The uncomfortable truth behind 10 million Popa proxy requests


Executive Summary

During our investigation into Android TV and streaming applications, Qurium identified dozens of Android (APK) packages containing a software component that transformed a diverse collection of IPTV players, streaming applications, and media-related Android software into residential proxies.

At first glance, the applications appeared to offer only television streaming, IPTV playback, media consumption, and related services, but they also participated in a residential proxy network known as Popa.

To better understand how Popa is currently used for proxying, we installed a number of these applications in a controlled environment and allowed them to operate normally.

Our initial objective was to determine whether the Popa SDK component performed activities beyond those disclosed to end consumers.

A notable finding emerged almost immediately. A large majority of the tested applications did not present a meaningful consent dialogue informing users that their Internet connection would be used to relay traffic on behalf of third parties and become part of a residential proxy infrastructure. If any consent messages were present in the applications, none of them indicated the proxy provider that would be the beneficiary of the shared bandwidth.

Shortly after installation, devices contacted the “Popa” control infrastructure, registered with one of their backend systems, received lists of peers, and began forwarding traffic through our Internet connection. During the first hour we saw traffic targeting 100 different port numbers.

From that point onward our investigation shifted focus. The key question was no longer whether the applications contained “Popa” proxy functionality, or whether the devices were used by Netnut. The main research question became: what traffic is actually being routed through our infrastructure?


Poopa for Popa

To answer this question, we developed a collection and analysis framework internally known as “Poopa”. The research framework recorded each of the unwanted requests, flows, protocol metadata, destinations, ports, and behavioral characteristics of traffic traversing our network. The resulting dataset, which contains more than 10 million domain requests, provides a rare view into the practical use of a large residential proxy ecosystem.

Contrary to the simplified public narrative often associated with residential proxy providers, the observed traffic was not dominated by public-data collection activities. Instead, the dataset was heavily concentrated in advertising fraud, affiliate marketing, account-registration services, ticketing scalping, cryptocurrency exchanges, bypassing anti-bot systems or spam-delivery operations.

This is how Poopa was designed and what we learned.

From discovery to joining the Popa

The investigation began when we discovered a set of libraries (Loopop, Neupop, Moneytiser, Alpha) used by several Android TV applications that communicated with Popa’s main load balancer domain gmslb[.]net. For a more detailed breakdown of the libraries, check the research work of Synthient!

The gmslb[.]net domain led us to ninjatech[.]io and its close connection to Moishi Kramer from Netnut and Alarum Technologies.

We installed the streaming applications and we recorded how they performed registration operations, obtained peer lists, and established encrypted communications with backend systems. Shortly thereafter, third-party traffic began traversing the devices.

The onboarding process occurred automatically. No meaningful explanation was provided to users regarding the role their devices would play in the network. From an end user’s perspective, the applications functioned as expected. Video content could be viewed and media features appeared operational. In parallel, however, the devices were participating in a residential proxy ecosystem.

Rogue devices in our networks

Once the applications began forwarding third-party traffic, our investigation entered a new phase. As operators we felt responsible for understanding what rogue activities occurred through our infrastructure. Understanding the nature of this unwanted traffic is a standard operational practice among carriers and hosting providers.

The purposes of our analysis were to:

  • Determine what kind of traffic is being routed through our network;
  • Identify the services and destinations involved;
  • Understand whether the observed behavior matched public claims regarding residential proxy usage;
  • Assess potential security and abuse implications;
  • Determine if the proxy provider is implementing any means to stop abusive behavior.

Our investigation focused on aggregated traffic characteristics, destinations, protocols, and behavior rather than the contents of individual user communications.

Building a research dataset

To understand the network at scale, Qurium developed “Poopa”, a collection and analysis platform capable of recording requests, protocol metadata, flows, destinations, ports, and timing information.

Our “Poopa” analysis platform was deployed across multiple Popa instances in different geographical locations and collected more than 10 million proxy requests in just a few days.

In addition to HTTP and HTTPS metadata, “Poopa” captured flow summaries, SMTP sessions, destination ports, DNS behaviour, and other operational indicators.

Qurium has decided to share this very unique dataset as it contains information that will help the wider research community to understand the true meaning of “full web transparency and public good”. We encourage researchers to dig into the dataset and let us know what they find.

For example, after a few minutes digging the dataset, an American independent DDoS researcher found the domain dstatbot[.]win, a domain associated with a service called DDoS Dstat providing real-time traffic statistics and graphs for network traffic, particularly DDoS-related traffic.

Another researcher from Germany found close to 85,000 connections to “register-service.gmx.net”, likely to register free email accounts.

Traffic Beyond Web Browsing

One of the most significant findings was that the network carried substantially more than ordinary web traffic. Public descriptions of residential proxy services often focus on web browsing, public-data collection, search-engine monitoring, price comparison, or market research. Residential proxy providers embrace openness, the need for access to public data, the wonders of ethical scraping and so on.

However, the traffic observed through “Popa” demonstrated that the infrastructure was being used as a general-purpose residential relay. One of the early stages of “Popa” initialization is indeed to verify whether port 25 (SMTP) is reachable, by connecting to smtp.google[.]com.

Our analysis collected activity across a hundred TCP ports and application families. Close to 20% of all proxy requests did not connect to an HTTPS website.

The largest volumes naturally occurred on ports 80 and 443 corresponding to HTTP and HTTPS traffic.

The HTTP affiliate-related traffic observed in the dataset is concentrated around a small number of advertising-attribution and marketing-technology platforms, including AppsFlyer/OneLink, EZmob, Wisdo, and Bazertech.

However, substantial activity was also observed on ports associated with:

  • Mail services (Spam Campaigns):
    • SMTP
    • IMAP
    • POP3
  • Signaling and communications:
    • MQTT
    • XMPP
  • Exploitation attempts (0.0.0.0/127.0.0.1):
    • MongoDB
    • Android Debug Bridge (ADB)

Email-related activity was particularly notable. Traffic was observed on SMTP ports 25, 465, and 587, as well as POP3 and IMAP ports 110, 143, 993, and 995. Analysis of SMTP sessions revealed repeated delivery attempts associated with large-scale spam campaigns.

During the time of our analysis, we found that many messages were written in Japanese and impersonated logistics companies, parcel-delivery services, and e-commerce providers.

Subjects of the emails included:

  • “Your package will be delivered tomorrow.”
  • “Shipment completed.”
  • “Please confirm delivery information.”
  • “Important delivery notice.”

The campaigns followed patterns commonly associated with phishing and credential-harvesting operations.

Another notable category involved Android Debug Bridge traffic on ports 5555, 5556, and 5557. Multiple requests targeted destinations such as:

  • 0.0.0.0:5555
  • 0.0.0.0:443
  • c.cx:443
  • boom.abuse.st:5555

These findings indicate attempts to reach Android administration interfaces and other non-web services through residential connections.
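As an added illustration of this breakdown (our own Python, not Qurium’s Poopa code), the snippet below buckets proxy requests by destination-port family and flags destinations that an exit node should never be asked to reach, such as 0.0.0.0 or 127.0.0.1. The sample records and the example.* hostnames are constructed, and the MQTT, XMPP and MongoDB ports are assumed standard defaults rather than values from the report.

```python
import ipaddress
from collections import Counter

# Constructed sample of (destination host, port) pairs in the shape Poopa records;
# the example.* names are placeholders, not destinations from the real dataset.
SAMPLE = [
    ("app.example-attribution.com", 443), ("shop.example.nl", 443),
    ("login.example.nl", 443), ("tracker.example.net", 80),
    ("mx.example.jp", 25), ("mx.example.jp", 587), ("imap.example.jp", 993),
    ("0.0.0.0", 5555), ("127.0.0.1", 27017), ("broker.example.org", 1883),
]

# Port families named in the report. MQTT, XMPP and MongoDB are mapped to their
# standard default ports here (assumption; the report lists no port for them).
PORT_FAMILY = {
    80: "http", 443: "https",
    25: "smtp", 465: "smtp", 587: "smtp",
    110: "pop3", 995: "pop3", 143: "imap", 993: "imap",
    1883: "mqtt", 8883: "mqtt", 5222: "xmpp", 5269: "xmpp",
    27017: "mongodb", 5555: "adb", 5556: "adb", 5557: "adb",
}

def family(port):
    return PORT_FAMILY.get(port, "other")

def non_routable(host):
    """True for destinations an exit node should never be asked to reach:
    the unspecified address, loopback, link-local or RFC 1918 space."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False  # a hostname, not a literal address
    return ip.is_unspecified or ip.is_loopback or ip.is_link_local or ip.is_private

def summarize(records):
    """Per-family request counts, the non-HTTPS share, and flagged destinations."""
    families = Counter(family(port) for _, port in records)
    non_https = sum(n for fam, n in families.items() if fam != "https")
    flagged = [(h, p, family(p)) for h, p in records if non_routable(h)]
    return {
        "families": families,
        "non_https_share": non_https / len(records),
        "flagged": flagged,
    }

if __name__ == "__main__":
    print(summarize(SAMPLE))
```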

The Top 100 Domains

Although we recorded more than 10 million proxy requests and almost half a million distinct domain names, 70 domain names represent 50% of the total number of requests.

The largest category by volume was advertising attribution and affiliate-marketing infrastructure. The single most frequently observed destination was app.appsflyer[.]com. AppsFlyer operates one of the world’s largest attribution systems for mobile applications. The AppsFlyer SDK, which is embedded in their customers’ applications, includes calls to the domains seen in our dataset. We also found several domains associated with gambling and betting apps, such as bet22, bybit or the CFD trading broker vtmarkets.

app.appsflyer[.]com
impression.appsflyer[.]com
impressions.onelink[.]me
dhgate.onelink[.]me
bybit.onelink[.]me
bet22client-custom.onelink[.]me
vantagefxapp.onelink[.]me

The second major category consisted of advertising infrastructure:

googleads.g.doubleclick[.]net
ad.doubleclick[.]net
pubads.g.doubleclick[.]net
securepubads.g.doubleclick[.]net
pagead2.googlesyndication[.]com
analytics.google[.]com

Retail and ecommerce destinations included:

www.mediamarkt[.]nl
www.bol[.]com
login.bol[.]com
m.dhgate[.]com (marketplace in China)
api.johnlewis[.]com
www2.hm[.]com
m.media-amazon[.]com
shopifysvc[.]com

Another major cluster involved ticketing infrastructure. Ticketmaster and FIFA infrastructure appeared prominently throughout the collection.


services.ticketmaster[.]com
queue.ticketmaster[.]de
queue.ticketmaster.co[.]uk
availability.ticketmaster[.]nl
access.tickets.fifa[.]com
fwc26-shop-usd.tickets.fifa[.]com

We also saw connections to cryptocurrency and trading-related services such as:

api.binance[.]com
api.bybit[.]com
api.gateio[.]ws
www.okx[.]com
hedgewing[.]ai

We also found that a website, polar-tensor[.]com, was likely flooded (DDoS) with requests via “Popa”, and that almost 60K requests routed via our nodes reached the DDoS stats service dstatbot[.]win.

Phishing Campaigns

The email findings represent one of the clearest examples of non-web activity. We observed large volumes of SMTP traffic that appeared to form part of coordinated spam campaigns impersonating logistics providers and delivery companies. The campaigns relied heavily on themes involving:

  • Package delivery
  • Shipment tracking
  • Account verification
  • Payment confirmation

These findings demonstrate that the network was being used not merely for browsing activity but also for active message-delivery operations. Spamhaus reported in April 2025 that the China-nexus phishing group had started to use residential proxies to conduct their campaigns. The mails we recorded with “Poopa” match the signature of their phishing campaigns against Japanese users.

A sample of one of the campaigns routed via Popa

Cluster | Hits | Unique subjects | Decoded subject examples
Japanese delivery / parcel lures | 2,767 | 65 | 【まもなくお届け】配送状…, お届け予定のお知らせ, 配送状況のご案内, 商品配送に関するご案内
Japanese Amazon spoof / delivery | 555 | 13 | A m a z о nお届け予定のお知…, A m a z о n配送状況が更新…, A m a z о n商品は現在配送中
Chinese utility / lure subjects | 96 | 11 | 验证码, 密码找回, 测试, 转发:2859893151, 照片
English / Chinese greeting spam | 73 | 46 | Dear Friends:, Hello:, Howdy:, 亲爱的朋友你好:, 尊敬的同仁Hello:
Other / unclear | 64 | 15 | 出荷手続き完了のお知らせ, Re:554135908, 老客户进
Japanese U-NEXT payment lure | 48 | 1 | U-N⁢EX⁡Tのお支払い⁡方法を⁣再設定し⁣てください
Japanese Visa-card phishing | 11 | 3 | Visaカードの登録内容を再確認してください。, Visaカード登録情報を見直していただけますか
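The obfuscation visible in the table (a spaced-out “A m a z о n” whose о is Cyrillic, invisible format characters inside “U-NEXT”) is cheap to detect at a mail gateway. The added Python below is ours, not part of Poopa: it normalizes constructed subject lines modelled on those examples and reports the hidden characters, spaced-out brand names and mixed-script tokens it finds.

```python
import re
import unicodedata

# Constructed subjects modelled on the decoded examples in the table above. The
# Cyrillic о (U+043E) and the invisible format characters are written as escapes
# so the trick is visible in the source; these are not real messages.
SUBJECTS = [
    "A m a z \u043e nお届け予定のお知らせ",            # spaced brand, Cyrillic о
    "U-N\u2062EX\u2061Tのお支払い方法を再設定してください",  # invisible chars in brand
    "Your package will be delivered tomorrow.",    # plain lure, nothing hidden
    "Visaカードの登録内容を再確認してください。",     # Latin + Japanese, legitimate mix
]

CONFUSABLE = {"LATIN", "CYRILLIC", "GREEK"}      # alphabets with look-alike glyphs
SPACED = re.compile(r"(?<!\S)(?:\S ){3,}\S")     # 4+ single chars split by spaces

def strip_invisible(text):
    """Drop format characters (Cf: zero-width joiners, invisible operators, ...)."""
    kept = [c for c in text if unicodedata.category(c) != "Cf"]
    return "".join(kept), len(text) - len(kept)

def script_of(ch):
    """First word of the Unicode name, e.g. LATIN, CYRILLIC, HIRAGANA, CJK."""
    try:
        return unicodedata.name(ch).split()[0]
    except ValueError:
        return "UNKNOWN"

def homoglyph_tokens(text):
    """Tokens mixing two confusable alphabets, e.g. Latin 'Amaz' + Cyrillic 'о'.
    Latin mixed with kana or CJK is normal in Japanese mail and is not flagged."""
    hits = []
    for tok in text.split():
        scripts = {script_of(c) for c in tok if c.isalpha()}
        if len(scripts & CONFUSABLE) > 1:
            hits.append(tok)
    return hits

def analyze(subject):
    cleaned, hidden = strip_invisible(subject)
    spaced = bool(SPACED.search(cleaned))
    # Collapse "A m a z о n" to "Amazоn" so the brand can be matched as a token.
    normalized = SPACED.sub(lambda m: m.group(0).replace(" ", ""), cleaned)
    return {"hidden_chars": hidden, "spaced_brand": spaced,
            "normalized": normalized, "homoglyph_tokens": homoglyph_tokens(normalized)}

if __name__ == "__main__":
    for s in SUBJECTS:
        print(analyze(s))
```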

Ethical web scraping made simple

Residential proxy providers frequently market their services as tools for collecting public information. Typical marketing materials emphasize the wonders of ethical scraping for:

  • public web data
  • price monitoring
  • market research
  • SEO monitoring
  • brand monitoring

The observed dataset presents a different picture. The highest-volume destinations were not public-information websites.

Instead they consisted largely of:

  • advertising attribution systems (AppsFlyer)
  • affiliate-marketing infrastructure (vtmarkets)
  • account-registration systems (gmx, earthlink)
  • ticketing platforms (Ticketmaster)
  • cryptocurrency services
  • spam-related activity
  • gaming (Roblox)

Our observations do not imply that every customer of the proxy network was engaged in abuse. However, they demonstrate that the practical uses of residential proxy infrastructure extend far beyond the collection of public web data. We also believe that customers of residential proxies are largely unaware of how the residential proxy IP addresses are really obtained and harvested. Universities and research institutions are often offered access to special free proxy packages.


Conclusion

In our previous investigation we showed how “Popa” transformed consumer devices into residential exit nodes closely connected to Netnut-Alarum Technologies.

To better understand how the “Popa” applications work, we joined the “Popa” network and offered our bandwidth for free. Through the analysis of more than ten million proxy requests, we found that the network carried substantially more than ordinary web-browsing traffic. The observed destinations included advertising-attribution and affiliate-marketing fraud, ticketing scalping, massive account-registration activity and large-scale spam campaigns.

These findings demonstrate that the network is being used to facilitate a broad spectrum of “commercial activities” that depend on access to residential IP addresses.

Operators of residential proxy infrastructures such as NetNut publicly state that they maintain policies, procedures, customer-verification processes, monitoring systems, and technological safeguards designed to prevent abuse of their networks. According to their public statements, these measures are intended to identify, limit, and address malicious or unauthorized use of proxy resources.

However, our findings raise serious questions about the effectiveness of such safeguards in practice. The traffic observed during our investigation included substantial volumes of activity consistent with unsolicited email campaigns and spam distribution. Notably, our data suggests that even one of the most widely recognized and technically straightforward categories of online abuse, email spam, was able to traverse residential proxy infrastructure at significant scale.

This indicates that either the advertised controls were unable to identify such activity, were not applied effectively, or were insufficient to prevent abuse from occurring through the network.

Our findings challenge the simplified public narrative often associated with residential proxy services. Rather than supporting only benign activities such as public web data collection or geo-testing, the ecosystem we observed appears to support a much broader range of commercial and potentially abusive uses. The scale and diversity of the traffic, combined with the apparent inability to prevent even basic forms of abuse, raise important questions about accountability, transparency, and the effectiveness of abuse-prevention mechanisms within the residential proxy industry.


Dig into Popa with “Poopa”

Popa.live is a dashboard that allows threat intelligence researchers to navigate the 500,000 domains that have been seen at our “Popa” exit nodes. 70 domain names represent 50% of the total requests seen. To facilitate navigation, we have classified the domains by TLD.

We have decided to share this very unique dataset as it contains information that will help the wider research community understand the true meaning of “full web transparency and public good”. We encourage researchers to dig into the dataset and let us know what they find.

The dashboard generated during the investigation provides concentration metrics designed to identify dominant destinations and behavioral patterns. For each TLD you can navigate to the top domains seen and how much weight they carry within the dataset.

Requests
Total number of requests observed.

Unique Domains
Number of distinct domains observed.

Top100 Share
Percentage of requests generated by the one hundred largest domains.

Single-Hit Domain Share
Percentage of domains observed exactly once.

Dataset Share
Percentage of the entire dataset represented by a category.

Advanced metrics

Effective Domains (Neff)
The number of equally-sized domains required to produce the same concentration of traffic.

HHI (Herfindahl-Hirschman Index)
Direct measure of concentration. Higher values indicate stronger concentration.
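As an added worked example of the dashboard metrics above (our own Python, not the Popa.live code), the snippet computes them over a constructed request log; it assumes Neff is the inverse-Simpson form 1/HHI, which is the usual reading of the definition given, and also counts how many top domains it takes to reach half of all requests, the figure the report quotes as 70.

```python
from collections import Counter

# Constructed request log: one destination domain per proxied request. The
# counts are invented to keep the arithmetic easy to follow; not Poopa data.
REQUESTS = (
    ["app.example-attribution.com"] * 50
    + ["ads.example.net"] * 30
    + ["shop.example.nl"] * 10
    + ["queue.example-tickets.de"] * 5
    + ["one-%d.example.org" % i for i in range(5)]  # five single-hit domains
)

def shares(requests):
    """Request share of every domain (the shares sum to 1)."""
    counts = Counter(requests)
    total = sum(counts.values())
    return {d: n / total for d, n in counts.items()}

def top_n_share(requests, n=100):
    """Share of all requests generated by the n largest domains."""
    counts = Counter(requests)
    return sum(c for _, c in counts.most_common(n)) / sum(counts.values())

def single_hit_domain_share(requests):
    """Share of distinct domains that were observed exactly once."""
    counts = Counter(requests)
    return sum(1 for c in counts.values() if c == 1) / len(counts)

def hhi(requests):
    """Herfindahl-Hirschman Index: sum of squared shares, in (0, 1]."""
    return sum(s * s for s in shares(requests).values())

def effective_domains(requests):
    """Neff = 1 / HHI: the number of equal-sized domains with the same HHI
    (inverse-Simpson form; assumed to match the dashboard's definition)."""
    return 1.0 / hhi(requests)

def domains_for_share(requests, target=0.5):
    """How many of the largest domains it takes to reach `target` of all requests."""
    counts = Counter(requests)
    total, acc = sum(counts.values()), 0
    for k, (_, c) in enumerate(counts.most_common(), start=1):
        acc += c
        if acc / total >= target:
            return k
    return len(counts)

def dashboard(requests):
    return {"requests": len(requests), "unique_domains": len(set(requests)),
            "top100_share": top_n_share(requests), "hhi": hhi(requests),
            "single_hit_domain_share": single_hit_domain_share(requests),
            "neff": effective_domains(requests),
            "domains_for_half": domains_for_share(requests)}
```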