Is Your Android TV Streaming Field A part of a Botnet? – Krebs on Safety

On the floor, the Superbox media streaming units on the market at retailers like BestBuy and Walmart might appear to be a steal: They provide limitless entry to greater than 2,200 pay-per-view and streaming companies like Netflix, ESPN and Hulu, all for a one-time payment of round $400. However safety consultants warn these TV packing containers require intrusive software program that forces the person’s community to relay Web visitors for others, visitors that’s typically tied to cybercrime exercise reminiscent of promoting fraud and account takeovers.

Superbox media streaming packing containers on the market on Walmart.com.

Superbox payments itself as an reasonably priced manner for households to stream all the tv and film content material they may presumably need, with out the trouble of month-to-month subscription charges — for a one-time cost of practically $400.

“Bored with complicated cable payments and hidden charges?,” Superbox’s web site asks in a latest weblog put up titled, “Low-cost Cable TV for Low Revenue: Watch TV, No Month-to-month Payments.”

“Actual low-cost cable TV for low earnings options does exist,” the weblog continues. “This information breaks down the most effective options to cease overpaying, from free over-the-air choices to one-time buy units that get rid of month-to-month payments.”

Superbox claims that watching a stream of flicks, TV exhibits, and sporting occasions gained’t violate U.S. copyright regulation.

“SuperBox is rather like every other Android TV field in the marketplace, we cannot management what software program prospects will use,” the corporate’s web site maintains. “And also you gained’t encounter a regulation challenge until importing, downloading, or broadcasting content material to a big group.”

A weblog put up from the Superbox web site.

There may be nothing unlawful concerning the sale or use of the Superbox itself, which can be utilized strictly as a strategy to stream content material at suppliers the place customers have already got a paid subscription. However that isn’t why individuals are shelling out $400 for these machines. The one strategy to watch these 2,200+ channels totally free with a Superbox is to put in a number of apps made for the system that allow them to stream this content material.

Superbox’s homepage features a outstanding message stating the corporate does “not promote entry to or preinstall any apps that bypass paywalls or present entry to unauthorized content material.” The corporate explains that they merely present the {hardware}, whereas prospects select which apps to put in.

“We solely promote the {hardware} system,” the discover states. “Prospects should use official apps and licensed companies; unauthorized use might violate copyright regulation.”

Superbox is technically appropriate right here, apart from possibly the half about how prospects should use official apps and licensed companies: Earlier than the Superbox can stream these 1000’s of channels, customers should configure the system to replace itself, and step one entails ripping out Google’s official Play retailer and changing it with one thing known as the “App Retailer” or “Blue TV Retailer.”

Superbox does this as a result of the system doesn’t use the official Google-certified Android TV system, and its apps is not going to load in any other case. Solely after the Google Play retailer has been supplanted by this unofficial App Retailer do the varied film and video streaming apps which can be constructed particularly for the Superbox seem out there for obtain (once more, exterior of Google’s app ecosystem).

Consultants say whereas these Android streaming packing containers usually do what they promote — enabling consumers to stream video content material that will usually require a paid subscription — the apps that allow the streaming additionally ensnare the person’s Web connection in a distributed residential proxy community that makes use of the units to relay visitors from others.

Ashley is a senior options engineer at Censys, a cyber intelligence firm that indexes Web-connected units, companies and hosts. Ashley requested that solely her first identify be used on this story.

In a latest video interview, Ashley confirmed off a number of Superbox fashions that Censys was finding out within the malware lab — together with one bought off the shelf at BestBuy.

“I’m certain lots of people are considering, ‘Hey, how unhealthy may it’s if it’s on the market on the huge field shops?’” she stated. “However the extra I appeared, issues bought weirder and weirder.”

Ashley stated she discovered the Superbox units instantly contacted a server on the Chinese language on the spot messaging service Tencent QQ, in addition to a residential proxy service known as Grass IO.

GET GRASSED

Also referred to as getgrass[.]io, Grass says it’s “a decentralized community that enables customers to earn rewards by sharing their unused Web bandwidth with AI labs and different corporations.”

“Patrons search unused web bandwidth to entry a extra various vary of IP addresses, which permits them to see sure web sites from a retail perspective,” the Grass web site explains. “By using your unused web bandwidth, they will conduct market analysis, or carry out duties like internet scraping to coach AI.” 

Reached through Twitter/X, Grass founder Andrej Radonjic informed KrebsOnSecurity he’d by no means heard of a Superbox, and that Grass has no affiliation with the system maker.

“It appears like these packing containers are distributing an unethical proxy community which individuals are utilizing to attempt to benefit from Grass,” Radonjic stated. “The purpose of grass is to be an opt-in community. You obtain the grass app to monetize your unused bandwidth. There are tons of sketchy SDKs on the market that hijack individuals’s bandwidth to assist webscraping corporations.”

