Google disrupts NetNut residential proxy network built on 2 million devices

Google LLC has disrupted NetNut, one of the largest residential proxy networks in operation, degrading a service that had turned more than 2 million home devices worldwide into relays for other people’s internet traffic.

The action was carried out in coordination with the U.S. Federal Bureau of Investigation, Lumen Technologies Inc. and others. Google’s Threat Intelligence Group said the effort reduced the pool of devices available to the proxy operator by millions and caused significant degradation to the network and its business. The FBI seized several NetNut domains as part of the operation.

NetNut, also tracked as Popa, sells access to residential internet addresses that let buyers route traffic through real home connections. That makes malicious activity look like ordinary browsing rather than the datacenter traffic security tools tend to block. Google estimates the network spans at least 2 million devices, many of them smart TVs and streaming boxes that were either shipped with the proxy code preinstalled or picked it up through free apps that concealed it.

Google took three main steps. It disabled Google accounts and services NetNut used for malware command and control, shared technical intelligence on the network’s software development kits and back-end infrastructure with platform providers, law enforcement and research firms and set Google Play Protect to warn users and disable applications carrying NetNut SDKs.