A joint operation involving Google has disrupted NetNut, a residential proxy network that gave access to millions of compromised Android devices, including smart TVs and streaming boxes.
Also known as Popa, the NetNut botnet allowed cybercriminals and espionage groups to hide behind legitimate home internet addresses when launching attacks.
According to the Google Threat Intelligence Group (GTIG), the residential proxy botnet is estimated to comprise at least two million compromised devices.
"GTIG estimates Netnut controls at least 2 million infected devices globally (including smart TVs and streaming boxes), powered by trojanized applications and botnets like Badbox 2.0 that package proxy plugins," Google told BleepingComputer.
Residential proxy networks work by compromising home systems and selling access to them, allowing threat actors to conceal malicious traffic by routing it through the victims' residential IP addresses.
Typically, home devices become part of the botnet after being infected with malware that is either pre-installed before purchase or added via malicious or trojanized applications downloaded by the user.
As a result, infected consumer devices serve as exit nodes in the botnet, routing unauthorized network traffic through their residential IP addresses, which can cause the devices to be flagged as suspicious or blocked by internet service providers or online services.
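One defensive consequence of the mechanism described above is that a proxy exit node looks different on the home network from the device it is pretending to be: a smart TV that legitimately talks to a handful of streaming CDN ranges on port 443 starts reaching dozens of unrelated networks on many ports. The following script, an added example that is not from the article or from any of the organisations it names, scores per-device destination diversity over constructed flow records (made-up device labels, addresses and thresholds) to surface such candidates for investigation.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List


@dataclass(frozen=True)
class Flow:
    """One outbound connection summary, as a home router or flow collector might export."""
    device: str      # hypothetical device label; a real export would carry a MAC or LAN IP
    dst_ip: str
    dst_port: int
    bytes_out: int


def _slash24(ip: str) -> str:
    """Collapse a destination to its /24 so one CDN pool counts as a single network."""
    return ".".join(ip.split(".")[:3]) + ".0/24"


def summarize(flows: Iterable[Flow]) -> Dict[str, dict]:
    """Per-device counts of flows, distinct destination /24s, distinct ports and bytes sent."""
    nets = defaultdict(set)
    ports = defaultdict(set)
    count = defaultdict(int)
    sent = defaultdict(int)
    for f in flows:
        nets[f.device].add(_slash24(f.dst_ip))
        ports[f.device].add(f.dst_port)
        count[f.device] += 1
        sent[f.device] += f.bytes_out
    return {
        d: {"flows": count[d], "nets": len(nets[d]), "ports": len(ports[d]), "bytes_out": sent[d]}
        for d in count
    }


def flag_exit_node_candidates(flows: Iterable[Flow], min_nets: int = 25, min_ports: int = 5) -> List[str]:
    """Devices whose destination spread (networks AND ports) exceeds what a narrow-purpose
    consumer device should produce. Thresholds are illustrative assumptions, not tuned values."""
    stats = summarize(flows)
    return sorted(d for d, s in stats.items() if s["nets"] >= min_nets and s["ports"] >= min_ports)


def _constructed_flows() -> List[Flow]:
    """Constructed sample traffic: two benign devices and one behaving like a proxy exit node."""
    flows: List[Flow] = []
    # bedroom-tv: heavy streaming, but only three CDN networks and only HTTPS.
    cdn = ["192.0.2.10", "198.51.100.20", "203.0.113.30"]
    for i in range(8):
        flows.append(Flow("bedroom-tv", cdn[i % 3], 443, 50_000))
    # phone: more varied browsing, still just web ports.
    for i in range(10):
        flows.append(Flow("phone", f"100.64.{i}.5", [443, 80][i % 2], 4_000))
    # living-room-tv: small flows to 40 unrelated networks on mail, admin and chat ports,
    # the shape of someone else's traffic being relayed through the device.
    odd_ports = [443, 80, 25, 587, 8080, 5222, 993, 3389]
    for i in range(40):
        flows.append(Flow("living-room-tv", f"100.64.{i}.{i + 1}", odd_ports[i % len(odd_ports)], 1_200))
    return flows


SAMPLE_FLOWS = _constructed_flows()


if __name__ == "__main__":
    for device, s in summarize(SAMPLE_FLOWS).items():
        print(f"{device:16} flows={s['flows']:3} nets={s['nets']:3} ports={s['ports']} bytes_out={s['bytes_out']}")
    print("candidates:", flag_exit_node_candidates(SAMPLE_FLOWS))
```

Note that byte volume alone is a poor signal here: the benign streaming TV sends far more data than the suspect one. The distinguishing feature is breadth of destinations from a device whose legitimate profile is narrow, which is why the score combines distinct networks with distinct ports rather than volume. A flagged device is a candidate to isolate on the LAN and inspect, not a confirmed infection.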
Dismantling the NetNut botnet involved a coordinated effort that included Google, the FBI, Lumen Technologies, The Shadowserver Foundation, and other industry partners.
FBI seized domain used by the NetNut residential proxy network
source: BleepingComputer