Jun 19, 2026
Your Smart TV Is Secretly Routing Hacker Traffic
Researchers traced the Popa botnet to NASDAQ-listed Alarum Technologies — 2.5 million Android TV boxes silently route ad fraud and AI scraping traffic through home networks without consent.
The TV in your living room went to sleep last night. Your home internet connection did not. While you were offline, your streaming box was quietly routing traffic for advertising fraud operations, credential stuffing attacks, and AI companies bulk scraping the web — all without asking you, and all without you ever knowing.
This is not a theoretical attack. It is a documented, large-scale commercial operation, and researchers have traced it to a publicly traded company.
Key Takeaways
- The Popa botnet keeps 1.5–2.5 million Android TV boxes active as relay nodes every single day, with Nokia Deepfield estimating the total infected pool at 9–26 million devices.
- Alarum Technologies (NASDAQ: ALAR), an Israeli firm that operates the residential proxy service NetNut, has been linked to the botnet's control infrastructure by Krebs on Security.
- More than 42% of apps available on LG smart TV app stores contain SDKs that silently enlist televisions as proxy nodes, even when downloaded from official, curated storefronts.
- Traffic routed through compromised TVs is sold for ad fraud, account takeovers, and mass content scraping to train large language models.
- Owners have no visible indication their device is being used — the SDK runs silently inside apps that appear entirely legitimate.
What Is the Popa Botnet?
Popa is an Android proxyware SDK — a software component that can be embedded inside otherwise normal apps to turn any device running it into a relay node for third-party internet traffic. The name originated with a company called Ninjatech, which sold a Popa-branded SDK roughly five years ago with a stated policy of obtaining user consent before using any bandwidth. That code was subsequently sold, relicensed, and deployed at scale with the consent requirement stripped out entirely.
Researchers from Lumen's Black Lotus Labs and Nokia Deepfield identified the botnet as a component of the broader Vo1d malware family that has circulated on cheap Android TV hardware for several years. What makes Popa distinct is the scale of its commercial deployment: the daily active IP count of 1.5–2.5 million addresses represents real devices in real homes, each one quietly relaying traffic its owner never agreed to carry. Unlike the Badbox botnet that infected 10 million Android TV boxes, Popa has been traced directly to a publicly traded company's commercial infrastructure.
How Did Popa Get Onto Legitimate App Stores?
Popa spread through two distinct channels, which is part of what makes it so difficult to contain.
The first channel is the market for cheap, unofficial Android TV boxes — devices sold under hundreds of generic brand names on e-commerce platforms, frequently preloaded with malware before they ship. Security firm Kaspersky documented this supply chain attack in detail, showing how inexpensive boxes arrive compromised out of the box.
The second channel is more alarming because it touches devices most people consider safe: Samsung Tizen TVs and LG webOS TVs bought from reputable retailers, running apps downloaded from official storefronts. According to the Krebs investigation, more than 42% of apps on LG's app store and over 25% of apps on Samsung's Tizen platform contain proxy SDKs capable of enlisting the TV as a relay node. The SDK hides inside apps for streaming content, screensavers, and productivity tools. It does not announce itself. It does not request permission. It runs.
Who Is Behind It?
Krebs traced control domains for the Popa network — including ninjatech[.]io and safernetwork[.]io — to registrations tied to Moishi Kramer, who serves as VP of R&D at NetNut. NetNut is a residential proxy service operated by Alarum Technologies Ltd, a company listed on the NASDAQ exchange under the ticker ALAR.
Alarum has not confirmed the connection. The Krebs reporting notes that the company's position is that the original SDK code was sold and licensed to third parties years ago and that current deployments are beyond its control. That argument may satisfy a legal standard. It does not change what the network is doing to the devices it runs on.
What Is the Traffic Actually Used For?
Nokia Deepfield researcher Jérôme Meyer found that by 2025, proxy-related queries accounted for more than 500 billion DNS lookups per month globally. The clients routing traffic through networks like Popa use it for three primary purposes.
Ad fraud operations use residential IPs to simulate real human ad views. Automated clicks from residential addresses are far harder for ad verification systems to filter than data center traffic, making compromised home devices worth real money to fraudsters.
Account takeover operations use the same residential IPs to run credential stuffing attacks — testing stolen username and password combinations against banking, retail, and social media platforms. Traffic originating from a home TV box in a residential neighborhood bypasses many of the IP reputation filters these platforms rely on. The same dynamic that lets ad networks ignore privacy opt-out signals 86% of the time is what makes residential proxies so valuable: home IPs look like legitimate users.
AI training data scraping has grown fastest in the past 18 months. Many of the world's largest proxy providers have updated their marketing to explicitly highlight utility for AI platforms. Over 70 copyright lawsuits have been filed against AI companies for scraping content without authorization — which is precisely why those companies pay for residential proxy traffic that is harder to detect and block.
Why This Should Concern Anyone With a Connected Device
Popa is not an isolated incident. Google filed a lawsuit in July 2025 against the operators of a separate botnet that had compromised over 10 million Android devices — mostly cheap TV boxes, tablets, and projectors. The Kimwolf botnet arrest in May 2026 involved up to 12 million unique IPs per week and DDoS attacks reaching 30 Tbps.
The pattern is consistent: cheap or free software on connected devices, a hidden SDK, bandwidth sold to whoever is paying. The business model depends entirely on users never finding out.
What Can You Actually Do?
The honest answer is that your options are limited if the SDK is baked into the device firmware or bundled inside a legitimate app on an official store. But several steps reduce your exposure.
- Audit installed apps ruthlessly. Remove anything you did not actively choose to install, particularly screensavers, "free streaming" apps, or utilities you cannot identify.
- Avoid sideloading. Apps installed outside official stores carry a much higher risk of containing proxy SDKs, but as this story shows, official stores are not clean either.
- Use a router-level firewall or DNS filter. Tools like Pi-hole or a router with firmware such as OpenWrt can block known proxy control domains at the network level, preventing a compromised TV from phoning home even if the SDK is present.
- Prefer TVs with more restrictive app ecosystems. Roku, Apple TV, and Amazon Fire OS have tightened restrictions on background proxy SDKs in the past year. Samsung and LG have not moved as aggressively.
- Treat cheap Android TV boxes as untrusted hardware. Devices sold under generic brand names through marketplace storefronts have a documented history of arriving pre-compromised. If the device does not come from a brand with a meaningful support and security update record, assume it cannot be trusted on your home network.
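One way to act on the DNS filter step above, as an added example that is not part of the original article: a Python script that scans a dnsmasq query log (the format Pi-hole and OpenWrt's dnsmasq write when query logging is on) for lookups of the two control domains the article names, and emits matching dnsmasq block rules. The log lines, client addresses and the `cdn.` subdomain are constructed sample data.

```python
import re
from collections import defaultdict

# Control domains named in the article (defanged there, written plainly here for matching).
CONTROL_DOMAINS = ("ninjatech.io", "safernetwork.io")

# dnsmasq query-log line: "<timestamp> dnsmasq[pid]: query[TYPE] <name> from <client>"
QUERY_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s+dnsmasq\[\d+\]:\s+"
    r"query\[(?P<qtype>[A-Z0-9]+)\]\s+(?P<name>\S+)\s+from\s+(?P<client>\S+)$"
)

# Constructed sample log; the subdomain label and LAN addresses are made up.
SAMPLE_LOG = [
    "Jun 19 02:14:07 dnsmasq[812]: query[A] cdn.ninjatech.io from 192.168.1.50",
    "Jun 19 02:14:07 dnsmasq[812]: forwarded cdn.ninjatech.io to 9.9.9.9",
    "Jun 19 02:14:09 dnsmasq[812]: query[AAAA] safernetwork.io from 192.168.1.50",
    "Jun 19 02:15:30 dnsmasq[812]: query[A] notninjatech.io from 192.168.1.23",
    "Jun 19 02:15:31 dnsmasq[812]: query[A] ninjatech.io.example.net from 192.168.1.23",
]

def matches_control_domain(name, domains=CONTROL_DOMAINS):
    """True only for a listed domain or a true subdomain of it (no lookalikes)."""
    name = name.rstrip(".").lower()
    return any(name == d or name.endswith("." + d) for d in domains)

def find_relay_candidates(log_lines, domains=CONTROL_DOMAINS):
    """Map each LAN client to the control-domain lookups it made."""
    hits = defaultdict(lambda: {"count": 0, "names": set(), "first_seen": None})
    for line in log_lines:
        m = QUERY_RE.match(line.strip())
        if not m or not matches_control_domain(m["name"], domains):
            continue
        rec = hits[m["client"]]
        rec["count"] += 1
        rec["names"].add(m["name"].rstrip(".").lower())
        rec["first_seen"] = rec["first_seen"] or m["ts"]
    return dict(hits)

def dnsmasq_block_rules(domains=CONTROL_DOMAINS):
    """dnsmasq lines that return NXDOMAIN for each domain and all its subdomains."""
    return [f"address=/{d}/" for d in domains]

if __name__ == "__main__":
    for client, rec in find_relay_candidates(SAMPLE_LOG).items():
        print(client, rec["count"], sorted(rec["names"]), rec["first_seen"])
    print("\n".join(dnsmasq_block_rules()))
```

A device that uses hard-coded resolvers or encrypted DNS will not appear in this log, so an empty result does not prove the TV is clean.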
Why Your Home Network Is the Target
The residential proxy industry exists because corporate security systems trust home IP addresses. A request arriving from a Comcast or Virgin Media residential address looks like a real person. A request from a data center does not. Your TV's IP address is valuable specifically because it appears trustworthy — and that value is being monetized without your knowledge by companies that have decided the fiction of buried consent language in a terms of service document is sufficient justification.
The Popa investigation marks a rare moment where that business model has been traced through domains and corporate registrations all the way to a NASDAQ-listed company with named executives. Whether regulators treat that as sufficient accountability remains an open question.