18 June 2026
In May 2026 the website of Arab Reporters for Investigative Journalism (ARIJ) was targeted by a large-scale scraping event, with the site receiving traffic from approximately 1.35 million unique IP addresses spread across more than 7,300 autonomous systems and 223 country codes. Qurium’s investigation “Opaque Scrapers Hiding in the Crowd” showed that the observed behavior of the massive scraper attack was consistent with the ISP-integrated proxy model of the Israeli-owned NetNut. NetNut claims that it scrapes content at large scale without the use of proxies.
Less than a month after the release of Opaque Scrapers, Qurium, working with independent threat intelligence researchers including the Nokia Deepfield Emergency Response Team and Synthient, releases new findings that trace the underlying infrastructure of the scraping event to “Popa”: a residential proxy software family that turns consumer devices into Internet relay nodes.
All Qurium’s investigations on Opaque Scrapers can be found at “AI and Scrapers”.
Who is Popa?
Popa is an architecture designed to enroll devices so that they can later participate in a residential proxy network, either with or without the informed consent of the device owner, depending on how it is deployed. Once enrolled, a device can act as a relay or exit node, allowing third parties to route their traffic through what appears to be a normal residential Internet connection.
Popa has been found as a plugin component associated with the Vo1d botnet, a large-scale malware campaign targeting Android-based TV boxes and similar devices. Rather than being the entire malware itself, Popa functions as a networking layer that provides tunneling capabilities.
In the case of Vo1d, the main botnet infects and manages devices, while the Popa module can be later added to establish communication with command-and-control infrastructure, register the device, and transform it into a node that can forward traffic for the residential proxy operator. This broader infrastructure is commonly referred to as Popanet, while Popa is the plugin component (SDK) used in the Vo1d botnet. Popa can be also integrated in compromised applications including VPNs, streaming services, games or torrent clients.
We first learned of the existence of this component thanks to a research article by Xlab, which discovered through reverse engineering of Android applications that the Vo1d malware is able to download and update its plugins. Researchers analyzing Android APK files found Java packages and classes associated with this tunneling networking framework, including references to the package io.popanet.
Popa is therefore not a traditional downloader or banking trojan: the sole goal of the code is to implement a persistent communications layer capable of registering a device, maintaining long-lived encrypted connections, and opening tunnels on demand.
Like many other types of malware, Popa does not connect directly to a fixed command-and-control server. The compromised device starts by connecting to a limited set of domain names, from which it learns where to register and where to tunnel the traffic. When Popa was first exposed, Xlab disclosed the following domains as part of its command and control (C2):
gmslb[.]net
phonemesh[.]org
linkmob[.]org
peercon[.]org
phonegrid[.]org
safernetwork[.]io
lbk-sol[.]com
sklstech[.]com
kyc-holdings[.]com
All these domains run a “load balancing” subdomain of the form lb.front_domain (e.g. lb.gmslb[.]net), which acts as a first-stage bootstrap or load-balancing service. Once contacted, the Popa plugin retrieves the address of an operational backend server of the form s####.backend_domain and then establishes communications with it, typically observed over TCP port 6000.
This tunneling architecture allows the operators to dynamically redirect clients to new tunnel endpoints without modifying the application running on the compromised device.
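The two-stage bootstrap described above (a lb.* host followed by an s####.* backend on TCP 6000) is something a network defender can look for in DNS or flow logs. The following is an added example, not code from the investigation or from any of the parties named: it runs a simple detector over a few constructed log lines. A bare lb.* match is weak on its own, since ordinary load balancers use that label too; the signal this example keys on is one source contacting both a lb.* host and an s<digits>.* host on port 6000.

```python
import re
from collections import defaultdict

# Naming pattern from the investigation: a "lb." bootstrap host on a front
# domain, and backend hosts of the form s<digits>.<backend domain>.
LB_RE = re.compile(r"^lb\.[a-z0-9-]+\.[a-z]{2,}$", re.I)
BACKEND_RE = re.compile(r"^s\d+\.[a-z0-9-]+\.[a-z]{2,}$", re.I)
BACKEND_PORT = 6000  # port typically observed for the backend session

# Constructed sample log, one "src_ip dst_host dst_port" record per line.
# These are not real captures; hosts reuse names quoted in the text.
SAMPLE_LOG = """\
10.0.0.5 lb.gmslb.net 443
10.0.0.5 s1408.net-echo.com 6000
10.0.0.7 www.example.org 443
10.0.0.9 lb.tera-home.com 443
10.0.0.9 s248.tera-home.com 6000
10.0.0.12 s3.example.org 443
10.0.0.14 lb.example.org 443
"""


def parse_line(line):
    """Split one record into (src_ip, host, port); host is normalised."""
    src, host, port = line.split()
    return src, host.lower().rstrip("."), int(port)


def classify(host, port):
    """Tag a destination as 'bootstrap', 'backend' or None.

    The backend tag additionally requires the observed port, so an s3.* host
    on 443 (a common naming scheme for ordinary servers) is not flagged.
    """
    if LB_RE.match(host):
        return "bootstrap"
    if BACKEND_RE.match(host) and port == BACKEND_PORT:
        return "backend"
    return None


def find_suspects(log_text):
    """Return the source IPs that completed both stages of the pattern.

    A source that only touched a lb.* host (10.0.0.14 in the sample) is not
    reported; only sources with both a bootstrap and a backend hit are.
    """
    tags_by_src = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        src, host, port = parse_line(line)
        tag = classify(host, port)
        if tag is not None:
            tags_by_src[src].add(tag)
    return sorted(src for src, tags in tags_by_src.items()
                  if tags == {"bootstrap", "backend"})


if __name__ == "__main__":
    print(find_suspects(SAMPLE_LOG))  # → ['10.0.0.5', '10.0.0.9']
```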

History matters
After two large scraping events that targeted our hosted organizations in May 2026, we decided to find out more about the infrastructure that was likely behind the 1.4 million addresses that targeted our hosted websites. The geographic distribution of the traffic in the global scraping events led us to look into the Vo1d botnet and Popa.
We started by looking into the infrastructure used by gmslb[.]net since March 2022 and found a larger collection of domains mimicking the same “lb.” – “s###” domain pattern.
We checked their registration dates and the locations where they were hosted, and found three domains that gave us extra leads on where to keep investigating:
- safernetwork[.]io used the DNS server ns1.ntnt.io until November 2022.
- tera-home[.]com ran records of the form s248.tera-home.com that overlap with infrastructure we discovered while investigating the Sneaker Proxy ecosystem supported by NetNut.
- ninjatech[.]io, a very early precursor domain in the same infrastructure, ran dozens of load-balancing records from 2020 using an sdk# subdomain pattern.
The next step was to identify which applications, apart from Android TV devices compromised by Vo1d, have been talking to lb.gmslb.net.
A VPN that is more than a VPN
A review in VirusTotal gave us a glimpse of the kind of applications that have interacted with gmslb.net. We found dozens of pirated/modded streaming apps, especially CRICFy, DooFlix, Sportzfy, RTS TV, Flixoid, CyberFlix, Rapid Streamz, TvMob, and HD/Ocean Streamz.
Days before, while investigating Alarum Technologies Ltd and NetNut, we learned about RoboVPN, a consumer VPN service run by CyberKick, a business unit now owned by Alarum Technologies Ltd. (formerly Safe-T Group Ltd.). In 2021, Safe-T acquired CyberKick as part of its strategy to expand into “consumer privacy and internet-access products”, and subsequently rebranded as Alarum Technologies.
RoboVPN includes an additional component: neonative.dll. The library could also be found in other Windows samples as neunative-m.exe.
The significance of this library is that it communicated with infrastructure associated with gmslb.net, the main control domain behind the Popa ecosystem and the very same command and control server used by the Vo1d/Badbox botnet.
The Mother of Torrent Clients
MediaGet is a free peer-to-peer (P2P) torrent client and media management application that allows users to search for, download, and play digital content such as movies, music, and games. The app is signed by Global Microtrading PTE. LTD (Singapore). According to the company registry, the company operates in Internet advertising and performance marketing.
MediaGet website offered us a very recent version of “neunative” at https://mediaget[.]com/installer/binaries/neunative_setup_2_2025-06-17.exe
The binary contains the Popa SDK neonative.dll bundled as part of MediaGet. We ran the binary in an Any.run sandbox and observed an outbound connection to the Popa C2 lb.net-echo[.]com, followed by a connection to the backend server s1408. Once the device registration completed, our machine started to receive proxy requests.
At the time of this writing the neonative.dll library contains three hardcoded domains: sky-borders[.]com, tera-home[.]com and net-echo[.]com. The library also contains a fallback mechanism to find new domains using Google Drive.

MediaGet (Torrent Client) is an interesting example of an application that bundles the SDK of multiple proxy providers including Bright Data, AnyIP, Soax and our “Popa Neonative”.
During our review we examined dozens of pirate streaming applications that, like Flixoid, contain the Popa neunative bundle. The neunative library (gms-native-sdk) found in several applications offering free streaming services makes the users part of the residential proxy network. The library gives the backend server control to operate “named tunnels” as persistent communication pathways. Inside these tunnels, TLV (Type-Length-Value) metadata is injected directly into the data packets. We refer to this protocol as “Popa TLV”.

This means in practice that users running these apps on Firesticks or Android TVs are exit nodes of NetNut’s residential proxy network.
A Ninja that is not a Ninja
In early June 2025, Google, Trend Micro, and Shadowserver conducted an operation aimed at disrupting Badbox 2.0, a botnet associated with Vo1d. Many domains associated with the proxy traffic distribution of Popa were taken down and sinkholed. Not surprisingly, after the domains were taken down dozens of new domains were registered to replace them:
2011-12-07T03 | ginuary[.]com
2014-08-24T07 | dnetk[.]com
2020-01-29T14 | ninjatech[.]io
2021-03-21T07 | newcommreview[.]com
2022-03-06T07 | gmslb[.]net
2022-09-19T10 | kyc-holdings[.]com (sinkholed)
2022-12-13T09 | sklstech[.]com (sinkholed)
2023-05-24T15 | lbk-sol[.]com (sinkholed)
2023-06-19T08 | pixellog[.]io (sinkholed)
2024-04-07T09 | linkmob[.]org (sinkholed)
2024-04-07T09 | peercon[.]org (sinkholed)
2024-04-07T09 | phonegrid[.]org (sinkholed)
2024-04-07T09 | phonemesh[.]org (sinkholed)
2024-04-15T20 | safernetwork[.]io
2025-06-05T09 | sdkmob[.]org
2025-06-05T16 | fast-mob[.]com
2025-06-05T16 | swift-zip[.]com
2025-06-08T07 | byte-buff[.]com
2025-06-08T07 | house-spirit[.]com
2025-06-08T07 | novel-layer[.]com
2025-06-08T07 | star-layer[.]com
2025-06-08T07 | viki-play[.]com
2025-06-08T12 | byte-buff[.]com
2025-06-08T12 | house-spirit[.]com
2025-06-08T12 | link-flux[.]com
2025-06-08T12 | litics-net[.]com
2025-06-08T12 | nova-lan[.]com
2025-06-08T12 | novel-layer[.]com
2025-06-08T12 | noverland[.]com
2025-06-08T12 | pulse-vol[.]com
2025-06-08T12 | star-layer[.]com
2025-06-08T12 | viki-play[.]com
2025-06-08T14 | voltix-net[.]com
2025-06-09T10 | flexible-networks[.]com
2025-06-09T10 | grid-push[.]com
2025-06-09T10 | net-echo[.]com
2025-06-09T10 | zen-tava[.]com
2025-06-09T11 | axe-net[.]com
2025-06-09T11 | mob-hit[.]com
2025-06-09T11 | sky-borders[.]com
2025-06-09T11 | tera-home[.]com
2025-06-09T11 | zync-stream[.]com
2025-06-11T18 | worker-net[.]com (Registrant Country: IL)
2025-06-12T13 | earth2trust[.]com
2025-06-12T13 | world2trust[.]com
2025-06-12T13 | yoursfind[.]com
2025-06-16T13 | byte-armor[.]com
2025-06-16T13 | cool-horizon[.]com
2025-06-16T13 | nice-protect[.]com
2025-06-16T13 | shield-sky[.]com
2025-06-16T13 | vault-sentinel[.]com
But one domain that was quickly used to replace the sink-holed domains was not newly registered: ninjatech.io.
Thanks to the Internet archive we found a version of the website with the motto: “When product becomes complicated – You need Ninja”. The website promotes the Ninja SDK as means to monetize users’ idle bandwidth.

The very same archived version of ninjatech[.]io pointed us to a Latvian company NinjaTech SIA (40203236112) registered in January 2020 in Brīvības iela 91-10, Rīga and liquidated in 2022.
The company was registered in the name of Moshe (Moishi) Yehuda Kramer who co-founded and built NetNut and is currently SVP R&D at NetNut. According to Alarum’s website (owners of NetNut), he is also Chief Strategy & Innovation Officer at Alarum Technologies.
On June 15, Qurium sent a right-of-reply request to Moshe Yehuda Kramer. The very same day, the LinkedIn profile of NinjaTech was removed. Moshe answered our right-of-reply on June 16th. In his response he stated that NinjaTech ceased operations many years ago and that he needed time to review historical information. He further argued that the investigation appeared to combine factual historical information with assumptions and conclusions that may not be supported by the underlying facts, and cautioned against drawing broad conclusions from historical associations alone.


A cyberprotector
During our review, we found applications containing the Ninja SDK as early as January 2021. These early applications also used the domains:
cyberprotector[.]online
flixview.apis.cyberprotector[.]online
myrc[.]xyz
monetizeapp[.]net
Early versions of the SDK used third party reverse proxy libraries such as 3proxy, mproxy or frp.
We also found that in 2021 “UK Turks”, an unofficial third-party streaming application that provides free access to live TV channels, included the Popa SDK bundled with LibraVPN, a VPN developed by Safe-T.
Static analysis of the SDK shows that, while the library contains consent components, none of them are invoked. Our analysis of the most recent “Popa TLV” tunneling protocol reveals that no authentication functionality is implemented between devices registering and the back-end infrastructure.

At the time of this writing the monetization dashboard of Ninja Tech remains online.

A historical review of the domains sdk.netnut[.]io, api.cyberprotector[.]online and sdk.ninjatech[.]io shows that they were early precursors of lb[.]gmslb.net, the main load balancer of “Popa”. The domains have shared the very same hosting locations between 2021 and 2025.

World Wild Streaming Apps

During our investigation we identified several implementations of the “Popa” TLV tunneling protocol that differ only in the registration parameters sent by the compromised device.
Early implementations of “Popa” for Android were written in Java, while in recent versions the SDK has been replaced by a native C implementation built using an Android NDK LLVM toolchain from late 2021 (libneunative).
In VirusTotal we identified close to 5000 samples associated with the different “Popa” versions, communicating with 46 control domains. The domains are used to tunnel traffic towards 300+ backend servers hosted in OVH, Hetzner and Akamai.
Once the modified applications register with a backend server, the device starts to receive requests for proxying traffic. The process does not include any authentication mechanism, no registration for the service, no consent. Nothing!
We consolidated the total list of samples into different pirate streaming App families. The results are mind blowing! The following table provides a summary of what we found including the streaming apps that contain the proxy SDK and what load balancer of Popa is selected during registration.

Smart Tube compromised
Smart Tube is a free open-source YouTube/media client for Android TV boxes and TVs. In November 2025, the community around the software discovered that the code had been compromised when Google Play Protect flagged the app as malicious. We traced back that the first compromised version was 28.56 and that all versions from 28.56 through 30.51 contained a residential proxy SDK. The first compromised version was released in June, so Popa had been operating in it for at least five months.
We checked several compromised versions of Smart Tube and found two libraries inside: libneunative and libalphasdk. Both libraries are responsible for registering and proxying traffic for the Popa backend infrastructure. They implement the same tunneling protocol (TLV multiplexing) but differ in the method used to obtain the peer backend server.
In one app we found that the domain cyberprotector[.]online contained a white list of 94 applications allowed to run the SDK.

Some examples of apps containing early versions of Popa SDK

Conclusion
Taken individually, none of the pieces of evidence presented above would be sufficient to attribute the Popa ecosystem to a particular commercial residential proxy provider. However, when viewed together, they form a consistent pattern that strongly suggests a close relationship between the Popa architecture and the broader NetNut/Alarum ecosystem.
Our investigation identified multiple technical and historical overlaps. First, infrastructure associated with Popa shares naming conventions and operational patterns with domains that overlap infrastructure previously observed during our investigation of the NetNut sneaker proxy ecosystem.
Second, one of the earliest domains in the ecosystem, ninjatech.io, predates many of the currently known Popa domains and openly advertised an SDK whose purpose was to monetize users’ idle bandwidth.
Third, the company behind that SDK, NinjaTech SIA, was registered in Latvia in 2020 in the name of Moshe Yehuda Kramer, who currently serves as Chief Technology/Science/R&D Officer at Alarum Technologies Ltd. This creates a direct organizational link between a company promoting a bandwidth-sharing SDK and the executive leadership of the corporate group that owns NetNut.
Fourth, the neonative.dll library, which communicates with Popa command-and-control infrastructure, was found bundled not only inside consumer applications such as MediaGet, but also inside RoboVPN, a VPN service operated by CyberKick, a business unit acquired by Safe-T Group and subsequently incorporated into what is today Alarum Technologies Ltd.
Taken together, these observations provide strong indications that the Popa ecosystem is closely connected to the NetNut/Alarum ecosystem. The convergence of shared infrastructure, overlapping domain patterns, SDK distribution mechanisms, historical DNS relationships, bundled software components, and corporate associations is unlikely to be coincidental.
Additional reading
Publications by research partners
- [18 Jun 2026] Nokia Deepfield Emergency Response Team: A free download and a botnet: RoboVPN, Neunative, and the Vo1d/Popa backend
- [18 Jun 2026] Synthient: Popa: From Sourcing to Distribution
- [18 Jun 2026] KrebsOnSecurity: Popa Botnet Linked to Publicly Traded Israeli Firm
Previous research on Vo1d and Popa
- [27 Feb 2025] XLab / Qianxin Vo1d research, “Long Live The Vo1d Botnet: New Variant Hits 1.6 Million TV Globally”, https://blog.xlab.qianxin.com/long-live-the-vo1d_botnet
- [31 May 2026] Cyberveille, “SuperProxy : le réseau proxy résidentiel caché dans les appareils SuperBox”, https://cyberveille.ch/posts/2026-05-31-superproxy-le-reseau-proxy-residentiel-cache-dans-les-appareils-superbox
- [Mar 2025] ThreatFox IOC Database https://threatfox.abuse.ch/ioc/1438959 (classifies gmslb.net as Popa)
- [9 Jun 2026] Synthient, “Who are the victims of residential proxies?”, https://synthient.com/blog/who-are-the-victims-of-residential-proxies
- [May 2026] Plume Security Lab, “SuperProxy – The Unhealthy Marriage of Superbox and Residential Proxies”, https://cdn.plume.com/ca/69/b1c4a022451884c2c6124341c8f5/plumereserachpaper-superproxy-may2026.pdf
- VirusTotal, Safernetwork Ropas Apk, https://www.virustotal.com/gui/file/628cb2b4bc2831f37783b325d62667565de70b21ccfad7ea94be3385f6c34018/relations