Radonjic stated Grass has applied “a sturdy system to establish community abusers,” and that if it discovers anybody making an attempt to misuse or circumvent its phrases of service, the corporate takes steps to cease it and forestall these customers from incomes factors or rewards.

Superbox’s mum or dad firm, Tremendous Media Know-how Firm Ltd., lists its avenue tackle as a UPS retailer in Fountain Valley, Calif. The corporate didn’t reply to a number of inquiries.

Based on this teardown by behindmlm.com, a weblog that covers multi-level advertising and marketing (MLM) schemes, Grass’s compensation plan is constructed round “grass factors,” that are earned via the usage of the Grass app and thru app utilization by recruited associates. Associates can earn 5,000 grass factors for clocking 100 hours utilization of Grass’s app, however they have to progress via ten affiliate tiers or ranks earlier than they will redeem their grass factors (presumably for some kind of cryptocurrency). The tenth or “Titan” tier requires associates to build up a whopping 50 million grass factors, or recruit no less than 221 extra associates.

Radonjic stated Grass’s system has modified in latest months, and confirmed the corporate has a referral program the place customers can earn Grass Uptime Factors by contributing their very own bandwidth and/or by inviting different customers to take part.

“Customers will not be required to take part within the referral program to earn Grass Uptime Factors or to obtain Grass Tokens,” Radonjic stated. “Grass is within the means of phasing out the referral program and has launched an up to date Grass Factors mannequin.”

A evaluation of the Phrases and Situations web page for getgrass[.]io on the Wayback Machine exhibits Grass’s mum or dad firm has modified names no less than 5 instances in the middle of its two-year existence. Looking the Wayback Machine on getgrass[.]io exhibits that in June 2023 Grass was owned by an organization known as Wynd Community. By March 2024, the proprietor was listed as Decrease Tribeca Corp. within the Bahamas. By August 2024, Grass was managed by a Half House Labs Restricted, and in November 2024 the corporate was owned by Grass OpCo (BVI) Ltd. At the moment, the Grass web site says its mum or dad is simply Grass OpCo Ltd (no BVI within the identify).

Radonjic acknowledged that Grass has undergone “a handful of company clean-ups during the last couple of years,” however described them as administrative adjustments that had no operational affect. “These replicate regular early-stage restructuring because the challenge moved from preliminary growth…into the present construction below the Grass Basis,” he stated.

UNBOXING

Censys’s Ashley stated the telephone dwelling to China’s Tencent QQ on the spot messaging service was the primary purple flag with the Superbox units she examined. She additionally found the streaming packing containers included highly effective community evaluation and distant entry instruments, reminiscent of Tcpdump and Netcat.

“This factor DNS hijacked my router, did ARP poisoning to the purpose the place issues fall off the community to allow them to assume that IP, and tried to bypass controls,” she stated. “I’ve root on all of them now, and so they even have a folder known as ‘secondstage.’ These units even have Netcat and Tcpdump on them, and but they’re imagined to be streaming units.”

A fast on-line search exhibits varied Superbox fashions and lots of comparable Android streaming units on the market at a variety of high retail locations, together with Amazon, BestBuy, Newegg, and Walmart. Newegg.com, for instance, at present lists greater than three dozen Superbox fashions. In all instances, the merchandise are offered by third-party retailers on these platforms, however in lots of cases the success comes from the e-commerce platform itself.

“Newegg is fairly unhealthy now with these units,” Ashley stated. “Ebay is the funniest, as a result of they’ve Superbox in Spanish — the SuperCaja — which may be very fashionable.”

Superbox units on the market through Newegg.com.

Ashley stated Amazon not too long ago cracked down on Android streaming units branded as Superbox, however that these listings can nonetheless be discovered below the extra generic title “modem and router combo” (which can be barely nearer to the reality concerning the system’s habits).

Superbox doesn’t promote its merchandise within the standard sense. Slightly, it appears to depend on lesser-known influencers on locations like Youtube and TikTok to advertise the units. In the meantime, Ashley stated, Superbox pays these influencers 50 % of the worth of every system they promote.

“It’s bizarre to me as a result of influencer advertising and marketing normally caps compensation at 15 %, and it means they don’t care concerning the cash,” she stated. “That is about constructing their community.”

A TikTok influencer casually mentions and promotes Superbox whereas chatting along with her followers over a glass of wine.

BADBOX

As plentiful because the Superbox is on e-commerce websites, it is only one model in an ocean of no-name Android-based TV packing containers out there to shoppers. Whereas these units usually do present consumers with “free” streaming content material, additionally they have a tendency to incorporate factory-installed malware or require the set up of third-party apps that have interaction the person’s Web tackle in promoting fraud.

In July 2025, Google filed a “John Doe” lawsuit (PDF) in opposition to 25 unidentified defendants dubbed the “BadBox 2.0 Enterprise,” which Google described as a botnet of over ten million Android streaming units that engaged in promoting fraud. Google stated the BADBOX 2.0 botnet, along with compromising a number of kinds of units prior to buy, may also infect units by requiring the obtain of malicious apps from unofficial marketplaces.

