Superbox Set-Top Box Turns Home Networks Into Covert Proxy Botnet Nodes
Superbox drew consumer attention with promises of access to more than 2,200 television channels and streaming services without a subscription, all for a one-time payment of roughly $400. Yet an examination of the device revealed that such functionality is achieved through bundled applications that turn the home network into a proxy node and open the door to abuse. Analysts at Censys reported that these set-top boxes begin communicating with external servers immediately after power-on, and the installed software effectively integrates the device into a distributed network frequently used for advertising-traffic schemes and credential-stuffing operations.
Interest in Superbox has surged because buyers hope to obtain premium content without ongoing fees, even though the manufacturer stresses on its website that it sells only the hardware. Official Android TV applications do not function on the device, and to access the advertised channels users must remove Google Play and install a third-party store, Blue TV Store. Only then do they gain access to numerous apps that stream premium content for free — and these are precisely the apps that seize control of the device’s networking functions, redirecting portions of traffic through the Grass IO network.
Grass presents itself as a platform that redistributes user internet traffic for market-research purposes and AI training. Its founder stated that the company has no connection to Superbox and that the devices appear to be attempting to connect to the service without Grass’s knowledge by using questionable SDKs. At the same time, Grass has changed its corporate registration several times in two years — a fact some industry observers attribute to phases of restructuring.
According to Censys, Superbox does far more than relay traffic. The device contains tools such as Netcat and Tcpdump, traces of ARP spoofing, attempts at DNS interception, and a folder labeled “secondstage”. Researchers found that the unit communicates with a QQ server and other services not typically associated with household media players. These devices are sold everywhere — on Amazon, Walmart, Newegg, and eBay — often under third-party listings and sometimes under the vague label “modem and router combo”.
The Superbox scheme fits into a broader problem. Similar “unlocked” Android set-top boxes appear in Google’s lawsuit against the Badbox 2.0 group, which involves a botnet of more than 10 million devices. The FBI has warned that such boxes may be infected even before purchase or during installation of required apps, after which they become nodes in proxy networks used for advertising fraud and account-takeover attacks. Researchers connect this activity to IPidea, a proxy network believed to be the successor to 911S5 Proxy. According to Synthient, IPidea’s primary traffic flows include platforms associated with fraud and large-scale password-guessing campaigns.
Experts note that the mass migration of television content to streaming has fueled demand for such devices, as consumers face rising subscription costs. Yet a Superbox buyer, even after paying a hefty price, effectively hands over a portion of their internet bandwidth to external companies that use their IP address in opaque schemes. Many owners remain unaware that their network has become part of a proxy infrastructure.
The legal risks remain substantial. The manufacturer shifts responsibility onto the buyer, claiming the device merely allows the installation of applications. However, in the United States, unauthorized access to protected content violates the DMCA and can result in fines, ISP warnings, and service restrictions.
The FBI advises watching for several signs that may indicate a malicious device: the appearance of third-party app stores, prompts to disable Google Play Protect, lack of a Play Protect certificate, an unfamiliar brand, spikes in network activity, or marketing promises of free access to paid services. The Electronic Frontier Foundation provides a detailed breakdown of each of these red flags on its website, explaining why such symptoms should prompt immediate caution.
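Two of the red flags above, a device that starts talking to external servers the moment it appears and later shows a spike in network activity, can be checked from the home-network side with nothing more than outbound flow records. The script below is an added example written for this article; it is not code from Censys, the FBI, or the EFF. The flow records, IP addresses, thresholds and function names are all constructed assumptions for illustration.

```python
"""Flag home-network devices that show two of the network-side red flags
described above: contacting many external hosts right after they first
appear, and a sudden spike in outbound traffic.

Input is a constructed, NetFlow-like CSV (one outbound flow per line):
    epoch_seconds,src_ip,dst_ip,bytes_out
Addresses, thresholds and helper names are assumptions for this example.
"""
import ipaddress
import statistics
from collections import defaultdict

# Constructed sample: 192.168.1.20 is a laptop with ordinary traffic;
# 192.168.1.42 is a freshly powered-on box that immediately fans out to
# many external hosts and later pushes a burst of outbound data.
SAMPLE_FLOWS = """\
1700000000,192.168.1.20,142.250.72.14,1200
1700000030,192.168.1.20,142.250.72.14,800
1700000060,192.168.1.20,151.101.1.69,1500
1700000090,192.168.1.20,142.250.72.14,900
1700000120,192.168.1.20,151.101.1.69,1100
1700000150,192.168.1.20,142.250.72.14,1000
1700000200,192.168.1.42,203.0.113.10,400
1700000205,192.168.1.42,203.0.113.11,400
1700000210,192.168.1.42,198.51.100.7,400
1700000215,192.168.1.42,198.51.100.8,400
1700000220,192.168.1.42,203.0.113.12,400
1700000225,192.168.1.42,192.0.2.55,400
1700000260,192.168.1.42,203.0.113.10,500
1700000320,192.168.1.42,203.0.113.10,600
1700000380,192.168.1.42,203.0.113.10,500
1700000440,192.168.1.42,203.0.113.10,90000
1700000445,192.168.1.42,203.0.113.11,85000
"""

EARLY_WINDOW_S = 120       # seconds after first sight that count as "just powered on"
EARLY_PEER_THRESHOLD = 5   # distinct external hosts in that window worth flagging
SPIKE_FACTOR = 10          # bucket >= this many times the median of earlier buckets
MIN_BASELINE_BUCKETS = 3   # earlier buckets needed before judging a spike

# Only these ranges count as "inside the home"; everything else is external.
# (Python's ip_address().is_private also treats the documentation ranges
# used in the sample as private, so the check is spelled out explicitly.)
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]


def parse_flows(text):
    """Parse CSV flow lines into sorted (ts, src, dst, bytes) tuples."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, src, dst, nbytes = line.split(",")
        flows.append((int(ts), src, dst, int(nbytes)))
    return sorted(flows)


def is_external(ip):
    """True when the address is outside the local ranges listed above."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in LOCAL_NETS)


def early_fanout(flows):
    """Devices that reach >= EARLY_PEER_THRESHOLD distinct external hosts
    within EARLY_WINDOW_S seconds of the first flow ever seen from them."""
    first_seen, peers = {}, defaultdict(set)
    for ts, src, dst, _ in flows:
        first_seen.setdefault(src, ts)
        if is_external(dst) and ts - first_seen[src] <= EARLY_WINDOW_S:
            peers[src].add(dst)
    return {src: sorted(p) for src, p in peers.items() if len(p) >= EARLY_PEER_THRESHOLD}


def outbound_spikes(flows):
    """Bucket each device's external outbound bytes per minute and flag a
    bucket that is SPIKE_FACTOR times the median of that device's earlier
    buckets. Returns {src: [(bucket_start_epoch, bytes), ...]}."""
    buckets = defaultdict(lambda: defaultdict(int))
    for ts, src, dst, nbytes in flows:
        if is_external(dst):
            buckets[src][ts // 60] += nbytes
    spikes = {}
    for src, per_min in buckets.items():
        history = []
        for minute in sorted(per_min):
            total = per_min[minute]
            if (len(history) >= MIN_BASELINE_BUCKETS
                    and total >= SPIKE_FACTOR * statistics.median(history)):
                spikes.setdefault(src, []).append((minute * 60, total))
            history.append(total)
    return spikes


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    for src, hosts in early_fanout(flows).items():
        print(f"{src}: {len(hosts)} external hosts within {EARLY_WINDOW_S}s of first sight")
    for src, events in outbound_spikes(flows).items():
        for start, total in events:
            print(f"{src}: {total} bytes out in the minute starting {start}")
```

Run against real router or firewall flow exports, the thresholds need tuning to the household's baseline; the value of the check is that it keys on behaviour (immediate fan-out and bandwidth bursts) rather than on any brand name or app-store string, which is what the FBI's "spikes in network activity" indicator is pointing at.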