Disruption of the NetNut Botnet
In a coordinated operation involving Google, the FBI, and other partners, authorities have significantly disrupted the NetNut botnet, also known as Popa. This malicious network was built upon millions of compromised consumer devices, which were then sold as a residential proxy service. The service allowed buyers to route traffic through legitimate home IP addresses, masking their true origin.
The FBI defines residential proxies as intermediary servers that make connections appear to originate from legitimate ISP-assigned IP addresses on IoT devices like streaming devices, smart picture frames, or routers. After a device is compromised, its IP address can be used by threat actors to conceal illegal activity, effectively making the consumer appear responsible for the actions.
Methods of Compromise and Impact
The primary method for recruiting devices into the NetNut network involved tricking users into installing bandwidth sharing or proxyware applications. These apps promised payouts for sharing unused internet bandwidth while burying risks in fine print or lacking meaningful consent. In some cases, devices arrived pre compromised through grey market supply chains with malicious firmware. Once enrolled, the devices were used to relay password spraying attacks, account takeover attempts, advertising fraud, and Mirai based DDoS attacks.
The takedown focused on disabling Google accounts used for command and control, sharing indicators of compromise with platforms and law enforcement, and using Google Play Protect to warn users and disable apps containing NetNut code. This action has reportedly reduced the available pool of compromised devices by millions, delivering a major blow to the proxy service’s operations.
Staying Safe After the Takedown
Typical home users are unlikely to notice if their devices were part of the NetNut botnet, though they might experience slower performance, reduced internet speeds, or faster battery drain. After this disruption, the operators will likely attempt to rebuild their network or another botnet may fill the void. Users should be wary of apps that pay for unused bandwidth, stick to official app stores, check VPN and proxy permissions on devices, and use up to date security software.
Source: Malwarebytes

