Botnet, Cutting Off 2 Million Infected Android Devices

Google and FBI Disrupt NetNut Proxy Botnet, Cutting Off 2 Million Infected Android Devices

Google and FBI Disrupt NetNut Proxy Botnet, Cutting Off 2 Million Infected Android Devices

Jul 6, 2026

Cisco SD-WAN Zero-Day Under Active Attack: How Hackers Achieved Root Access

Cisco SD-WAN Zero-Day Under Active Attack: How Hackers Achieved Root Access

Cisco SD-WAN Zero-Day Under Active Attack: How Hackers Achieved Root Access

Cisco SD-WAN Zero-Day Under Active Attack: How Hackers Achieved Root Access

Cisco SD-WAN Zero-Day Under Active Attack: How Hackers Achieved Root Access

Jun 26, 2026

Klue OAuth Breach Expands as Icarus Hackers Claim Salesforce Data Theft

Klue OAuth Breach Expands as Icarus Hackers Claim Salesforce Data Theft

Klue OAuth Breach Expands as Icarus Hackers Claim Salesforce Data Theft

Klue OAuth Breach Expands as Icarus Hackers Claim Salesforce Data Theft

Klue OAuth Breach Expands as Icarus Hackers Claim Salesforce Data Theft

Jun 23, 2026

Rokarolla Android Banking Trojan Targets 217 Banking and Crypto Apps

Rokarolla Android Banking Trojan Targets 217 Banking and Crypto Apps

Rokarolla Android Banking Trojan Targets 217 Banking and Crypto Apps

Rokarolla Android Banking Trojan Targets 217 Banking and Crypto Apps

Rokarolla Android Banking Trojan Targets 217 Banking and Crypto Apps

Jun 17, 2026

Microsoft June 2026 Patch Tuesday Fixes 200 Vulnerabilities and 3 Zero-Days

Microsoft June 2026 Patch Tuesday Fixes 200 Vulnerabilities and 3 Zero-Days

Microsoft June 2026 Patch Tuesday Fixes 200 Vulnerabilities and 3 Zero-Days

Microsoft June 2026 Patch Tuesday Fixes 200 Vulnerabilities and 3 Zero-Days

Microsoft June 2026 Patch Tuesday Fixes 200 Vulnerabilities and 3 Zero-Days

Jun 10, 2026

ChatGPT Share Links Abused to Deliver Malware Through Fake OpenAI Outage Pages

ChatGPT Share Links Abused to Deliver Malware Through Fake OpenAI Outage Pages

ChatGPT Share Links Abused to Deliver Malware Through Fake OpenAI Outage Pages

ChatGPT Share Links Abused to Deliver Malware Through Fake OpenAI Outage Pages

Jun 3, 2026

Get updates in your inbox directly

You are now subscribed.

Get updates in your inbox directly

You are now subscribed.

Get updates in your

inbox directly

You are now subscribed.

Get updates in your inbox directly

You are now subscribed.

Enable your employees as first line of defense and expand your digital footprints without any fear.

Enable your employees as first line of defense and expand your digital footprints without any fear.

Enable your employees as first line of defense and expand your digital footprints without any fear.

Enable your employees as first line of defense and expand your digital footprints without any fear.