Notebookcheck Logo

When your smart TV secretly serves as cover for criminals

Smart TVs and streaming boxes are quietly becoming part of criminal proxy networks
ⓘ ChatGPT Image 1.5
Smart TVs and streaming boxes are quietly becoming part of criminal proxy networks
Google has worked with the FBI to dismantle the NetNut proxy network. A large share of the roughly two million compromised devices are smart TVs and streaming boxes in private homes that were secretly used as cover for criminal attacks. Here is how to identify and avoid the risk.

Google has shut down the NetNut proxy network, also known as Popa, together with the FBI, network operator Lumen, and other partners. What makes this case unusual is that it affects ordinary homes. A large share of the compromised devices are smart TVs and streaming boxes in people's homes. According to an estimate by the Google Threat Intelligence Group, NetNut included at least two million devices worldwide.

What a proxy network has to do with your TV

A residential proxy network sells the ability to route traffic through the IP addresses of ordinary home internet connections. Criminals use this to hide their origin behind an inconspicuous residential IP. For this to work, a piece of code has to run on as many devices in homes as possible, turning them into exit nodes. That code ends up on devices found in many households through so-called SDKs, especially smart TVs and streaming boxes, as KrebsOnSecurity documented in its own research. The malware reaches a device in one of two ways. Either it is preinstalled before purchase, or users unknowingly download an app with hidden proxy code.

Why this is dangerous for those affected

If your own device becomes an exit node, other people's traffic runs through your home connection. Your own IP address can then be used as a launch point for attacks, password attacks, or fraud. For those affected, this means their own legitimate traffic may be flagged as suspicious or blocked by a provider. Attackers can also use the hijacked node to access other devices on the same home network. In a single week in June 2026, Google counted 316 different attacker groups using NetNut nodes, including cybercriminals and espionage actors. Security firms such as Synthient, Spur, and Nokia Deepfield also documented that NetNut was used to infect devices with variants of the Mirai DDoS botnet.

What Google has done

Google blocked the accounts and services NetNut used to control its malware and shared technical details about the SDKs and infrastructure with authorities and security firms. Google Play Protect, Android's built-in protection system, now automatically warns users about apps containing NetNut code and disables them. According to Google, this reduced the available device pool by millions. However, this is not a self-sustaining solution. NetNut runs a reseller program that lets other providers resell the same botnet under their own names. Google expects operators to buy capacity from competitors once their own network starts to weaken.

How to protect your devices

Be cautious with apps that promise money for sharing unused bandwidth. That is precisely how networks like this grow. Google recommends using only official app stores, checking the permissions of third-party VPN and proxy apps, and keeping Play Protect enabled. When buying streaming boxes or set-top boxes, you should stick to reputable manufacturers. Whether an Android device is Play Protect certified can be checked directly with Google. For TVs, the Android TV site lists certified partners.

Google LogoAdd as a preferred source on Google
Mail Logo
static version load dynamic
Loading Comments
Comment on this article
> Expert Reviews and News on Laptops, Smartphones and Tech Innovations > News > News Archive > Newsarchive 2026 07 > When your smart TV secretly serves as cover for criminals
Steffen Zahn, 2026-07- 6 (Update: 2026-07- 6)