On the floor, the Superbox media streaming units on the market at retailers like BestBuy and Walmart might look like a steal: They provide limitless entry to greater than 2,200 pay-per-view and streaming companies like Netflix, ESPN and Hulu, all for a one-time price of round $400. However safety specialists warn these TV bins require intrusive software program that forces the consumer’s community to relay Web visitors for others, visitors that’s typically tied to cybercrime exercise reminiscent of promoting fraud and account takeovers.
Superbox media streaming bins on the market on Walmart.com.
Superbox payments itself as an reasonably priced method for households to stream all the tv and film content material they may presumably need, with out the effort of month-to-month subscription charges — for a one-time fee of almost $400.
“Uninterested in complicated cable payments and hidden charges?,” Superbox’s web site asks in a current weblog publish titled, “Low-cost Cable TV for Low Earnings: Watch TV, No Month-to-month Payments.”
“Actual low-cost cable TV for low earnings options does exist,” the weblog continues. “This information breaks down the most effective options to cease overpaying, from free over-the-air choices to one-time buy units that remove month-to-month payments.”
Superbox claims that watching a stream of flicks, TV reveals, and sporting occasions gained’t violate U.S. copyright regulation.
“SuperBox is rather like another Android TV field in the marketplace, we can’t management what software program clients will use,” the corporate’s web site maintains. “And also you gained’t encounter a regulation situation until importing, downloading, or broadcasting content material to a big group.”
A weblog publish from the Superbox web site.
There may be nothing unlawful in regards to the sale or use of the Superbox itself, which can be utilized strictly as a approach to stream content material at suppliers the place customers have already got a paid subscription. However that isn’t why individuals are shelling out $400 for these machines. The one approach to watch these 2,200+ channels totally free with a Superbox is to put in a number of apps made for the system that allow them to stream this content material.
Superbox’s homepage features a distinguished message stating the corporate does “not promote entry to or preinstall any apps that bypass paywalls or present entry to unauthorized content material.” The corporate explains that they merely present the {hardware}, whereas clients select which apps to put in.
“We solely promote the {hardware} system,” the discover states. “Prospects should use official apps and licensed companies; unauthorized use might violate copyright regulation.”
Superbox is technically right right here, aside from perhaps the half about how clients should use official apps and licensed companies: Earlier than the Superbox can stream these 1000’s of channels, customers should configure the system to replace itself, and step one entails ripping out Google’s official Play retailer and changing it with one thing known as the “App Retailer” or “Blue TV Retailer.”
Superbox does this as a result of the system doesn’t use the official Google-certified Android TV system, and its apps is not going to load in any other case. Solely after the Google Play retailer has been supplanted by this unofficial App Retailer do the assorted film and video streaming apps which can be constructed particularly for the Superbox seem out there for obtain (once more, exterior of Google’s app ecosystem).
Consultants say whereas these Android streaming bins typically do what they promote — enabling patrons to stream video content material that might usually require a paid subscription — the apps that allow the streaming additionally ensnare the consumer’s Web connection in a distributed residential proxy community that makes use of the units to relay visitors from others.
Ashley is a senior options engineer at Censys, a cyber intelligence firm that indexes Web-connected units, companies and hosts. Ashley requested that solely her first title be used on this story.
In a current video interview, Ashley confirmed off a number of Superbox fashions that the Censys analysis workforce was learning within the malware lab — together with one bought off the shelf at BestBuy.
“I’m positive lots of people are pondering, ‘Hey, how dangerous may or not it’s if it’s on the market on the large field shops?’” she stated. “However the extra I seemed, issues obtained weirder and weirder.”
Ashley stated she discovered the Superbox units instantly contacted a server on the Chinese language prompt messaging service Tencent QQ, in addition to a residential proxy service known as Grass IO.
GET GRASSED
Also called getgrass[.]io, Grass says it’s “a decentralized community that permits customers to earn rewards by sharing their unused Web bandwidth with AI labs and different corporations.”
“Patrons search unused web bandwidth to entry a extra various vary of IP addresses, which allows them to see sure web sites from a retail perspective,” the Grass web site explains. “By using your unused web bandwidth, they will conduct market analysis, or carry out duties like internet scraping to coach AI.” 
Reached by way of Twitter/X, Grass founder Andrej Radonjic informed KrebsOnSecurity he’d by no means heard of a Superbox, and that Grass has no affiliation with the system maker.
