Google, the FBI, and other organizations coordinated in a joint effort to dismantle NetNut, a massive residential proxy network.
Also known as Popa, NetNut is believed to consist of more than 2 million Android devices such as smart TVs and streaming boxes, that have been infected through trojanized applications and malware such as Badbox 2.0.
The network’s operator, linked to the publicly-traded Israeli firm Alarum Technologies Ltd, rented the residential proxies to various threat actors, including cybercriminal and espionage groups.
In a single week in June, Google observed 316 distinct threat clusters using NetNut to hide their locations in password-spray attacks and to access victim environments.
“We believe our coordinated actions have caused significant degradation to NetNut’s proxy network and its business operations, reducing the available pool of devices for the proxy operator by millions,” Google said.
As part of the operation, the internet giant disabled Google accounts and associated services used for command-and-control (C&C), dismantling the botnet’s backend infrastructure.
Additionally, it disabled the infected applications via Google Play Protect and automatically warned victims of the threat. Google also shared threat intelligence with industry partners and law enforcement.
According to Google, NetNut is not only selling access to the residential proxy network under its own brand, but also operates a reseller program, allowing other popular brands to whitelabel the NetNut botnet.
The NetNut takedown follows the January disruption of IPIDEA, and is expected to have a ripple effect across the ecosystem.
“What we have observed is that when faced with the degradation of their own botnet, proxy operators begin buying capacity from their competitors, effectively becoming a reseller. We recognize that creating a lasting disruption in this fluid ecosystem means we must scale our efforts to target the infrastructure of several interconnected providers,” Google says.
Related: Google Sues Operators of 10-Million-Device Badbox 2.0 Botnet
Related: 15,000 WordPress Websites Cleaned Up in SocGholish Botnet Takedown
Related: Dutch Police Dismantle Massive 17-Million-Device Botnet
Related: GlassWorm Botnet Disrupted
Related: Aisuru and Kimwolf DDoS Botnets Disrupted in International Operation
