Google Cripples NetNut Proxy Network Spanning 2 Million Devices

 

Google has delivered a major blow to NetNut, one of the world’s largest residential proxy networks, by crippling its ability to route malicious traffic through millions of compromised home devices. The operation, conducted in coordination with the FBI, Lumen, and other partners, marks a significant escalation in the fight against infrastructure that cybercriminals rely on to hide their activities. 

Google’s Threat Intelligence Group (GTIG) estimates that NetNut—also tracked under the name Popa—spanned at least 2 million devices globally, including smart TVs, streaming boxes, and other internet-connected appliances. In a single week in June, Google observed 316 distinct threat clusters using suspected NetNut exit nodes to mask their location and carry out activities such as password guessing and malware distribution. By disabling accounts and services tied to NetNut’s command-and-control infrastructure, Google says it has reduced the network’s usable device pool by millions, severely degrading its business operations. 

NetNut grew by embedding its software development kit (SDK) into seemingly legitimate apps and firmware, often on low-cost or no-name hardware. Many victims unknowingly installed applications that promised payment for “unused bandwidth” or “sharing your internet,” a common lure for these networks. Once integrated, the SDK turned devices into relays for other people’s traffic, making malicious activity appear to originate from ordinary home IP addresses and helping attackers bypass security tools and geo-restrictions. 

Google’s response combined legal, technical, and user-protection measures. The company disabled infrastructure used for NetNut-related malware operations, shared detailed technical intelligence on the group’s SDK and backend systems with law enforcement, and worked with partners to seize domains controlling compromised devices. On the user side, Google Play Protect was updated to automatically warn users and disable apps found to integrate the NetNut SDK, while Google identified hundreds of Android apps and thousands of Windows files linked to the network’s infrastructure.

While Google describes the action as a “degradation” rather than a full takedown—NetNut also operates through reseller programs and white-label brands—the disruption raises the cost and complexity for attackers using residential proxies. For everyday users, the incident underscores the risk of installing obscure apps, especially those offering payouts for bandwidth, and of using cheap, unbranded streaming devices. Sticking to official app stores, reviewing app permissions, keeping Play Protect enabled, and buying hardware from reputable manufacturers remain the best defenses against ending up as an unwitting node in the next NetNut-style network.

This article has been indexed from CySecurity News – Latest Information Security and Hacking Incidents
