Security researchers have uncovered a botnet called “Popa” that is quietly running on millions of inexpensive, off-brand Android TV streaming boxes — the kind you might find for $20–$40 on Amazon or discount websites. These devices look and work like normal streaming boxes, but in the background they are secretly connected to a network linked to a publicly-traded Israeli tech company. That network uses your home internet connection to route other people’s traffic without your permission.
The practical effect on you is slower internet speeds, especially when you’re watching shows. Your streaming box may appear to be just playing video, while silently doing hidden work on behalf of strangers. Researchers at Krebs on Security identified the company behind Popa and confirmed it has been profiting from this hidden network for years. The best fix is simple: stop using off-brand boxes altogether and replace them with a device from a recognized brand.
How to check if you’re affected
Affected products include generic, unbranded Android TV streaming boxes — especially cheap ones sold without a well-known brand name on the box. If you bought a streaming box for under $40 from an unfamiliar seller, it may be one of these devices.
To check: look at the box itself for a brand name. Recognized brands include Roku, Amazon Fire TV, Apple TV, Google Chromecast, and NVIDIA Shield. If your box has no clear brand name, or one you cannot find with a quick web search, treat it as potentially compromised. Unplug it from your router, and replace it with a trusted device.
If your home internet has been noticeably slower lately and you own an off-brand streaming box, the box is a likely culprit. Running a speed test with and without the box plugged in can help confirm.