Google Leads Takedown of NetNut, a 2 Million Device Residential Proxy Botnet
A collaborative international operation spearheaded by **Google** has disrupted **NetNut**, a sprawling residential proxy network, also known as **Popa**, that controlled an estimated two million compromised Android devices globally, including smart TVs and streaming boxes. The network routed illicit traffic through these devices, giving cybercriminals and espionage groups a way to mask their activities behind legitimate residential IP addresses.
### The Mechanics of a Residential Proxy Botnet
Residential proxy networks operate by infecting consumer devices with malware, often pre-installed or delivered via malicious applications. These compromised devices then serve as exit nodes, allowing threat actors to obscure their origins by routing malicious traffic through legitimate residential IP addresses. This not only conceals their activities but can also lead to the unsuspecting device owners being flagged by ISPs or online services.
**Google Threat Intelligence Group (GTIG)** confirmed that **NetNut** utilized trojanized applications and botnets like **Badbox 2.0** to package proxy plugins, enabling their extensive reach.

### A Coordinated Global Effort
The successful disruption of **NetNut** was the result of a coordinated initiative involving **Google**, the **FBI**, **Lumen Technologies**, **The Shadowserver Foundation**, and other industry partners. The **FBI** played a crucial role, seizing the primary domain *netnut.com*, among others used by the service.
**Mark Karayan**, Communications Manager at **Mandiant**, highlighted the interconnected nature of the proxy industry, noting that **NetNut** was one of the largest and most popular networks globally, with a robust reseller program.

### Impact on Threat Actors and Google's Role
**GTIG** reported observing 316 distinct threat clusters using suspected **NetNut** exit nodes in a single week last month, encompassing both cybercriminal and espionage groups. These actors leveraged the network for activities ranging from accessing their own infrastructure to conducting password-spraying attacks and reaching victim environments.
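The detection problem the mechanics section and the password-spraying observation above create: once attempts are laundered through thousands of residential exit nodes, per-source-IP lockout thresholds never trip, so the spray has to be recognised in aggregate. The following is an added example, not code from Google, GTIG or the article; the log lines are constructed, the thresholds are illustrative, and the log is assumed to be already filtered to one short time window.

```python
"""Contrast a per-IP lockout rule with an aggregate spray detector on auth logs
whose sources are many residential-proxy exit nodes (added example)."""
from collections import Counter, defaultdict

# Constructed sample log, one time window: "timestamp src_ip user result".
# Each exit node sends only one or two attempts, each user fails only once.
SAMPLE_LOG = """\
10:00:01 203.0.113.10 alice FAIL
10:00:03 203.0.113.22 bob FAIL
10:00:04 203.0.113.34 carol FAIL
10:00:06 198.51.100.7 dave FAIL
10:00:08 198.51.100.9 erin FAIL
10:00:09 203.0.113.10 frank FAIL
10:00:11 198.51.100.12 grace FAIL
10:00:12 203.0.113.22 heidi FAIL
10:00:14 192.0.2.5 alice OK
"""


def parse(log: str):
    """Return a list of (timestamp, src_ip, user, result) tuples."""
    return [tuple(line.split()) for line in log.splitlines() if line.strip()]


def per_ip_lockout_triggers(events, threshold=5):
    """Classic control: block a source IP after `threshold` failures.
    Returns the set of IPs that would be blocked (empty for a spread-out spray)."""
    fails = Counter(ip for _, ip, _, result in events if result == "FAIL")
    return {ip for ip, n in fails.items() if n >= threshold}


def spray_signature(events, min_users=5, min_ips=3, max_fails_per_user=2):
    """Aggregate view: many distinct users, each failing only a few times, from
    many distinct source IPs is the shape of a spray regardless of per-IP volume.
    Returns a dict describing the match, or None when the window looks benign."""
    fails_by_user = defaultdict(list)
    for _, ip, user, result in events:
        if result == "FAIL":
            fails_by_user[user].append(ip)
    sprayed = [u for u, ips in fails_by_user.items() if len(ips) <= max_fails_per_user]
    source_ips = {ip for u in sprayed for ip in fails_by_user[u]}
    if len(sprayed) >= min_users and len(source_ips) >= min_ips:
        return {"users": sorted(sprayed), "source_ips": sorted(source_ips)}
    return None
```

Running both detectors over the same window shows the per-IP rule blocking nothing while the aggregate rule flags eight users sprayed from six exit nodes.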
**Google**'s actions included disabling accounts and services on its infrastructure used by **NetNut** operators for command-and-control (C2), effectively cutting off critical backend infrastructure. Furthermore, **Google Play Protect**, the built-in security mechanism on Android, automatically warned users and disabled infected applications. The company also shared technical details on **NetNut**'s SDKs and C2 infrastructure with platform providers, law enforcement, and cybersecurity researchers.
This disruption is expected to have a significant ripple effect across the proxy industry, as many popular residential proxy services were fueled by **NetNut**'s capacity. This follows **Google**'s previous successful disruption of **IPIDEA** earlier this year, underscoring its ongoing commitment to combating residential proxy botnets.