Popa: From Sourcing to Distribution
Essential information
- Published
- 18/06/2026 21:31
- Modified
- —
- Source / Author
- AlienVault
- Confidence
- 100/100
- Report type(s)
- threat-report
- Labels / Tags
- android consent bypass hopanet loopop moneytiser netnut neupop popa proxyware residential proxy sdk
- Related entities
- 200 indicators, 200 observables, 8 techniques (mitre), 5 malware
Description
An Android proxyware SDK named Popa enrolls consumer devices including phones, tablets, and streaming boxes into a commercial residential proxy network. Operating since at least 2020, Popa and its variants (Loopop, Neupop, and Moneytiser) are distributed inside consumer streaming, IPTV, and utility applications. The SDK begins relaying third-party traffic at host-app launch without displaying informed-consent prompts in analyzed samples. Multiple variants communicate directly with NetNut SDK endpoints, sharing operational infrastructure and telemetry. Controlled testing showed traffic from Popa-enrolled devices egressing through NetNut's commercial gateway. The SDK uses encrypted Google Drive files to resolve relay servers in later versions. Analysis of over 20 publishers revealed significant links to piracy-related applications, with none observed requesting user consent despite later builds including this capability.