Research & Intelligence
Deep dives into internet infrastructure, threat actor tradecraft, and data analysis from the Synthient team.
Popa: From Sourcing to Distribution
Popa is an Android proxyware SDK that turns consumer devices (phones, tablets, streaming boxes) into residential proxy nodes. It ships inside third-party streaming, IPTV, and utility apps, and in the samples we analyzed it began relaying traffic at app launch with no consent prompt. Across samples analyzed, Popa communicated with NetNut-registered infrastructure, several carrying the cyberprotector[.]online C2 in the same APK. In a controlled test on June 17, 2026, a request we sent into NetNut's gateway exited through a device we had enrolled in Popa. Synthient assesses that at least some Popa-enrolled devices act as egress nodes for NetNut's proxy network. This is an analytic judgment, not a claim about NetNut's knowledge or intent; NetNut rejects it, and its full response is published alongside this report.
Stay updated
Get the latest research delivered directly to your inbox.
