Popa Botnet — Android TV Box Residential-Proxy Malware (Vo1d/Mzmess Plugin) Linked to NetNut / Alarum Technologies — Threadlinqs Intelligence
Threat ID: TL-2026-0858 · Severity: HIGH · Status: ACTIVE · Category: MALWARE
Attribution: Vo1d · FINANCIAL
Popa is a proxy-service plugin of the modular Vo1d/Mzmess Android malware that converts unofficial Android TV boxes and pirated streaming apps into a residential-proxy relay. It registers infected
Popa is one of four plugins of the modular Android malware family Mzmess, the second-stage payload of the Vo1d botnet (aka LinkDoor). The Mzmess architecture has three components: an 'entry' that downloads the SDK, an 'sdk' that self-updates and downloads plugins (using AES encryption and a shared key, with separate sdkbin, reportcompbin, and pluginbin request channels), and 'plugin' modules that execute business logic. The four observed plugins are Popa (com.app.mz.popan) and Jaguar (com.app.mz.jaguarn) for proxy services, Lxhwdg (com.app.mz.lxhwdgn) for remote access (purpose partly unknown, C2 offline), and Spirit (com.app.mz.spiritn) for ad promotion and traffic inflation.
Popa implements a persistent communications layer that registers a device, maintains long-lived encrypted connections, and opens communication tunnels on demand — effectively enrolling the device into a residential-proxy pool rather than conducting destructive attacks. Infected devices include unofficial Android TV boxes sold under thousands of brand names (e.g. X96 Mini and generic HDMI-stick devices) and pirated/modded streaming apps such as CRICFy, DooFlix, Sprozfy, RTS Tv, Flixoid, CyberFlix, Rapid Streamz, TvMob, and HD/OceanStreams. Researchers also reported proxy SDKs embedded in a large share of LG webOS apps (~42% of ~3,000 apps) and Samsung Tizen apps (~25%), plus mobile VPN, screensaver, and productivity apps. A VPN app named RoboVPN was tied to the Vo1d/Popa ecosystem.
The underlying Vo1d loader chain decrypts a package (ts01) containing install.sh, cv, vo1d, and x.apk, and an ELF variant tracked as s63. The malware masquerades under the package name com.google.android.gms.stable to imitate Google Play Services, and establishes persistence by listening for the BOOT_COMPLETED broadcast so it restarts after reboot. Network communications are protected with RSA (to prevent C2 takeover) and XXTEA-encrypted payloads whose keys are RSA-protected, with a Domain Generation Algorithm (DGA) backing C2 resilience.
The operation runs through an estimated 250-300 controller/Internet addresses directing activity and surfaces 1.5-2.5 million distinct IP addresses daily; researchers monitored 26 of 359+ known relay nodes, each handling roughly 35,000-60,000 simultaneous clients. Reporting (KrebsOnSecurity, Synthient, Qurium) attributes the commercial proxy layer to NetNut, a residential-proxy provider owned by publicly-traded Israeli firm Alarum Technologies Ltd (NASDAQ: ALAR); the control domain ninjatech[.]io was linked to Moishi Kramer, identified as NetNut's VP of Research & Development. NetNut stated the relevant code 'was sold and licensed to third parties including resellers years ago,' while Synthient assessed with high confidence that Popa-infected devices forward traffic from NetNut clients. New Popa control domains were registered following the July 2025 Badbox 2.0 takedown by Google, HUMAN Security, and Trend Micro.
Weaknesses (CWE)
CWE-506, CWE-829, CWE-940
Target sectors: consumer, media, advertising, technology
Target regions: Global, South America, Africa, South Asia, Southeast Asia
Detections & IOCs
This threat has 9 detection rule(s) across Splunk SPL, Microsoft KQL and Sigma, and 24 indicator(s) of compromise. Detection query text and full IOC values are available to authenticated users and programmatically via the Threadlinqs MCP server (Purple tier). View plans.
MALWARE, HIGH, threat intelligence, cybersecurity, T1583, T1587, T1584, T1195, T1204, T1546, T1655, T1406, T1407, T1573