“It appears like these bins are distributing an unethical proxy community which individuals are utilizing to attempt to reap the benefits of Grass,” Radonjic stated. “The purpose of grass is to be an opt-in community. You obtain the grass app to monetize your unused bandwidth. There are tons of sketchy SDKs on the market that hijack folks’s bandwidth to assist webscraping corporations.”
Radonjic stated Grass has carried out “a strong system to determine community abusers,” and that if it discovers anybody making an attempt to misuse or circumvent its phrases of service, the corporate takes steps to cease it and stop these customers from incomes factors or rewards.
Superbox’s mother or father firm, Tremendous Media Expertise Firm Ltd., lists its road deal with as a UPS retailer in Fountain Valley, Calif. The corporate didn’t reply to a number of inquiries.
In accordance with this teardown by behindmlm.com, a weblog that covers multi-level advertising (MLM) schemes, Grass’s compensation plan is constructed round “grass factors,” that are earned via using the Grass app and thru app utilization by recruited associates. Associates can earn 5,000 grass factors for clocking 100 hours utilization of Grass’s app, however they have to progress via ten affiliate tiers or ranks earlier than they will redeem their grass factors (presumably for some sort of cryptocurrency). The tenth or “Titan” tier requires associates to build up a whopping 50 million grass factors, or recruit not less than 221 extra associates.
Radonjic stated Grass’s system has modified in current months, and confirmed the corporate has a referral program the place customers can earn Grass Uptime Factors by contributing their very own bandwidth and/or by inviting different customers to take part.
“Customers will not be required to take part within the referral program to earn Grass Uptime Factors or to obtain Grass Tokens,” Radonjic stated. “Grass is within the technique of phasing out the referral program and has launched an up to date Grass Factors mannequin.”
A overview of the Phrases and Circumstances web page for getgrass[.]io on the Wayback Machine reveals Grass’s mother or father firm has modified names not less than 5 instances in the midst of its two-year existence. Looking out the Wayback Machine on getgrass[.]io reveals that in June 2023 Grass was owned by an organization known as Wynd Community. By March 2024, the proprietor was listed as Decrease Tribeca Corp. within the Bahamas. By August 2024, Grass was managed by a Half House Labs Restricted, and in November 2024 the corporate was owned by Grass OpCo (BVI) Ltd. At the moment, the Grass web site says its mother or father is simply Grass OpCo Ltd (no BVI within the title).
Radonjic acknowledged that Grass has undergone “a handful of company clean-ups during the last couple of years,” however described them as administrative adjustments that had no operational affect. “These replicate regular early-stage restructuring because the mission moved from preliminary growth…into the present construction below the Grass Basis,” he stated.
UNBOXING
Censys’s Ashley stated the cellphone residence to China’s Tencent QQ prompt messaging service was the primary purple flag with the Superbox units she examined. She additionally found the streaming bins included highly effective community evaluation and distant entry instruments, reminiscent of Tcpdump and Netcat.
“This factor DNS hijacked my router, did ARP poisoning to the purpose the place issues fall off the community to allow them to assume that IP, and tried to bypass controls,” she stated. “I’ve root on all of them now, they usually even have a folder known as ‘secondstage.’ These units even have Netcat and Tcpdump on them, and but they’re speculated to be streaming units.”
A fast on-line search reveals numerous Superbox fashions and plenty of related Android streaming units on the market at a variety of prime retail locations, together with Amazon, BestBuy, Newegg, and Walmart. Newegg.com, for instance, at present lists greater than three dozen Superbox fashions. In all instances, the merchandise are bought by third-party retailers on these platforms, however in lots of cases the success comes from the e-commerce platform itself.
“Newegg is fairly dangerous now with these units,” Ashley stated. “Ebay is the funniest, as a result of they’ve Superbox in Spanish — the SuperCaja — which could be very fashionable.”
Superbox units on the market by way of Newegg.com.
Ashley stated Amazon just lately cracked down on Android streaming units branded as Superbox, however that these listings can nonetheless be discovered below the extra generic title “modem and router combo” (which can be barely nearer to the reality in regards to the system’s habits).
Superbox doesn’t promote its merchandise within the standard sense. Fairly, it appears to depend on lesser-known influencers on locations like Youtube and TikTok to advertise the units. In the meantime, Ashley stated, Superbox pays these influencers 50 % of the worth of every system they promote.
“It’s bizarre to me as a result of influencer advertising often caps compensation at 15 %, and it means they don’t care in regards to the cash,” she stated. “That is about constructing their community.”
A TikTok influencer casually mentions and promotes Superbox whereas chatting together with her followers over a glass of wine.
