Google and the FBI Target Massive Botnet That Quietly Used Home Devices to Mask Cybercrime
Millions of low-cost, off-brand Android devices were hijacked to help criminals hide online.
- The NetNut botnet infected millions of low-cost, off-brand Android devices globally, using them as residential proxies to hide cybercriminal traffic.
- Google's Threat Analysis Group and the FBI jointly executed the takedown, seizing command-and-control servers and domain infrastructure.
- NetNut operated as a 'proxy-as-a-service' botnet, selling access to residential IP addresses for credential stuffing, ad fraud, and phishing campaigns.
- The botnet exploited security gaps in cheap Android devices—often lacking firmware updates or secure boot—making them easy to compromise remotely.
- This operation is one of the largest residential proxy botnet takedowns in recent years, highlighting the growing government-industry collaboration against IoT-based cyber threats.
Residential proxy botnets like NetNut operate by infecting everyday smart devices—such as Android TV boxes, smartphones, and IoT gadgets—turning them into gateways for criminals. The hijacked devices route malicious traffic through legitimate home IP addresses, making it appear as if the activity originates from a real person. This technique is widely used to bypass geo-restrictions, evade detection, and launch attacks like credential stuffing, ad fraud, and phishing campaigns. NetNut specifically targeted low-cost Android devices with outdated or poorly secured firmware, often sold through third-party marketplaces.
The precise number of infected devices has not been disclosed, but sources indicate it runs into the millions, spanning multiple countries. The botnet's infrastructure included proxy relays and command-and-control servers that Google and the FBI collectively seized. No arrests have been publicly announced, but the operation involved court-authorized actions to disrupt the domain names and servers NetNut relied on. Google's involvement stems from its extensive threat intelligence network, which monitors malicious activity across its platforms. The company has previously collaborated with law enforcement on takedowns like that of the Glupteba botnet and cryptomining campaigns.
This takedown underscores a critical blind spot in IoT security: millions of cheap Android devices lack basic protections, such as regular security updates or secure boot processes. Manufacturers often prioritize low cost over security, leaving devices vulnerable to remote compromise. Once infected, botnets like NetNut can persist for years without users noticing any performance issues, as the devices continue to function normally while silently relaying criminal traffic. Google's Threat Analysis Group noted that NetNut was particularly sophisticated because it used a proxy-as-a-service model, selling access to the botnet's residential IPs to criminals for a fee.
The broader implications reach beyond this single botnet. Residential proxy services, both legitimate and malicious, are booming as cybercriminals seek to evade increasingly advanced detection systems. The takedown of NetNut sends a message that collaborative efforts between tech companies and law enforcement can disrupt even well-hidden criminal infrastructure. However, the pace of IoT adoption continues to outstrip security standards, meaning similar botnets will likely emerge unless manufacturers are held accountable for device safety.
Looking ahead, users should take proactive steps to secure their smart home devices: buy from reputable brands, disable unnecessary remote access, and apply firmware updates promptly. Regulators in the US and Europe are already considering mandatory IoT security labels, but until those become law, the responsibility largely falls on consumers. The NetNut takedown is a win for cybersecurity, but it also serves as a warning that the army of unsecured devices in our homes remains an inviting target for criminals.
Frequently Asked Questions
NetNut was a massive botnet that hijacked millions of low-cost Android devices to create a residential proxy network, masking criminal online activity.
It infected off-brand Android devices through vulnerabilities in their firmware, then used them as proxies to route criminal traffic, making it appear legitimate.
Google's Threat Analysis Group collaborated with the FBI to dismantle the botnet's infrastructure.
Millions of low-cost, off-brand Android devices worldwide were infected.
Users should keep devices updated, avoid off-brand IoT products with poor security, and use strong passwords.
It highlights the growing threat of residential proxy botnets and the importance of IoT security collaboration between tech companies and law enforcement.
Topics
Original source
www.cnet.com
Discussion
Join the discussion
Sign in to post a comment or reply.
No comments yet. Be the first to share your thoughts!