Your Android TV Box Could Be a Botnet

Summary
– Superbox devices offer access to 2,200+ streaming services for a one-time $400 fee but require intrusive software that uses the user’s network to relay traffic, often linked to cybercrime.
– The devices replace Google’s Play Store with an unofficial app store to enable free streaming, though the company claims it only sells hardware and doesn’t preinstall unauthorized apps.
– Security researchers found that Superbox devices phone home to services such as Tencent QQ and the residential proxy network Grass IO, perform DNS hijacking and ARP poisoning on the local network, and ship with tools like tcpdump and netcat that have no place on an entertainment device.
– These devices are part of a broader problem with Android streaming boxes, including the BadBox 2.0 botnet, whose traffic is dominated by ad fraud and account takeover attempts.
– Using Superbox for unauthorized streaming violates the DMCA, and the FBI warns that such devices may show signs like disabling Google Play Protect or downloading apps from suspicious marketplaces.
That Android TV box promising endless free entertainment might come with a hidden and dangerous price tag. Security researchers have uncovered that popular streaming devices like the Superbox secretly enlist users’ home networks into botnets, turning everyday consumers into unwitting participants in cybercrime operations. These seemingly affordable alternatives to subscription services mask intrusive software that hijacks internet connections for malicious activities.
Available at major retailers including Best Buy and Walmart, Superbox devices market themselves as cable replacements with a one-time payment of around $400. They promise unlimited access to thousands of channels and streaming platforms without monthly fees. The company maintains that it merely sells hardware while customers choose which applications to install, but the reality involves significant security compromises.
To access the promised content, users must first replace Google’s official Play Store with an unofficial marketplace called the “App Store” or “Blue TV Store.” This replacement occurs because Superbox devices don’t run Google-certified Android TV systems. Only after this modification do the specialized streaming applications become available for download outside Google’s regulated ecosystem.
Security researchers found that these devices connect to concerning services as soon as they are activated. Ashley, a senior solutions engineer at the cyber intelligence firm Censys, examined multiple Superbox models and found they contacted servers belonging to the Chinese messaging service Tencent QQ and to a residential proxy network called Grass IO.
Grass describes itself as a decentralized network where users can earn rewards by sharing unused internet bandwidth with AI companies and researchers. The service claims legitimate business purposes like market research and web scraping for AI training. However, security professionals note these same networks frequently facilitate advertising fraud and credential stuffing attacks.
The founder of Grass, Andrej Radonjic, stated his company has no affiliation with Superbox and described the devices as distributing “an unethical proxy network” that attempts to exploit legitimate services. He emphasized that Grass operates as an opt-in system, unlike the forced participation implemented through devices like Superbox.
Further investigation revealed that the boxes contain network tools including tcpdump and netcat, far beyond what a streaming device needs. Ashley reported that the equipment performed DNS hijacking and ARP poisoning on the local network and attempted to bypass network controls. “I have root on all of them now, and they actually have a folder called ‘secondstage,’” she noted, a name that suggests additional functionality is fetched and installed after the initial setup.
Superbox represents just one brand in a broader category of problematic Android streaming devices. In 2025, Google filed a lawsuit against what it termed the “BadBox 2.0 Enterprise,” describing a botnet encompassing over ten million compromised Android streaming devices engaged in widespread advertising fraud. The FBI subsequently issued warnings about criminals gaining unauthorized access to home networks through pre-compromised devices or malicious applications downloaded during setup.
Riley Kilmer of Spur, a company that tracks residential proxy networks, connected BadBox 2.0 to IPidea, currently the world’s largest residential proxy provider. IPidea appears to be a rebrand of 911 S5 Proxy, a Chinese service sanctioned by the U.S. Treasury Department for operating a botnet that helped criminals steal billions of dollars. Spur’s analysis shows that most traffic through these proxies relates to advertising fraud or account takeover attempts.
For consumers considering such a device, several red flags indicate likely compromise: an unofficial app marketplace, a setup step that requires disabling Google Play Protect, devices advertised as “unlocked” or offering free content, an unrecognizable brand, missing Play Protect certification, and unexplained internet traffic once the box is on the network. Using such equipment for unauthorized streaming also violates the Digital Millennium Copyright Act, potentially resulting in legal action, fines, or service suspension by the internet provider.
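The DNS hijacking and ARP poisoning described above, and the “unexplained internet traffic” red flag, are things a reader can check for from the router or a mirror port, never from the box itself, since the box cannot be trusted to report on its own behaviour. The following is an added example, not code from Censys, Krebs on Security or Superbox: it parses constructed tcpdump-style lines and flags three indicators. The LAN addresses, MACs and hostnames are hypothetical.

```python
"""Flag LAN indicators of a misbehaving TV box from tcpdump -n -e style text.

Three indicators are reported:
  arp_spoof          an ARP reply claims the gateway IP with the wrong MAC
  dns_hijack         a DNS answer comes from something other than the resolver
  unexpected_lookup  the TV box resolves a name outside the expected set
"""
import re

# Hypothetical LAN layout for the example; adjust to the real network.
GATEWAY_IP = "192.168.1.1"
GATEWAY_MAC = "aa:bb:cc:00:00:01"
RESOLVER_IP = "192.168.1.1"          # DNS server the router hands out via DHCP
TV_BOX_IP = "192.168.1.50"
# Names the box has a legitimate reason to resolve (hypothetical allowlist).
EXPECTED_HOSTS = {"cdn.example-streaming.test"}

IP = r"(\d{1,3}(?:\.\d{1,3}){3})"
# "<mac> > <mac>, ARP, Reply <ip> is-at <mac>"
ARP_RE = re.compile(r"ARP, Reply " + IP + r" is-at ([0-9a-fA-F:]{17})")
# "IP <src>.<port> > <dst>.53: <id>+ A? <name>. (<len>)"
QUERY_RE = re.compile(r"IP " + IP + r"\.\d+ > " + IP + r"\.53: \d+\+ A\? (\S+)")
# "IP <src>.53 > <dst>.<port>: <id> <answers> A <ip> (<len>)"
RESP_RE = re.compile(r"IP " + IP + r"\.53 > " + IP + r"\.\d+: \d+ ")


def analyze(lines):
    """Return a list of (indicator, detail) tuples for the given capture lines."""
    findings = []
    for line in lines:
        m = ARP_RE.search(line)
        if m:
            ip, mac = m.groups()
            # A second MAC answering for the gateway is the classic ARP poisoning sign.
            if ip == GATEWAY_IP and mac.lower() != GATEWAY_MAC:
                findings.append(("arp_spoof", mac.lower()))
            continue
        m = QUERY_RE.search(line)
        if m:
            src, _dst, name = m.groups()
            name = name.rstrip(".")
            if src == TV_BOX_IP and name not in EXPECTED_HOSTS:
                findings.append(("unexpected_lookup", name))
            continue
        m = RESP_RE.search(line)
        if m:
            src, _dst = m.groups()
            # Any host other than the configured resolver handing out answers
            # is either a rogue resolver or a box rewriting other clients' DNS.
            if src != RESOLVER_IP:
                findings.append(("dns_hijack", src))
    return findings


# Constructed sample capture: one clean ARP reply, one spoofed one, a normal
# lookup/answer pair, a lookup of an unexpected name, and the TV box itself
# answering a DNS query for another LAN client.
SAMPLE = """\
aa:bb:cc:00:00:01 > ff:ff:ff:ff:ff:ff, ARP, Reply 192.168.1.1 is-at aa:bb:cc:00:00:01
de:ad:be:ef:00:50 > ff:ff:ff:ff:ff:ff, ARP, Reply 192.168.1.1 is-at de:ad:be:ef:00:50
IP 192.168.1.50.40001 > 192.168.1.1.53: 1001+ A? cdn.example-streaming.test. (44)
IP 192.168.1.1.53 > 192.168.1.50.40001: 1001 1/0/0 A 203.0.113.10 (60)
IP 192.168.1.50.40002 > 192.168.1.1.53: 1002+ A? proxy-node.example-relay.test. (47)
IP 192.168.1.50.53 > 192.168.1.20.50000: 2001 1/0/0 A 203.0.113.99 (58)
"""


def analyze_sample():
    """Run the detector over the constructed capture above."""
    return analyze(SAMPLE.splitlines())


if __name__ == "__main__":
    for indicator, detail in analyze_sample():
        print(f"{indicator:18s} {detail}")
```

Feed it a real capture taken on the router or on a switch mirror port (`tcpdump -n -e -l arp or port 53`) and extend `EXPECTED_HOSTS` with the names the box legitimately uses; anything left in `unexpected_lookup` after a week of normal viewing, and any `arp_spoof` or `dns_hijack` hit at all, is grounds to take the device off the network.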
While the appeal of avoiding multiple streaming subscriptions is understandable, the hidden costs of these devices extend far beyond their purchase price. Consumers essentially trade their network security and personal privacy for questionable entertainment access, becoming involuntary participants in global cybercrime operations that benefit from their internet resources.
(Source: Krebs on Security)