Google, FBI dismantle NetNut residential proxy network
Google and the FBI dismantled NetNut, a residential proxy network of more than 2 million Android devices infected via trojanized apps and Badbox 2.0 malware.
Google and the FBI, working with industry partners and law enforcement, dismantled NetNut, a residential proxy network of more than 2 million Android devices infected through trojanized apps and malware such as Badbox 2.0. The network, also known as Popa, was used to route malicious traffic for cybercriminals and espionage actors.
The coordinated operation disabled NetNut’s command-and-control infrastructure and disrupted backend systems that allowed smart TVs, streaming boxes and other Android devices to act as residential proxies. Google removed or disabled accounts and services used for control, disabled the infected applications through Google Play Protect, and automatically warned potential victims. The company shared technical intelligence with partners and law enforcement to support the takedown.
NetNut’s operator rented access to the proxy pool to a range of threat actors and ran a reseller program that let other brands white-label the service. In one week in June, Google observed 316 distinct threat clusters using NetNut to obscure attacker locations during password-spray campaigns and to access victim environments.
Investigators traced operational links to the publicly traded Israeli firm Alarum Technologies Ltd. The network relied on trojanized applications and known malware families, including Badbox 2.0, to infect devices and establish persistent proxy connections. Once enrolled, a device could carry traffic to hide the true origin of malicious operations.
“We believe our coordinated actions have caused significant degradation to NetNut’s proxy network and its business operations, reducing the available pool of devices for the proxy operator by millions,” Google wrote. The company added that disrupting a single operator can lead competitors to buy capacity from each other, which requires action against multiple interconnected providers.
The disruption follows the January takedown of a separate large proxy operation, IPIDEA. Industry and law enforcement expect a ripple effect as operators change tactics or buy access from rival services.
Google and security teams urged device owners to check for and remove suspicious applications, keep devices updated, enable platform protections and use trusted app sources. The takedown involved networks that monetize compromised consumer devices by selling routing that hides the origin of traffic used in criminal and espionage activity.




