Tech

Google and FBI Target Massive Botnet That Silently Uses Home Devices to Stop Cyber ​​Crime

The FBI, in partnership with Google and other tech companies, has busted NetNut, a public-facing residential networking service that secretly hosted a botnet that controlled nearly two million Android TVs and similar smart home devices. The network was used for password spraying, authentication attacks and other malicious activity.

Residential proxy botnets make malicious traffic appear as normal Internet use, allowing everyday devices to be secretly hijacked by cybercriminals to conduct illegal activities using the home Internet. Infected home devices were often preloaded with malicious software used by botnets, making private home security practices ineffective at detecting and stopping the problem.

According to an FBI statement emailed to CNET, on July 2, the federal agency conducted “a court-ordered seizure of multiple domains as part of a coordinated law enforcement action with the Department of Justice and the IRS Criminal Investigation targeting infrastructure associated with the NetNut proxy platform, its administrators and users.”

Authorities worked closely with Google, Lumen Technologies and the Shadowserver Foundation to track down NetNut and its services — also known as the Popa botnet by security researchers. Google said in a blog post that these actions “caused a significant disruption to NetNut’s proxy network and its business operations, reducing the number of devices available to the proxy operator by millions.” The NetNut website now displays an FBI takedown notice.

Google has admitted that the NetNut takedown is only the first step. Because these proxy networks often share and resell access to each other’s botnets, disrupting one provider often leads malicious actors to simply buy capacity from a competitor. To create a lasting impact, Google said it must “target the infrastructure of multiple interconnected providers” at the same time.

Notice of NetNut takedown by FBI, IRS, and several technology companies.

NetNut’s official website has been taken down by this hijacking notice.

The FBI

How did this botnet work?

In 2024, security researchers at XLab discovered the Vo1d botnet, a large collection of hacked Android TV devices, most of which were off-brand. If you remember the fake AI video of Donald Trump and Elon Musk appearing on TVs at the Department of Housing and Urban Development, it may have been caused by a malicious actor using the Vo1d botnet.

Those same researchers also discovered Popa, an official protocol network plug-in that turned consumer devices into proxy nodes for user authorization. But the version the researchers discovered was being installed on jailbroken Android TV devices without the user’s consent. According to the FBI, a proxy server is “an intermediate server between people and the websites they visit to make their communications appear to be coming from somewhere else.”

Residential proxy networks are legal in the US, and the businesses that use them typically sell access to business customers, where they are often used for security penetration testing, ad verification, collecting marketing data and opening geo-locked websites. Since residences use real IP addresses from a person’s home, the company or person using the node is seen by the World Wide Web as just an ordinary user, and their real identity is hidden.

Android TV devices that were part of the Vo1d botnet and infected by Popa allowed cybercriminals to attack, extract data from infected devices seeking sensitive information such as passwords, and even hijack the device to perform malicious activities, all while appearing to leave the house across the street or the apartment across the hall without actually being there.

This is where NetNut comes in. NetNut is a public-facing residential network operator owned by Alarum Technologies, a publicly traded company based out of Israel. According to Google, it was one of the largest residential proxy network operators in the world.

From the outside, NetNut appears to be a legitimate business and has an official website where you can purchase its services. However, late last month, several researchers confirmed that the traffic generated by the Popa botnet was coming from NetNut users. This meant that NetNut was effectively selling its botnet to anyone, for both legal and illegal use, which gave the authorities enough evidence to take the company down.

Stay safe from the next attack

The good news is that making sure you don’t end up as part of the next botnet running Android TV is actually pretty easy. According to Google and security researchers, most of the stolen devices were Android TV brands that you can get for free from Amazon, Temu, AliExpress and other online stores.

Most of those rods and broadcast boxes are cheap, but they work. The problem is that almost all of them are running old versions of Android, which are easy to hack since those devices don’t have the modern security that newer versions offer.

Some brands sell streaming boxes that promise free streaming without a subscription. This is often advertised on Instagram and TikTok by new-faced promoters who claim to offer a TV solution for unsubscribed streaming. Security researchers have found that most of those streaming boxes come preloaded with botnet software installed out of the box.

Therefore, the first step to avoid becoming part of a botnet is to only buy Android TV devices from reputable companies such as Sony, Nvidia, Google and others. Try to purchase using a modern version of Android and still get security updates. You should also avoid those “one price, no subscription” boxes on social media, as they come with pre-installed malware.

Botnets like this aren’t unique to Android TV. Smart home devices are also routinely included in botnets, so the second step to staying safe is to make sure you apply all of the above advice to your smart home products as well. You also have to keep up with the latest trends, such as promptware, a new type of malware that hacks your devices by asking the built-in AI to hack it for you.

The incident serves as an important reminder to beware of low-quality, cheap technology being sold by influencers — or risk having your ID information stolen. A general list of things is also helpful, such as making sure you have a strong password, learning to avoid phishing emails and not revealing personal information to suspicious characters online.



Related Articles

Leave a Reply

Your email address will not be published. Required fields are marked *

Back to top button