Google Disrupts Massive Botnet Exploiting Smart TVs for Cybercrime
Leave a Comment / Cybersecurity, Data Protection, Enterprise Technology, Industry News / By cxojunction
As cybercriminals increasingly target internet-connected devices, smart TVs and streaming devices have emerged as a new attack vector. In a major cybersecurity operation, Google, in collaboration with the FBI and Lumen Technologies, disrupted a large-scale botnet that exploited millions of Android-based TV streaming devices to route malicious internet traffic for cybercriminals.

According to Google, the botnet, known as “Popa,” was linked to an Israeli residential proxy service called NetNut. The service allegedly leveraged millions of compromised TV streaming devices to build a proxy network that enabled cybercriminals to conceal their real IP addresses while carrying out cyberattacks.
Google‘s investigation revealed that NetNut’s network appeared to include at least 2 million devices worldwide. The company also identified 316 different threat groups that were using suspected NetNut proxy exit nodes to conduct activities such as account hijacking, password spraying, cyber espionage, and other malicious online attacks.
Google warned that when a consumer device is unknowingly turned into a proxy exit node, unauthorised internet traffic is routed through it without the owner’s knowledge. This not only exposes the affected device but can also put other devices connected to the same home network at risk. In some cases, the compromised traffic was also used for ad fraud by artificially inflating website traffic.
The company further stated that NetNut allegedly expanded its network by distributing software development kits (SDKs) through smart TVs and streaming devices. These pre-installed SDKs reportedly allowed the service to maintain hidden access to devices and route internet traffic without user consent.
To dismantle the operation, Google disabled the accounts and services used to control the botnet. It also updated Google Play Protect to automatically disable applications containing the NetNut SDK and block future installations. In parallel, the FBI seized the NetNut.com domain, although the NetNut.io website remains active.
Google has advised consumers to purchase streaming devices only from trusted manufacturers and avoid applications that offer payments in exchange for sharing unused internet bandwidth, warning that such apps commonly serve as entry points for malicious proxy networks.
In response to the development, NetNut’s parent company stated that it would fully cooperate with law enforcement authorities and support investigations into any misuse of its infrastructure.
This incident underscores the growing cybersecurity risks associated with Internet of Things (IoT) devices and highlights how everyday connected devices can be exploited to power large-scale cybercrime. For businesses and consumers alike, it serves as a reminder that securing connected devices, installing trusted applications, and purchasing hardware from reputable manufacturers are essential steps in reducing cyber risk.
CXO Junction remains dedicated to providing you with exclusive insights into transformative leadership journeys. Stay tuned for more updates as we continue to bring industry news to you.
