Popa: From Sourcing to Distribution

Popa is an Android proxyware SDK that turns consumer devices (phones, tablets, streaming boxes) into residential proxy nodes. It ships inside third-party streaming, IPTV, and utility apps, and in the samples we analyzed it began relaying traffic at app launch with no consent prompt. Across samples analyzed, Popa communicated with NetNut-registered infrastructure, several carrying the cyberprotector[.]online C2 in the same APK. In a controlled test on June 17, 2026, a request we sent into NetNut's gateway exited through a device we had enrolled in Popa. Synthient assesses that at least some Popa-enrolled devices act as egress nodes for NetNut's proxy network. This is an analytic judgment, not a claim about NetNut's knowledge or intent; NetNut rejects it, and its full response is published alongside this report.

Executive Summary

This report documents Popa, an Android proxyware Software Development Kit (SDK) that enrolls consumer devices (phones, tablets, and streaming boxes) into a commercial residential proxy network, and its relationship to NetNut. Popa reaches devices through third-party partner apps that bundle the SDK. Synthient's research team is highly confident that the Popa SDK and its associated labels (Loopop, Neupop, and the "Moneytiser" variant) share operational infrastructure and telemetry with NetNut. This report expands on previous research published by KrebsOnSecurity, Qurium Media Foundation and Nokia Deepfield. Our analysis rests on four main points:

  1. Direct server communication, in which eighteen apps containing Moneytiser (first observed 2020-11-20 through 2026-05-23) communicate with NetNut's SDK endpoints.
  2. Shared operational infrastructure at the SDK-distribution level.
  3. Business connections and historical network data linked in Qurium's forensic investigation.
  4. First-party network telemetry (first captured 2026-06-17) showing traffic from devices running the Popa SDK egressing through NetNut's commercial gateway under controlled test conditions.

We encourage organizations to use the indicators at the end of this report to block the domains, IP addresses and files associated with Popa and its variants.

Key Findings

  • A consumer-facing proxyware SDK has been continuously operated since at least 2020-05-29. Moneytiser and its associated Popa variants are distributed inside consumer streaming, IPTV, and utility applications. Across the samples we analyzed, the SDK began relaying third-party traffic at host-app launch without displaying an informed-consent prompt. Version 2.7.46 includes an optional consent-prompt capability (see Popa Analysis); none of the publishers in our sample set were observed invoking it. This finding is limited to the samples and versions we examined and is not necessarily representative of all Popa builds. (Fact. VirusTotal; limited to the analyzed sample set)
  • Popa-family samples communicate directly with NetNut's SDK endpoints. Eighteen distinct Android proxyware samples (first observed 2020-11-20 through 2026-05-23) communicate directly with sdk[.]netnut[.]io; multiple samples also contact cyberprotector[.]online from within the same APK. (Fact. VirusTotal)
  • Public records, as compiled by Qurium, link the NinjaTech platform to NetNut leadership. According to publicly available business-registry data and historical site records analyzed by Qurium Media Foundation, the founder of the NinjaTech platform (ninjatech.io, registered 2020-01-29) is associated with executive leadership at NetNut. Synthient has not independently verified this individual-level linkage and reports it solely as compiled by Qurium from the public record. (Fact. as reported by Qurium / public business record)
  • Network telemetry associates Popa-enrolled hosts with NetNut's proxy pool. On 2026-06-17, egress traffic with a specific request path was routed through NetNut's commercial gateway (gw.netnut.net:9595) and originated from a host executing the Popa SDK. (Assessment, high confidence)

Background

Who Is NetNut?

NetNut is a residential and ISP-proxy provider. The domain netnut[.]io was registered on 2017-01-10, and the platform began operations that same year, offering proxies priced from $3.50 to $15.00 per GB depending on usage. NetNut has since expanded steadily beyond residential proxies, adding products such as datasets and curated web scrapers.

Netnut 2017 Landing Page
Figure 1. Landing page explaining NetNut's core business in 2017. (Archive.org)

What is Popa?

Popa is an Android residential proxy SDK that turns host devices into residential proxy nodes. Public research by organizations such as XLab has linked the SDK to larger operations, including the Vo1d campaign. The first "Popa" sample was distributed under the name Hopanet, and Synthient's Research Team also identified a previously unknown "Moneytiser" variant in circulation as early as 2020. Since then the SDK has continued to be developed; later releases add fallback domains, Google Drive-hosted configurations, DNS-over-HTTPS (DoH), and a native (C++) variant intended to avoid detection.

HopaClient
Figure 2. Hopanet SDK and its use of the early C2 server lb[.]gmslb[.]net (VirusTotal)

Table 1. PopaSDK Family Tree.

Brand       Package                             Language  Earliest dated sample  Hash (SHA-256)
Moneytiser  io.moneytise                        Java      2020-12                b4c9d522ab3f5f6373029cc0a7b452f3646b040b44b9239346a7f32f2e80c02b
Popa        io.popanet                          Java      2022-03                0cdd447340df54df07c314c46a45571a88d2101338429087ecc08022eaa78d5b
Loopop      io.nn.lp                            Java      2023-11                04924aa3adca537c958a77fa1596355b590888dc7176949fb83f8453c98218da
Neupop      io.nn.neunative / io.nn.nativesdk   C++       2026-02                5080a4ec04730f59d49c78f61b46578ee197016c7d6518168fbfdec4171ef3cd

Popa Analysis

Synthient's Research Team analyzed v2.7.46 (the latest version as of publication), recovered from the application with the package name 'com.ap.loveornot'. This app, uploaded to VirusTotal roughly three months before publication, is believed to be a later development build of Popa that resolves its relay servers through encrypted Google Drive files.

LoveOrNot Dev Sample
Figure 3. VirusTotal Page for “love or not” (VirusTotal)

In later versions of Popa, the SDK retrieves its C2 servers from AES-ECB-encrypted blobs hosted on Google Drive; the blob in this sample decrypts to nice-protect[.]com.
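
As an added illustration, not code recovered from Popa, the following Go program shows the extraction step an analyst runs against such a blob: base64-decode, AES-ECB-decrypt one 16-byte block at a time, and validate the padding. The key, the plaintext and the blob are constructed inside the example; the key embedded in the real build is not reproduced here, and the container format (base64 of PKCS#7-padded AES-ECB) is an assumption, since the report only states the cipher mode. The program also counts duplicate ciphertext blocks, the structural leak that lets you recognise an ECB-encrypted config before you have the key.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"encoding/base64"
	"errors"
	"fmt"
)

// exampleKey is a constructed AES-128 key for this example only; the key embedded
// in the Popa build is not reproduced here.
var exampleKey = []byte("0123456789abcdef")

// pkcs7Pad pads the plaintext to a whole number of AES blocks (assumed padding scheme).
func pkcs7Pad(b []byte) []byte {
	n := aes.BlockSize - len(b)%aes.BlockSize
	return append(append([]byte{}, b...), bytes.Repeat([]byte{byte(n)}, n)...)
}

// pkcs7Unpad strips the padding and rejects a malformed trailer, which is the usual
// symptom of decrypting with the wrong key.
func pkcs7Unpad(b []byte) ([]byte, error) {
	if len(b) == 0 || len(b)%aes.BlockSize != 0 {
		return nil, errors.New("plaintext is not block aligned")
	}
	n := int(b[len(b)-1])
	if n == 0 || n > aes.BlockSize {
		return nil, errors.New("bad padding length")
	}
	for _, c := range b[len(b)-n:] {
		if int(c) != n {
			return nil, errors.New("bad padding bytes")
		}
	}
	return b[:len(b)-n], nil
}

// ecb runs the raw block cipher over each 16-byte block independently. Go's standard
// library deliberately provides no ECB mode, so the loop is written out by hand.
func ecb(key, in []byte, decrypt bool) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	if len(in) == 0 || len(in)%aes.BlockSize != 0 {
		return nil, errors.New("input is not a multiple of the block size")
	}
	out := make([]byte, len(in))
	for i := 0; i < len(in); i += aes.BlockSize {
		if decrypt {
			block.Decrypt(out[i:i+aes.BlockSize], in[i:i+aes.BlockSize])
		} else {
			block.Encrypt(out[i:i+aes.BlockSize], in[i:i+aes.BlockSize])
		}
	}
	return out, nil
}

// EncryptConfig produces a blob in the assumed container format (base64 of
// PKCS#7-padded AES-ECB). It exists only so the example is self-contained.
func EncryptConfig(key []byte, plaintext string) (string, error) {
	ct, err := ecb(key, pkcs7Pad([]byte(plaintext)), false)
	if err != nil {
		return "", err
	}
	return base64.StdEncoding.EncodeToString(ct), nil
}

// DecryptConfig is the extractor step: decode, decrypt block by block, validate padding.
func DecryptConfig(key []byte, blobB64 string) (string, error) {
	ct, err := base64.StdEncoding.DecodeString(blobB64)
	if err != nil {
		return "", err
	}
	pt, err := ecb(key, ct, true)
	if err != nil {
		return "", err
	}
	if pt, err = pkcs7Unpad(pt); err != nil {
		return "", err
	}
	return string(pt), nil
}

// DuplicateBlocks counts ciphertext blocks identical to an earlier block. ECB preserves
// this structure, so repeats in a "random-looking" blob are a strong hint of ECB.
func DuplicateBlocks(ct []byte) int {
	seen, dups := map[string]bool{}, 0
	for i := 0; i+aes.BlockSize <= len(ct); i += aes.BlockSize {
		k := string(ct[i : i+aes.BlockSize])
		if seen[k] {
			dups++
		}
		seen[k] = true
	}
	return dups
}

func main() {
	blob, _ := EncryptConfig(exampleKey, "nice-protect[.]com") // constructed blob
	c2, err := DecryptConfig(exampleKey, blob)
	raw, _ := base64.StdEncoding.DecodeString(blob)
	fmt.Println("c2:", c2, "err:", err, "duplicate blocks:", DuplicateBlocks(raw))
}
```

When the candidate key is wrong, the padding check almost always fails, which is a cheap way to brute-force a short list of key candidates pulled from the APK's hardcoded constants.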

Popa Latest Sample
Figure 4. Popa Hardcoded Constants

Popa's device registration flow is handled in the PopaService file. The device first requests the "/initreq" endpoint, which returns "YES" or "NO" and so decides whether the device is enrolled into the proxy pool.

PopaService Code
Figure 5. PopaService code constructing the device registration URLs.

Only then does the client call the "/devicereg" endpoint, which returns the list of relay servers it connects to for proxying.

Popa Relay Servers
Figure 6. Popa Relay Servers List
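
The two-step exchange above, as an added example that is not code from Popa or from Synthient: a Go client that walks the same /initreq gate and /devicereg fetch against a mock registration server, the kind of stand-in an analyst uses to replay the SDK's client logic in a sandbox without touching live infrastructure. The "did" query parameter and the newline-separated relay list are assumptions; Figures 5 and 6 show the real URL construction and list format.

```go
package main

import (
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// Enrollment is the outcome of the two-step registration.
type Enrollment struct {
	Enrolled bool
	Relays   []string
}

// get performs one GET and returns the body, treating any non-200 as an error.
func get(c *http.Client, u string) (string, error) {
	resp, err := c.Get(u)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return "", fmt.Errorf("%s: HTTP %d", u, resp.StatusCode)
	}
	b, err := io.ReadAll(resp.Body)
	return string(b), err
}

// RunEnrollment mirrors the client side: /initreq answers with a literal YES/NO, and
// only an enrolled device proceeds to /devicereg for its relay list. The "did" parameter
// name and the one-relay-per-line format are assumptions made for this example.
func RunEnrollment(c *http.Client, base, deviceID string) (Enrollment, error) {
	q := "?" + url.Values{"did": {deviceID}}.Encode()
	answer, err := get(c, base+"/initreq"+q)
	if err != nil {
		return Enrollment{}, err
	}
	switch strings.TrimSpace(answer) {
	case "NO":
		return Enrollment{Enrolled: false}, nil
	case "YES":
	default:
		return Enrollment{}, fmt.Errorf("unexpected /initreq reply %q", answer)
	}
	list, err := get(c, base+"/devicereg"+q)
	if err != nil {
		return Enrollment{}, err
	}
	var relays []string
	for _, line := range strings.Split(list, "\n") {
		if line = strings.TrimSpace(line); line != "" {
			relays = append(relays, line)
		}
	}
	return Enrollment{Enrolled: true, Relays: relays}, nil
}

// NewMockC2 stands in for the registration server: it enrolls only the device IDs in
// allowed and refuses /devicereg to anything that did not pass the gate.
func NewMockC2(allowed map[string]bool, relays []string) *httptest.Server {
	mux := http.NewServeMux()
	mux.HandleFunc("/initreq", func(w http.ResponseWriter, r *http.Request) {
		if allowed[r.URL.Query().Get("did")] {
			io.WriteString(w, "YES")
		} else {
			io.WriteString(w, "NO")
		}
	})
	mux.HandleFunc("/devicereg", func(w http.ResponseWriter, r *http.Request) {
		if !allowed[r.URL.Query().Get("did")] {
			http.Error(w, "not enrolled", http.StatusForbidden)
			return
		}
		io.WriteString(w, strings.Join(relays, "\n"))
	})
	return httptest.NewServer(mux)
}

func main() {
	// Constructed device IDs and relay addresses (documentation ranges), not real infrastructure.
	srv := NewMockC2(map[string]bool{"device-a": true}, []string{"203.0.113.10:443", "203.0.113.11:443"})
	defer srv.Close()
	for _, id := range []string{"device-a", "device-b"} {
		e, err := RunEnrollment(srv.Client(), srv.URL, id)
		fmt.Printf("%s: enrolled=%v relays=%v err=%v\n", id, e.Enrolled, e.Relays, err)
	}
}
```

The gate matters for detection: a device that receives "NO" never learns the relay list, so relay-server indicators alone will miss SDK installs the operator has not yet activated, while the /initreq beacon is present in both cases.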

Later builds of Popa add an "alertDialog" function that lets the publisher prompt the user for consent. Although the latest build (v2.7.46) includes this capability, not all variants or earlier versions of Popa contain it, and of the more than 20 genuine Popa publishers analyzed, none were observed asking for user consent.

Of the publishers tracked and shared in this report, Synthient's Research Team observed a significant portion to be linked to piracy-related applications, bundling the proxy SDK without the user's consent.

Piracy-related websites promoting Popa and its variants.

Linkage and Overlap

On June 17, 2026, Synthient ran a controlled test using systems it operated on both ends. A request carrying the path "/NETNUT_EXT_TRAFFIC_FROM_PROXY" was issued toward the NetNut gateway at gw[.]netnut[.]net:9595 and arrived at a Synthient-operated honeypot, sourced from a device we had enrolled in the Popa SDK. No third-party traffic was involved at any point in the test.

On that basis, Synthient assesses that at least some Popa-enrolled devices act as egress nodes for NetNut's proxy infrastructure. (Assessment. High confidence as to the observed egress relationship; based on the controlled test described, and not establishing how the SDK is distributed or whether NetNut is aware of its deployment by any given publisher.)

Helios Honeypots
Figure 7. Helios honeypots capturing NetNut traffic from the Popa SDK.

Synthient's Research Team also observed the Moneytiser SDK using the domain "sdk[.]netnut[.]io" alongside references to cyberprotector[.]online in the same code.

Jizztagram App
Figure 8. Jizztagram application referencing the Moneytiser SDK, which includes both the cyberprotector[.]online and sdk[.]netnut[.]io domains.

Mitigation Strategies

Personal

  • Don't install untrusted applications, in particular free streaming and IPTV apps distributed outside official stores, which is where the Popa-bundled publishers in this report were found.

Organizations

  • Block Popa C2 and relay servers as mentioned in the observables section of this report.
  • Aggressive monitoring of SOCKS5 traffic: GhostSocks and other malware families favor SOCKS5 for its versatility. Monitoring for use of this protocol can reduce future risk.
  • Don't unquestioningly trust the IP address: threat actors exploit overconfident security policies by routing fraudulent traffic through victim machines. A residential source IP address does not mean the traffic is safe.
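
One way to act on the SOCKS5 point, as an added example rather than tooling from this report: a Go detector that classifies the first client-to-server bytes of a TCP flow as a SOCKS5 greeting or request (RFC 1928) and reports the command and requested target. The flows below are constructed sample payloads; in practice the bytes would come from a packet capture or a network sensor's first-payload field.

```go
package main

import (
	"encoding/binary"
	"fmt"
	"net"
	"strconv"
)

// Socks5Event is what the detector reports for one client->server payload.
type Socks5Event struct {
	Kind    string // "greeting" or "request"
	Methods []byte // auth methods offered in a greeting
	Cmd     byte   // 1 CONNECT, 2 BIND, 3 UDP ASSOCIATE (request only)
	Target  string // host:port from a request
}

// parseTarget decodes ATYP + DST.ADDR + DST.PORT (RFC 1928 section 4).
func parseTarget(b []byte) (string, bool) {
	if len(b) < 1 {
		return "", false
	}
	var host string
	var rest []byte
	switch b[0] {
	case 0x01: // IPv4
		if len(b) < 1+4+2 {
			return "", false
		}
		host, rest = net.IP(b[1:5]).String(), b[5:]
	case 0x03: // domain name, length-prefixed
		if len(b) < 2 || len(b) < 2+int(b[1])+2 {
			return "", false
		}
		n := int(b[1])
		host, rest = string(b[2:2+n]), b[2+n:]
	case 0x04: // IPv6
		if len(b) < 1+16+2 {
			return "", false
		}
		host, rest = net.IP(b[1:17]).String(), b[17:]
	default:
		return "", false
	}
	port := binary.BigEndian.Uint16(rest[:2])
	return net.JoinHostPort(host, strconv.Itoa(int(port))), true
}

// ClassifySocks5 inspects the first client->server bytes of a flow. A greeting is
// VER NMETHODS METHODS; a request is VER CMD RSV ATYP DST.ADDR DST.PORT. Both start
// with 0x05, so the greeting is matched by its exact length first and the request by
// its fixed RSV=0 field plus a target that parses cleanly.
func ClassifySocks5(payload []byte) (Socks5Event, bool) {
	if len(payload) < 3 || payload[0] != 0x05 {
		return Socks5Event{}, false
	}
	if n := int(payload[1]); n > 0 && len(payload) == 2+n {
		return Socks5Event{Kind: "greeting", Methods: payload[2:]}, true
	}
	if payload[1] >= 1 && payload[1] <= 3 && payload[2] == 0x00 && len(payload) >= 4 {
		if target, ok := parseTarget(payload[3:]); ok {
			return Socks5Event{Kind: "request", Cmd: payload[1], Target: target}, true
		}
	}
	return Socks5Event{}, false
}

// Flow is a minimal record of one outbound connection's first payload.
type Flow struct {
	Src, Dst string
	Payload  []byte
}

// Alerts returns one line per flow whose first bytes parse as SOCKS5.
func Alerts(flows []Flow) []string {
	var out []string
	for _, f := range flows {
		if ev, ok := ClassifySocks5(f.Payload); ok {
			out = append(out, fmt.Sprintf("%s -> %s: socks5 %s cmd=%d target=%s", f.Src, f.Dst, ev.Kind, ev.Cmd, ev.Target))
		}
	}
	return out
}

func main() {
	// Constructed sample flows using documentation address ranges.
	flows := []Flow{
		{"192.0.2.10", "198.51.100.5:1080", []byte{0x05, 0x01, 0x00}},
		{"192.0.2.10", "198.51.100.5:1080", append([]byte{0x05, 0x01, 0x00, 0x03, 11}, append([]byte("example.com"), 0x01, 0xbb)...)},
		{"192.0.2.11", "198.51.100.6:80", []byte("GET / HTTP/1.1\r\n")},
	}
	for _, a := range Alerts(flows) {
		fmt.Println(a)
	}
}
```

Matching on the greeting alone produces false positives from unrelated binary protocols that happen to start with 0x05; pairing a greeting with a well-formed request on the same flow, as the request parser above allows, is what makes the alert worth a look.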

Conclusion

Popa is an Android proxyware SDK distributed in multiple variants. Synthient's Research Team observed these samples enrolling consumer devices as proxy egress nodes from inside third-party apps; the SDK starts relaying traffic when the host app launches. Version 2.7.46 ships an optional consent-prompt capability, but none of the 20+ publishers in our sample set were observed invoking it. This observation is limited to the samples we examined.

The samples beacon to sdk[.]netnut[.]io, carry the cyberprotector[.]online domain in the same APK, and the relay flow is visible in the code we analyzed. Public business records, as compiled by Qurium and not independently verified by Synthient, are reported to associate the founder of the NinjaTech platform with executive leadership at NetNut. Furthermore, on 2026-06-17 we captured a request on the path /NETNUT_EXT_TRAFFIC_FROM_PROXY that we had sent into NetNut's gateway at gw[.]netnut[.]net:9595 arriving at our honeypot from a Popa-enrolled host.

On that evidence, Synthient assesses that traffic from at least some devices running the Popa SDK egresses through NetNut's commercial proxy gateway. This is an analytic judgment, not a statement of NetNut's internal knowledge or intent. NetNut rejects this: the company states that it operates a lawful proxy network and maintains KYC, customer due diligence, and misuse monitoring; its full response is reproduced in the Disclosure Notice section. We have published the underlying artifacts so the reader can weigh the facts and our assessment independently.

Disclosure Notice

Alarum Technologies Ltd. / NetNut was contacted for comment on June 18, 2026. NetNut responded the same day; its full response is reproduced below in its entirety, without edits.

Timeline

2026-06-18 - Synthient reaches out for inquiry regarding findings.

2026-06-18 - NetNut Responds.

2026-06-18 - Synthient publishes its side of the research in parallel with KrebsOnSecurity, Qurium, and Nokia Deepfield.

NetNut's Response:

“Dear Benjamin,

As you are no doubt aware, a commercial company, and all the more so a publicly traded company subject to legal, regulatory, confidentiality, and disclosure obligations, is generally not in a position to disclose or discuss non-public information in response to unsolicited inquiries from unaffiliated third parties. Equally unclear is what specific factual allegations are being advanced and what, if anything, the various references, assumptions, associations, and questions contained in your letter are ultimately intended to establish.

Beyond that, the information presented in your email bears little relation to whatever conclusions it may be intended to support.

To be clear, NetNut operates a legitimate commercial proxy network and maintains policies, procedures, and technological measures designed to promote lawful and responsible use of its services, including customer due diligence, KYC procedures, monitoring mechanisms, and measures intended to identify and address suspected misuse.

We reject the underlying premises and do not believe they provide a basis for further comment.

We take seriously the publication of allegations concerning our business and stakeholders, and trust that any report will be preceded by a careful review of both the underlying facts and the conclusions drawn from them.

Alarum and NetNut expressly reserve all rights and remedies with respect to any false, misleading, defamatory, or otherwise inaccurate publication.

Regards,”

Scope and Limitations

This analysis is based on static and dynamic examination of a finite set of Android samples, network telemetry from controlled tests run by Synthient, and publicly available records. It is subject to the following limitations:

  • The sample set is not exhaustive and may not represent all Popa variants, versions, or publishers in circulation.
  • Attribution of C2 and relay infrastructure is based on observed network behavior (beaconing, DNS resolution, traffic egress) and shared indicators — not on access to any party's internal systems.
  • This report does not establish, and does not purport to establish, the internal knowledge, intent, or culpability of NetNut, Alarum Technologies Ltd., or any individual. The evidence may be consistent with more than one explanation, including downstream misuse by publishers, white-label or reseller arrangements, or unauthorized use of an otherwise legitimate SDK.
  • Statements are labeled (Fact. …) where supported by a directly observable, reproducible artifact, and (Assessment. …) where they represent the research team's analytic judgment. Confidence levels reflect the strength and quantity of supporting evidence.

Observables and Indicators of Compromise

Observables and indicators of compromise can be found on the Synthient research GitHub.