Alphabet and FBI Collaborate to Disrupt NetNut Proxy Network, Reducing Millions of Compromised Devices

Deep News, 07-03 03:13

Alphabet Inc. has recently announced a coordinated, large-scale operation against the NetNut residential proxy network in partnership with the U.S. Federal Bureau of Investigation and entities like Lumen Technologies, significantly depleting the pool of infected devices available to the network. Also known as Popa, NetNut is an extensive residential proxy network that routes internet traffic for others through a minimum of two million connected devices globally, including smart TVs and streaming boxes.

While residential proxy networks can serve legitimate purposes such as ad verification, their ability to conceal traffic origins also makes them attractive to cybercriminal groups for hiding activities like malware distribution, phishing attacks, and data theft. The threat intelligence team at Alphabet estimates the network comprises at least two million devices. Attackers pay to route their traffic through these devices, making it appear as ordinary household browsing to evade detection by security tools.

In this operation, Alphabet implemented several key measures: it disabled accounts and related services used by NetNut for malware command and control; shared technical intelligence with law enforcement regarding the group's software development kit and backend infrastructure; and deployed Google Play Protect to automatically warn users and disable applications found to have integrated the NetNut SDK. Alphabet stated that these coordinated actions have severely degraded the NetNut proxy network and its business operations, reducing the proxy operator's pool of available devices by millions.

NetNut, established in 2017, is a subsidiary of the Israeli cybersecurity firm Alarum Technologies. Prior research has indicated connections between NetNut and the Popa botnet. Investigations have revealed that numerous pirated or modified video streaming applications, such as CRICFy and DooFlix, have embedded the Popa SDK, causing users to unknowingly become proxy sources. Alarum Technologies has denied the allegations, stating its software is used for consented bandwidth-sharing features. However, researchers note that they observed no user consent prompts in the more than 20 applications they analyzed.

Alphabet has described this action as a "degradation" rather than an "elimination" of the network, as NetNut also operates through a reseller program allowing other companies to rebrand and resell its network. Previous actions against similar networks, such as IPIDEA, demonstrate that operators of this type possess a degree of resilience.
