The FBI and Google have disrupted a massive cyber operation that turned two million smart TVs and streaming boxes into a hidden proxy network. The botnet, known as Popa, relied on a malicious software development kit embedded in low-cost Android-based devices. It also used unofficial apps such as SmartTube to infect hardware without users' knowledge. That setup allowed attackers to route illicit traffic through the compromised devices, anonymizing their activities.
How the Botnet Operated
The infection chain began with a compromised software development kit that manufacturers embedded in low-cost Android devices. This SDK enabled remote control of the TVs and streaming boxes after they connected to the internet. In addition, apps like SmartTube distributed the malware to devices that installed them from unofficial sources. Once active, the botnet operators could route web traffic through these devices, turning each one into a relay point for malicious activity.
The Takedown Operation
The FBI and Google collaborated to identify and dismantle the command infrastructure behind Popa. Law enforcement seized servers and domain names that controlled the botnet, effectively cutting off its ability to communicate with infected devices. Google contributed threat intelligence and technical assistance to map the botnet's scope. The operation removed millions of devices from the botnet's control, though some may remain infected if users do not update or replace them.
Why This Matters
This takedown highlights the expanding attack surface of consumer electronics. Smart TVs and streaming boxes often receive limited security updates, making them prime targets for botnet operators. As the number of connected devices grows, so does the potential for large-scale proxy networks that operate outside user awareness. For consumers, the incident reinforces the importance of buying devices from reputable manufacturers and avoiding third-party app stores. For law enforcement and tech companies, it demonstrates the need for continuous collaboration to disrupt cybercriminal infrastructure before it can cause broader harm.