A few of the unofficial Android units flagged by Google as a part of the Badbox 2.0 botnet are nonetheless extensively on the market at main e-commerce distributors. Picture: Google.

A number of of the Android streaming units flagged in Google’s lawsuit are nonetheless on the market on high U.S. retail websites. For instance, looking for the “X88Pro 10” and the “T95” Android streaming packing containers finds each proceed to be peddled by Amazon sellers.

Google’s lawsuit got here on the heels of a June 2025 advisory from the Federal Bureau of Investigation (FBI), which warned that cyber criminals had been gaining unauthorized entry to dwelling networks by both configuring the merchandise with malicious software program previous to the person’s buy, or infecting the system because it downloads required purposes that comprise backdoors, normally throughout the set-up course of.

“As soon as these compromised IoT units are related to dwelling networks, the contaminated units are vulnerable to turning into a part of the BADBOX 2.0 botnet and residential proxy companies recognized for use for malicious exercise,” the FBI stated.

The FBI stated BADBOX 2.0 was found after the unique BADBOX marketing campaign was disrupted in 2024. The unique BADBOX was recognized in 2023, and primarily consisted of Android working system units that had been compromised with backdoor malware prior to buy.

Riley Kilmer is founding father of Spur, an organization that tracks residential proxy networks. Kilmer stated Badbox 2.0 was used as a distribution platform for IPidea, a China-based entity that’s now the world’s largest residential proxy community.

Kilmer and others say IPidea is merely a rebrand of 911S5 Proxy, a China-based proxy supplier sanctioned last year by the U.S. Division of the Treasury for working a botnet that helped criminals steal billions of {dollars} from monetary establishments, bank card issuers, and federal lending packages (the U.S. Division of Justice additionally arrested the alleged proprietor of 911S5).

How are most IPidea prospects utilizing the proxy service? Based on the proxy detection service Synthient, six of the highest ten locations for IPidea proxies concerned visitors that has been linked to both advert fraud or credential stuffing (account takeover makes an attempt).

Kilmer stated corporations like Grass are most likely being truthful once they say that a few of their prospects are companies performing web scraping to train artificial intelligence efforts, as a result of quite a lot of content material scraping which finally advantages AI corporations is now leveraging these proxy networks to additional obfuscate their aggressive data-slurping exercise. By routing this unwelcome visitors via residential IP addresses, Kilmer stated, content material scraping companies could make it far trickier to filter out.

“Internet crawling and scraping has all the time been a factor, however AI made it like a commodity, information that needed to be collected,” Kilmer informed KrebsOnSecurity. “Everyone needed to monetize their very own information pots, and the way they monetize that’s completely different throughout the board.”

SOME FRIENDLY ADVICE

Merchandise like Superbox are drawing elevated curiosity from shoppers as extra fashionable community tv exhibits and sportscasts migrate to subscription streaming companies, and as individuals start to understand they’re spending as a lot or extra on streaming companies than they beforehand paid for cable or satellite tv for pc TV.

These streaming units from no-name expertise distributors are one other instance of the maxim, “If one thing is free, you’re the product,” which means the corporate is getting cash by promoting entry to and/or details about its customers and their information.

Superbox house owners would possibly counter, “Free? I paid $400 for that system!” However keep in mind: Simply since you paid lots for one thing doesn’t imply you might be performed paying for it, or that someway you’re the just one who may be worse off from the transaction.

It might be that many Superbox prospects don’t care if somebody makes use of their Web connection to tunnel visitors for advert fraud and account takeovers; for them, it beats paying for a number of streaming companies every month. My guess, nevertheless, is that fairly a couple of individuals who purchase (or are gifted) these merchandise have little understanding of the discount they’re making once they plug them into an Web router.

Superbox performs some critical linguistic gymnastics to assert its merchandise don’t violate copyright legal guidelines, and that its prospects alone are accountable for understanding and observing any native legal guidelines on the matter. Nonetheless, purchaser beware: Should you’re a resident of the US, it is best to know that utilizing these units for unauthorized streaming violates the Digital Millennium Copyright Act (DMCA), and may incur authorized motion, fines, and potential warnings and/or suspension of service by your Web service supplier.

Based on the FBI, there are a number of indicators to search for which will point out a streaming system you personal is malicious, together with:

-The presence of suspicious marketplaces the place apps are downloaded.
-Requiring Google Play Shield settings to be disabled.
-Generic TV streaming units marketed as unlocked or able to accessing free content material.
-IoT units marketed from unrecognizable manufacturers.
-Android units that aren’t Play Shield licensed.
-Unexplained or suspicious Web visitors.

This explainer from the Digital Frontier Basis delves a bit deeper into every of the potential signs listed above.