Popa

Popa is an Android proxyware SDK and botnet component that enrolls consumer devices—including phones, tablets, streaming boxes, and unofficial Android TV boxes—into a residential proxy network. Reporting describes it as a communications-layer plugin associated with the Vo1d ecosystem and as a long-running Android-based botnet that has operated for roughly four years at large scale, with estimates ranging from about 1.5 million to 2.5 million distinct IPs per day. Popa has been linked in public reporting to advertising fraud, account takeovers, mass data scraping, and broader proxy abuse.

Functionally, Popa registers infected or enrolled devices with control infrastructure, maintains long-lived encrypted/TLS connections, receives relay server lists, and opens tunnels on demand to arbitrary destinations. Mentioned protocol elements include Register, Register Reply, Ping/Pong, Open Tunnel, Tunnel Status, Tunnel Message, and Close Tunnel. Reported registration and control paths include /initreq and /devicereg, with control or related domains including gmslb[.]net, safernetwork[.]io, tera-home[.]com, ninjatech[.]io, sdk.netnut.io, cyberprotector.online, and a decrypted Google Drive-delivered C2 value of nice-protect.com. Popa was specifically described as contacting lb.<C2>:5002/devicereg and receiving a peer_servers or servers list; closely related infrastructure observed in linked research used lb.gmslb[.]net:443/regdev and relay/front domains such as viki-play[.]com and star-layer[.]com.

Distribution has been observed through third-party Android apps, especially streaming, IPTV, utility, pirated, or modified TV applications. Named apps referencing Popa infrastructure include CRICFy, DooFlix, Sprozfy, RTS Tv, Flixoid, CyberFlix, Rapid Streamz, TvMob, and HD/OceanStreams. Synthient reported that analyzed samples often began relaying third-party traffic when the host app launched and that none of more than 20 observed publishers invoked the optional consent prompt present in Popa version 2.7.46.

The malware family has multiple related labels and variants, including Moneytiser, Loopop, Neupop, Hopanet, and Popanet. Reported package names include io.moneytise, io.popanet, io.nn.lp, io.nn.neunative, and io.nn.nativesdk. Later releases reportedly added fallback domains, Google Drive-hosted configuration, DNS-over-HTTPS, and a native variant intended to avoid detection. Synthient analyzed Popa version 2.7.46 from Android app com.ap.loveornot.

Researchers linked Popa’s backend and tunnel architecture to the Neunative proxy SDK and to RoboVPN’s bundled Neunative component, concluding these are different clients for the same proxy backend. Nokia Deepfield also reported a weak destination filter in the shared SDK design that blocks some private and reserved ranges but misses 0.0.0.0/8 and lacks a port blocklist, enabling a documented path to local ADB exposure via 0.0.0.0:5555 on Android- and Linux-class devices.

Public reporting cited in the content links Popa operationally to NetNut/Alarum Technologies, while noting that Alarum and NetNut denied operating a botnet or controlling the cited infrastructure. High-confidence observations in the content include direct communication by Popa-related samples with sdk.netnut.io and a controlled test showing traffic sent through gw.netnut.net:9595 emerging from a host running the Popa SDK.