Vo1d/Popa TV Box Botnet: NC SMB Network Defense (June 2026)

Krebs links the Popa/Vo1d Android TV box botnet to a public residential proxy provider. NC SMB IoT segmentation plan. Call (336) 886-3282.


TL;DR: On June 18, 2026, Brian Krebs reported that the Vo1d / Popa Android TV box botnet has compromised millions of consumer devices over the past four years and is now linked to NetNut, a "residential proxy" provider operated by the publicly traded Israeli firm Alarum Technologies. Per security firm Qurium, the botnet's traffic has been used for ad fraud, account takeover, and bulk data scraping - and per Rescana's research, the same campaigns tunnel through home networks to infect other Android devices behind the firewall. For NC SMBs - especially small offices with a break-room smart TV, shop-floor digital signage, or remote employees on home networks - the practical question is: is one of those cheap TV boxes now relaying traffic out of your network, and what else is on the same Wi-Fi as your point of sale, your finance laptop, or your ERP terminal?

Key takeaway: The risk is not that someone broke in to attack you. The risk is that consumer IoT inside your network is renting itself out to strangers, and you do not get to choose who those strangers are or what they do with your IP address.

Worried about untrusted IoT and BYOD devices on the same network as your point-of-sale or ERP terminal? Preferred Data Corporation runs managed network services for NC SMBs, including IoT segmentation, guest Wi-Fi design, and outbound traffic analytics. Call (336) 886-3282 or request a network segmentation review.

What is Vo1d / Popa and how big is the botnet?

Vo1d is a large-scale malware campaign first observed in 2022 targeting unofficial Android-based TV boxes - the $30 streaming boxes sold on marketplaces under generic brand names. Per KrebsOnSecurity's June 18, 2026 writeup and Security Boulevard's coverage:

  • Popa is a plugin component associated with the Vo1d family.
  • Millions of devices have been infected over a 4-year span.
  • Devices have been used to relay internet traffic linked to advertising fraud, account takeovers, and mass data-scraping efforts.
  • In May 2026, security firm Qurium identified scraping activity scattered across more than 1.4 million internet addresses sourced from the residential proxy network.
  • Research firms have linked the activity to NetNut, a residential-proxy product of the publicly traded Israeli firm Alarum Technologies Ltd.

Per the Rescana analysis, the related Kimwolf and Vo1d families also propagate to other Android-based devices inside the home or office LAN - phones, tablets, smart-TV dongles - meaning a single compromised TV box can become a foothold against the entire local subnet.

Why does this matter for an NC SMB if the malware targets consumer TV boxes?

Because consumer IoT does not respect business/home boundaries anymore. Most NC SMBs have at least one of these on a network where it shouldn't be:

Device Type | Typical NC SMB Location | Why It Matters
Generic Android TV box | Break room, lobby, waiting area | Active C2 destination if compromised
Digital signage stick | Storefront, sales floor, factory entrance | Often on the main business network, often unpatched
Smart TV (built-in Android) | Conference rooms | Same Vo1d-class exposure as TV boxes
Plant-floor tablet / "kiosk" Android | Manufacturer shop floor | Often on the OT network with no segmentation
Employee-brought Fire TV / Android stick (remote workers) | Home office | Shares Wi-Fi with the company laptop

Per the 2026 ShortPaper on BYOIT in SMBs, a typical 25-person SMB has 3-7 unmanaged IoT devices on the same network segment as a managed business asset. Each one is a potential entry into a residential proxy network.

What is the actual risk if my network ends up renting itself out to a residential proxy?

Three concrete business risks, none of them theoretical. Per Krebs and Qurium's research summary:

  1. IP reputation damage - Your business IP starts originating ad fraud, login-stuffing, or scraping traffic. Outcome: your IP ends up on blocklists, customer emails bounce, your e-commerce site triggers captchas for legitimate buyers.
  2. Cyber-insurance scrutiny - Carriers are increasingly explicit that residential-proxy participation is a control failure, not a force majeure. A claim from an unrelated event can be subject to clawback if the carrier finds you were running infected IoT.
  3. Lateral movement risk - The Vo1d/Kimwolf family is documented to infect other Android devices on the same LAN. A compromised break-room TV becomes a launchpad for the iPhone in your CFO's pocket, which becomes a phishing/MFA-fatigue attack the CFO does not see coming.

Per Verizon's 2026 DBIR, third-party involvement is now a factor in 48% of breaches - the residential proxy is the most under-reported third party in your network.

How does the typical SMB network end up exposed in the first place?

Three failure modes account for most of the risk PDC sees in NC SMBs:

  1. Flat network design - The default off-the-shelf small-business router/switch deployment puts everything on one VLAN. A TV box in the lobby is on the same subnet as the finance workstation.
  2. No outbound monitoring - Most SMB firewalls are configured to block inbound traffic and allow all outbound. Vo1d's QUIC/SOCKS outbound traffic looks like normal video streaming on egress.
  3. No IoT inventory - The SMB does not maintain a list of every device with a MAC address on its network. Per Microsoft's RSAC 2026 enterprise guidance, shadow IoT remains one of the top three enterprise blind spots in 2026.

Quotable definition: A residential proxy botnet is a network of compromised home/business devices that rent themselves out as exit nodes for commercial proxy services - making attacker traffic appear to originate from your IP address. The Vo1d / Popa family is the largest documented Android TV box implementation of this model.

What is the right 30-day rollout for an NC SMB to close this exposure?

A four-week sprint PDC runs as part of its managed network and managed IT services:

Week | Action | Outcome
1 | Inventory every device on the business network (MAC address, OS/firmware, vendor, business owner) | First-time visibility into shadow IoT
2 | Segment the network into Business / IoT / Guest VLANs with firewall rules between each; isolate Android TV boxes and signage onto the IoT VLAN with no LAN access | Compromised TV box loses its lateral path to business assets
3 | Replace generic Android TV boxes used for business purposes (signage, conference rooms) with managed alternatives (Apple TV with MDM, BrightSign, Chrome OS for signage) | Removes the affected device class from the business network entirely
4 | Deploy outbound traffic analytics (managed firewall + DNS filtering) and alert on bulk SOCKS / QUIC tunnel patterns; document an IoT acquisition policy | Future shadow IoT caught at procurement, not at compromise
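The week-1 inventory step (and the "no IoT inventory" failure mode above) comes down to one comparison: what the network actually sees versus what the business has approved. The script below is an added example for this article, not PDC tooling. It reads a dnsmasq-style DHCP leases file and Linux `ip neigh` output (both constructed here), maps each address onto an assumed VLAN plan, and reports devices missing from the asset list, approved devices sitting on the wrong VLAN, and approved devices that were not seen at all. Every MAC, address and hostname in it is made up.

```python
"""Shadow-IoT inventory audit: compare what the network actually sees (DHCP
leases plus the ARP/neighbour table) against the approved asset list.

Example code added to this article; it is not PDC tooling. The lease lines
follow the dnsmasq leases-file layout and the neighbour lines follow Linux
`ip neigh` output, but every address, MAC and hostname below is constructed.
"""
import re
from collections import namedtuple
from ipaddress import ip_address, ip_network

Device = namedtuple("Device", "mac ip hostname")
Finding = namedtuple("Finding", "severity kind mac ip vlan note")

# Constructed VLAN plan (an assumption about addressing, not a PDC standard).
VLANS = {
    "business": ip_network("10.10.10.0/24"),
    "iot": ip_network("10.10.20.0/24"),
    "guest": ip_network("10.10.30.0/24"),
}

# Approved asset list the business maintains (constructed): MAC -> (owner, intended VLAN).
APPROVED = {
    "d4:5d:64:aa:bb:01": ("Finance laptop, S. Lee", "business"),
    "3c:2e:f9:ee:ff:03": ("Lobby signage stick", "iot"),
    "f0:9f:c2:55:66:05": ("Conference room AV", "iot"),
}

# Constructed dnsmasq-style leases: <expiry> <mac> <ip> <hostname> <client-id>
DHCP_LEASES = """\
1782000000 d4:5d:64:aa:bb:01 10.10.10.21 FIN-LAPTOP-03 01:d4:5d:64:aa:bb:01
1782000000 00:1a:2b:cc:dd:02 10.10.10.77 android-3f9c1a2b *
1782000000 3c:2e:f9:ee:ff:03 10.10.10.90 signage-lobby *
1782000000 02:11:22:33:44:04 10.10.30.40 * *
"""

# Constructed `ip neigh` output: <ip> dev <iface> lladdr <mac> <state>
IP_NEIGH = """\
10.10.10.21 dev eth0.10 lladdr d4:5d:64:aa:bb:01 REACHABLE
10.10.10.77 dev eth0.10 lladdr 00:1a:2b:cc:dd:02 STALE
10.10.20.33 dev eth0.20 lladdr 8c:de:52:77:88:06 REACHABLE
"""

NEIGH_RE = re.compile(r"^(\S+) dev \S+ lladdr ([0-9a-f:]{17})", re.IGNORECASE)


def parse_leases(text):
    """DHCP view: gives hostnames, but only for devices that asked for a lease."""
    devices = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        _expiry, mac, ip, hostname = parts[:4]
        devices[mac.lower()] = Device(mac.lower(), ip, "" if hostname == "*" else hostname)
    return devices


def parse_neigh(text):
    """ARP view: catches static-IP devices that never touched DHCP."""
    devices = {}
    for line in text.splitlines():
        m = NEIGH_RE.match(line)
        if m:
            mac = m.group(2).lower()
            devices[mac] = Device(mac, m.group(1), "")
    return devices


def vlan_of(ip):
    addr = ip_address(ip)
    return next((name for name, net in VLANS.items() if addr in net), "unknown")


def audit(leases_text, neigh_text, approved):
    """Return findings: devices not on the asset list, approved devices sitting on
    the wrong VLAN, and approved devices that were not seen at all."""
    seen = parse_neigh(neigh_text)
    seen.update(parse_leases(leases_text))  # DHCP record wins: it carries the hostname
    findings = []
    for mac, dev in sorted(seen.items()):
        vlan = vlan_of(dev.ip)
        if mac not in approved:
            # An unknown device on the business VLAN is exactly the case the article warns about.
            severity = "high" if vlan == "business" else "medium"
            findings.append(Finding(severity, "unapproved", mac, dev.ip, vlan, dev.hostname))
        elif approved[mac][1] != vlan:
            findings.append(Finding("high", "wrong-vlan", mac, dev.ip, vlan, approved[mac][0]))
    for mac, (owner, vlan) in approved.items():
        if mac not in seen:
            findings.append(Finding("info", "not-seen", mac, "", vlan, owner))
    return findings


if __name__ == "__main__":
    for f in audit(DHCP_LEASES, IP_NEIGH, APPROVED):
        print(f"[{f.severity:6}] {f.kind:10} {f.mac} {f.ip:14} vlan={f.vlan:8} {f.note}")
```

Two details are deliberate. The neighbour table is merged in as well as the lease file because a device with a static address never appears in DHCP, and the hostname is kept because an `android-` hostname (Android's default DHCP hostname pattern) on the business VLAN is the quickest way to spot the break-room TV box sitting next to the finance laptop. In the constructed data, the signage stick that was approved for the IoT VLAN shows up on the business subnet, which is the week-2 segmentation failure this audit is meant to catch before it is exploited.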

Key takeaway: A 25-person NC SMB cannot inspect every encrypted outbound flow, but it can put consumer IoT on a separate VLAN and replace the worst offenders with managed devices. That single step eliminates most of the Vo1d/Popa exposure in a typical small office.

Should NC SMBs just refuse to allow any consumer device on the network?

No - the realistic 2026 SMB has employees who bring phones, tablets, and the occasional Roku for a remote work-from-home setup. The correct posture is segmentation, not abstinence:

  • Guest Wi-Fi for personal devices - Wi-Fi Protected Access 3 (WPA3) with a separate SSID and no route to the business LAN.
  • IoT VLAN for business IoT - Cameras, badge readers, signage, conference room AV on a dedicated VLAN with internet-only egress (no east-west traffic to business systems).
  • Business VLAN for staff workstations and servers - With outbound DNS filtering and EDR on every endpoint.
  • OT VLAN for plant-floor systems (manufacturers only) - With strict allowlists and no internet egress except through a managed jump host.
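VLANs on their own do not enforce any of the four bullets above; the inter-VLAN firewall rules do, and rule order is where the mistakes happen. The checker below is an added example for this article, not PDC's design and not any vendor's rule syntax. It models a first-match, default-deny rule list over an assumed addressing plan (the subnets, the jump-host address 10.10.10.5 and the sample flows are all constructed), then evaluates the promises made in the list above against both a segmented policy and the flat "allow all outbound" default described earlier.

```python
"""Check that a VLAN firewall policy enforces the four-segment model described
above, by evaluating sample flows against it.

Example code added to this article; it is not PDC's design and uses no
vendor's rule syntax. The addressing, the rule list and the jump-host
address are constructed assumptions. Only new connections are modelled; a
stateful firewall allows the return half of an allowed connection.
"""
from ipaddress import ip_address, ip_network

# Constructed VLAN plan.
VLANS = {
    "business": ip_network("10.10.10.0/24"),
    "iot": ip_network("10.10.20.0/24"),
    "guest": ip_network("10.10.30.0/24"),
    "ot": ip_network("10.10.40.0/24"),
}
ANY = ip_network("0.0.0.0/0")
PRIVATE = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16")]
JUMP_HOST = ip_network("10.10.10.5/32")  # assumed managed jump host in the business VLAN

# A rule is (source network, destination network, action). Rules are evaluated
# first match wins, and anything unmatched is denied.
SEGMENTED_POLICY = [
    # Only the managed jump host may initiate into OT (must precede the business denies).
    (JUMP_HOST, VLANS["ot"], "allow"),
    # Business: talk within the VLAN and to the internet, nothing else internal.
    (VLANS["business"], VLANS["business"], "allow"),
    *[(VLANS["business"], net, "deny") for net in PRIVATE],
    (VLANS["business"], ANY, "allow"),
    # IoT and guest: internet-only egress, no east-west traffic at all.
    *[(VLANS["iot"], net, "deny") for net in PRIVATE],
    (VLANS["iot"], ANY, "allow"),
    *[(VLANS["guest"], net, "deny") for net in PRIVATE],
    (VLANS["guest"], ANY, "allow"),
    # OT: reach the jump host and each other, no internet egress.
    (VLANS["ot"], JUMP_HOST, "allow"),
    (VLANS["ot"], VLANS["ot"], "allow"),
    (VLANS["ot"], ANY, "deny"),
]

# The flat, allow-all-outbound default the article describes, for contrast.
FLAT_POLICY = [(ANY, ANY, "allow")]

# What the segmentation plan promises, as sample flows: (src, dst, expected, requirement).
REQUIREMENTS = [
    ("10.10.20.15", "10.10.10.21", "deny", "IoT cannot reach a business workstation"),
    ("10.10.20.15", "10.10.40.7", "deny", "IoT cannot reach the plant floor"),
    ("10.10.20.15", "203.0.113.9", "allow", "IoT can still reach the internet"),
    ("10.10.30.40", "10.10.10.21", "deny", "guest has no route to the business LAN"),
    ("10.10.30.40", "203.0.113.9", "allow", "guest can reach the internet"),
    ("10.10.40.7", "203.0.113.9", "deny", "OT has no direct internet egress"),
    ("10.10.40.7", "10.10.10.5", "allow", "OT can reach the managed jump host"),
    ("10.10.10.5", "10.10.40.7", "allow", "the jump host can reach OT"),
    ("10.10.10.21", "10.10.40.7", "deny", "an ordinary workstation cannot reach OT directly"),
    ("10.10.10.21", "203.0.113.9", "allow", "business can reach the internet"),
]


def decision(policy, src, dst):
    """First matching rule decides; no match means deny."""
    s, d = ip_address(src), ip_address(dst)
    for src_net, dst_net, action in policy:
        if s in src_net and d in dst_net:
            return action
    return "deny"


def violations(policy):
    """Requirements the policy fails to meet (an empty list means it passes)."""
    return [why for src, dst, expected, why in REQUIREMENTS
            if decision(policy, src, dst) != expected]


if __name__ == "__main__":
    print("segmented policy violations:", violations(SEGMENTED_POLICY) or "none")
    for why in violations(FLAT_POLICY):
        print("flat network fails:", why)
```

The flat policy fails every "deny" requirement, which is the state most off-the-shelf small-business routers ship in. The same check is worth rerunning after any firewall change: the single most common regression is a broad allow rule inserted above the private-range denies, which silently reopens the IoT-to-business path without anyone touching the VLAN configuration.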

Per Cybersecurity Dive's 2026 SMB network design coverage, this is now the minimum baseline for any SMB that handles regulated data or processes customer payments.

How does Preferred Data Corporation help NC SMBs close shadow IoT exposure?

PDC supports NC small businesses, manufacturers, and distributors with the three layers required to remove the Vo1d/Popa attack class:

  • Managed network services with managed firewall, VLAN design, IoT segmentation, and outbound traffic analytics tuned to detect SOCKS/QUIC tunneling and bulk scraping behavior.
  • Managed IT services with device inventory, asset lifecycle management, and procurement guidance so that the next signage refresh does not bring three more unpatched Android boxes onto the business network.
  • Managed cybersecurity with DNS-layer protection, EDR coverage across managed endpoints, and IP-reputation monitoring so that your business address does not appear on a blocklist before you find out from a customer.

PDC has served NC small businesses, manufacturers, and distributors for over 37 years with on-site coverage within 200 miles of High Point. The combination of local NC presence, 20+ year average client retention, and modern network segmentation tooling is what gets an IoT-safe network deployed and verified in 30 days, not 30 weeks.

Want to know what is actually on your network right now? Call (336) 886-3282 or request a network segmentation review.

Frequently Asked Questions

What is Vo1d / Popa in one sentence?

Vo1d / Popa is a multi-year malware campaign that turned millions of consumer Android TV boxes into a global residential-proxy botnet, used for ad fraud, account takeovers, and data scraping - and recently linked by KrebsOnSecurity to NetNut, a commercial proxy product of the publicly traded firm Alarum Technologies.

How would I know if my SMB's TV box is part of this?

The honest answer is "you would not, without instrumentation." Per Qurium's research, Vo1d-class devices look and behave normally to the user. Detection signals require outbound traffic analytics (SOCKS/QUIC tunnel patterns), DNS analytics (unusual destinations), or IP reputation monitoring. PDC's managed network service includes all three.
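The instrumentation this answer refers to, and the "no outbound monitoring" failure mode and week-4 analytics earlier in the article, rest on one observation: a streaming client talks to a handful of CDN hosts with long, download-heavy sessions, while a device acting as a proxy exit fans out to many unrelated servers with short, small, byte-balanced sessions. The script below is an added example for this article, not PDC's analytics, and it does not fingerprint Vo1d itself. It profiles constructed flow records (a simple CSV-like shape standing in for NetFlow/IPFIX or vendor syslog) per source device and flags destination fan-out and long-lived, byte-balanced UDP/443 sessions; the thresholds are starting points to tune per site, not published indicators.

```python
"""Outbound traffic analytics for an IoT VLAN: flag a device whose egress
looks like a proxy exit node rather than a streaming client.

Example code added to this article; it is not PDC's analytics and does not
fingerprint Vo1d itself. Flow records use a constructed CSV-like shape (real
firewalls export NetFlow/IPFIX or vendor syslog, which you would parse
instead) and the thresholds are starting points to tune per site.
"""
import statistics
from collections import defaultdict

FIELDS = ("src", "dst", "proto", "dport", "bytes_out", "bytes_in", "secs")

# Tunable thresholds (assumptions): a TV box normally talks to a handful of
# CDN hosts per hour; a proxy exit fans out to many unrelated servers.
FANOUT_MIN = 25          # distinct destinations per source in the window
TUNNEL_MIN_SECS = 1800   # long-lived session
BALANCED = (0.3, 0.7)    # upload share that looks like relaying, not streaming


def constructed_flows():
    """Constructed one-hour sample: a benign signage stick and a suspect box."""
    rows = [
        # 10.10.20.15: a few long, download-heavy sessions to two CDN hosts.
        ("10.10.20.15", "203.0.113.10", "tcp", 443, 12_000, 840_000_000, 2400),
        ("10.10.20.15", "203.0.113.11", "udp", 443, 9_000, 610_000_000, 1800),
        ("10.10.20.15", "203.0.113.10", "tcp", 443, 4_000, 95_000_000, 600),
        # 10.10.20.16: one long-lived, byte-balanced UDP/443 session to one upstream...
        ("10.10.20.16", "198.51.100.7", "udp", 443, 48_000_000, 51_000_000, 3500),
    ]
    # ...plus dozens of short, small sessions to distinct web servers (exit-node fan-out).
    for i in range(60):
        rows.append(("10.10.20.16", f"192.0.2.{i + 1}", "tcp", 443,
                     3_000 + 40 * i, 9_000 + 70 * i, 4))
    return [dict(zip(FIELDS, r)) for r in rows]


def upload_share(bytes_out, bytes_in):
    total = bytes_out + bytes_in
    return bytes_out / total if total else 0.0


def profile(flows):
    """Per-source summary of outbound behaviour."""
    by_src = defaultdict(list)
    for f in flows:
        by_src[f["src"]].append(f)
    out = {}
    for src, fl in by_src.items():
        tunnel_like = sorted({
            f["dst"] for f in fl
            if f["proto"] == "udp" and f["dport"] == 443 and f["secs"] >= TUNNEL_MIN_SECS
            and BALANCED[0] <= upload_share(f["bytes_out"], f["bytes_in"]) <= BALANCED[1]
        })
        out[src] = {
            "flows": len(fl),
            "distinct_dst": len({f["dst"] for f in fl}),
            "median_secs": statistics.median([f["secs"] for f in fl]),
            "upload_share": upload_share(sum(f["bytes_out"] for f in fl),
                                         sum(f["bytes_in"] for f in fl)),
            "tunnel_like": tunnel_like,
        }
    return out


def findings(flows):
    """Sources worth an analyst's attention, with the reasons."""
    hits = {}
    for src, p in profile(flows).items():
        reasons = []
        if p["distinct_dst"] >= FANOUT_MIN:
            reasons.append(f"fan-out: {p['distinct_dst']} distinct destinations, "
                           f"median session {p['median_secs']:.0f}s")
        for dst in p["tunnel_like"]:
            reasons.append(f"long-lived byte-balanced udp/443 session to {dst}")
        if reasons:
            hits[src] = reasons
    return hits


if __name__ == "__main__":
    for src, reasons in findings(constructed_flows()).items():
        print(src)
        for r in reasons:
            print("  -", r)
```

Neither signal is proof on its own: a software update can produce a burst of destinations, and a video call is a long, balanced UDP session. What makes the pair useful on an IoT VLAN is that the device class is narrow, so a per-device baseline is easy to establish and a TV box that starts behaving like a web crawler is easy to notice. Pair the alert with the inventory from week 1 so the finding names an owner rather than just an IP.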

What if I just unplug the TV box?

Removing the affected device from the network closes the immediate exposure. But unless you also segment the network and replace the device with a managed alternative (or remove the use case entirely), the next consumer device that comes in - signage refresh, smart TV upgrade, employee bringing a Roku - re-creates the risk. The durable fix is segmentation plus inventory.

Does this affect Apple TV, Roku, or Chromecast?

The Vo1d / Popa family specifically targets unofficial Android-based TV boxes, per KrebsOnSecurity. Apple TV, current Roku, and current Chromecast devices are not part of this specific campaign. That said, the broader IoT segmentation rationale still applies - even uncompromised consumer devices should not share a network segment with business systems.

How much does network segmentation cost a 25-person NC SMB?

For a 25-person SMB office, a one-time managed firewall + VLAN design typically runs $3K-$8K including hardware refresh, with ongoing managed network services at $30-$75 per user per month depending on tier. PDC bundles network management inside the managed IT services for predictable per-seat pricing.
