TL;DR
Security researchers examining Superbox Android TV-style streaming devices found software that replaces Google Play with an unofficial app store and appears to enlist devices to relay other peoples' internet traffic. The boxes contact third-party services including a residential proxy network (Grass) and Tencent QQ, and include network tools and behaviors experts say resemble proxy- or botnet-style activity.
What happened
Researchers from cyber intelligence firm Censys analyzed several Superbox streaming units sold through large retailers and found the devices perform more than simple media playback. To enable thousands of channels, Superbox systems remove the official Google Play store and substitute an unofficial App Store (sometimes called the Blue TV Store), which makes specialized streaming apps available. Those third-party apps, security researchers say, also enroll the device into a distributed residential proxy network that can relay other parties' internet traffic. The lab analysis showed the boxes contact services including Tencent QQ and a residential proxy service known as Grass (getgrass[.]io). The devices were observed to contain administrative and network tools such as Netcat and Tcpdump, a folder labelled "secondstage," and activity consistent with DNS hijacking and ARP poisoning, according to a Censys engineer who reviewed the units. Superbox's parent company did not respond to inquiries; the company asserts it only sells hardware and that users choose what software to install.
Why it matters
- Devices sold as consumer streaming hardware may be used to route other users’ internet traffic, exposing owners to misuse of their bandwidth and IP addresses.
- Residential proxy networks can be abused for fraud, account takeover attempts, and web scraping that evades conventional blocks and attribution.
- Major e-commerce platforms are hosting these devices via third-party sellers, making potentially risky hardware widely available to nontechnical buyers.
- Consumers may not realize that installing non-official app stores and apps can change a device’s network behavior and security posture.
Key facts
- Superbox devices advertise access to more than 2,200 pay-per-view and streaming services for a one-time fee of about $400.
- To run apps for those channels, the devices remove Google’s certified Play Store and replace it with an unofficial App Store or "Blue TV Store."
- Censys researchers observed Superbox units contacting Tencent QQ and a residential proxy service referred to as Grass (getgrass[.]io).
- The devices contained network analysis and remote-access tools such as Netcat and Tcpdump, and a folder labelled "secondstage," per the lab analysis.
- Researchers reported behavior including DNS hijacking and ARP poisoning that disrupted local networks so the device could assume IP addresses, according to a Censys engineer.
- Grass’s founder told KrebsOnSecurity that Grass is intended as an opt-in bandwidth-sharing network and denied affiliation with Superbox; he said Grass has mechanisms to block abusers.
- Records captured via the Wayback Machine show Grass’s parent organization has appeared under several different company names over time.
- Superbox’s parent company lists a UPS-store address in Fountain Valley, California; the company did not respond to multiple inquiries.
- Superbox units are available from a range of retailers through third-party sellers, including BestBuy, Walmart, Newegg, Amazon and eBay; Newegg lists dozens of models.
- According to the reporting, Superbox pays influencers up to 50% of the sale value to promote the devices.
What to watch next
- Whether major retailers or e-commerce platforms remove or relabel Superbox listings or restrict third-party sellers: not confirmed in the source.
- Any public responses from Superbox’s parent company to the security findings; the company did not respond to inquiries for this story.
- Follow-up technical analyses or advisories from security firms about other Android streaming devices exhibiting similar proxy or network-manipulating behavior.
Quick glossary
- Android TV box: A consumer device that runs a version of Android optimized for televisions and enables streaming apps, media playback, and other TV-centric functions.
- Residential proxy: A service that routes internet requests through IP addresses assigned to household internet connections, often used to mask the origin of web traffic.
- ARP poisoning: A network attack technique that sends false Address Resolution Protocol messages to associate an attacker-controlled MAC address with another device’s IP, enabling traffic interception.
- DNS hijacking: The unauthorized modification of DNS settings or responses so that users are directed to different IP addresses than intended.
- Netcat / Tcpdump: Command-line network utilities: Netcat can open TCP/UDP connections for reading/writing network data; Tcpdump captures and displays packet-level network traffic for analysis.
Reader FAQ
Are Superbox devices illegal to buy or use?
The reporting states there is nothing inherently illegal about selling or using the hardware; however, installing and using apps that bypass paywalls or provide unauthorized content could violate copyright law.
Do these boxes make my home network part of a botnet?
Security researchers say the apps associated with some Superbox units enlist devices to relay other users' internet traffic and perform network-manipulating actions, behavior experts compare to residential proxy or botnet activity.
Is Grass officially affiliated with Superbox?
The Grass founder told the reporter he had not heard of Superbox and denied an affiliation; he described Grass as an opt-in bandwidth-sharing service and said it works to block abusers.
Can I remove the software that enables proxying or network manipulation?
Not confirmed in the source.
November 24, 2025 58 Comments On the surface, the Superbox media streaming devices for sale at retailers like BestBuy and Walmart may seem like a steal: They offer unlimited access…
Sources
- Is Your Android TV Streaming Box Part of a Botnet?
- Home Internet Connected Devices Facilitate Criminal Activity
- Unmasking Vo1d: Inside Darktrace's Botnet Detection
- Kimwolf Botnet Hijacks 1.8 Million Android TVs, Launches …
Related posts
- Meet Rey, the Teen Admin Behind Scattered LAPSUS$ Hunters Ransom Group
- SMS Phishers Shift Tactics: Points, Tax Refunds and Fake Shops
- How a $25M Essay-Mill Network Connects to Russia’s Synergy University