BADBOX
As plentiful because the Superbox is on e-commerce websites, it is only one model in an ocean of no-name Android-based TV bins out there to customers. Whereas these units typically do present patrons with “free” streaming content material, in addition they have a tendency to incorporate factory-installed malware or require the set up of third-party apps that interact the consumer’s Web deal with in promoting fraud.
In July 2025, Google filed a “John Doe” lawsuit (PDF) towards 25 unidentified defendants dubbed the “BadBox 2.0 Enterprise,” which Google described as a botnet of over ten million Android streaming units that engaged in promoting fraud. Google stated the BADBOX 2.0 botnet, along with compromising a number of forms of units prior to buy, can even infect units by requiring the obtain of malicious apps from unofficial marketplaces.
A number of the unofficial Android units flagged by Google as a part of the Badbox 2.0 botnet are nonetheless broadly on the market at main e-commerce distributors. Picture: Google.
A number of of the Android streaming units flagged in Google’s lawsuit are nonetheless on the market on prime U.S. retail websites. For instance, trying to find the “X88Pro 10” and the “T95” Android streaming bins finds each proceed to be peddled by Amazon sellers.
Google’s lawsuit got here on the heels of a June 2025 advisory from the Federal Bureau of Investigation (FBI), which warned that cyber criminals had been gaining unauthorized entry to residence networks by both configuring the merchandise with malicious software program previous to the consumer’s buy, or infecting the system because it downloads required purposes that include backdoors, often in the course of the set-up course of.
“As soon as these compromised IoT units are linked to residence networks, the contaminated units are prone to turning into a part of the BADBOX 2.0 botnet and residential proxy companies recognized for use for malicious exercise,” the FBI stated.
The FBI stated BADBOX 2.0 was found after the unique BADBOX marketing campaign was disrupted in 2024. The unique BADBOX was recognized in 2023, and primarily consisted of Android working system units that had been compromised with backdoor malware prior to buy.
Riley Kilmer is founding father of Spur, an organization that tracks residential proxy networks. Kilmer stated Badbox 2.0 was used as a distribution platform for IPidea, a China-based entity that’s now the world’s largest residential proxy community.
Kilmer and others say IPidea is merely a rebrand of 911S5 Proxy, a China-based proxy supplier sanctioned final yr by the U.S. Division of the Treasury for working a botnet that helped criminals steal billions of {dollars} from monetary establishments, bank card issuers, and federal lending applications (the U.S. Division of Justice additionally arrested the alleged proprietor of 911S5).
How are most IPidea clients utilizing the proxy service? In accordance with the proxy detection service Synthient, six of the highest ten locations for IPidea proxies concerned visitors that has been linked to both advert fraud or credential stuffing (account takeover makes an attempt).
Kilmer stated corporations like Grass are in all probability being truthful after they say that a few of their clients are corporations performing internet scraping to coach synthetic intelligence efforts, as a result of an excessive amount of content material scraping which finally advantages AI corporations is now leveraging these proxy networks to additional obfuscate their aggressive data-slurping exercise. By routing this unwelcome visitors via residential IP addresses, Kilmer stated, content material scraping companies could make it far trickier to filter out.
“Net crawling and scraping has at all times been a factor, however AI made it like a commodity, information that needed to be collected,” Kilmer informed KrebsOnSecurity. “All people needed to monetize their very own information pots, and the way they monetize that’s completely different throughout the board.”
SOME FRIENDLY ADVICE
Merchandise like Superbox are drawing elevated curiosity from customers as extra fashionable community tv reveals and sportscasts migrate to subscription streaming companies, and as folks start to understand they’re spending as a lot or extra on streaming companies than they beforehand paid for cable or satellite tv for pc TV.
These streaming units from no-name know-how distributors are one other instance of the maxim, “If one thing is free, you’re the product,” which means the corporate is earning money by promoting entry to and/or details about its customers and their information.
Superbox house owners may counter, “Free? I paid $400 for that system!” However bear in mind: Simply since you paid so much for one thing doesn’t imply you might be finished paying for it, or that by some means you’re the just one who may be worse off from the transaction.
It could be that many Superbox clients don’t care if somebody makes use of their Web connection to tunnel visitors for advert fraud and account takeovers; for them, it beats paying for a number of streaming companies every month. My guess, nevertheless, is that fairly just a few individuals who purchase (or are gifted) these merchandise have little understanding of the discount they’re making after they plug them into an Web router.
Superbox performs some severe linguistic gymnastics to say its merchandise don’t violate copyright legal guidelines, and that its clients alone are accountable for understanding and observing any native legal guidelines on the matter. Nevertheless, purchaser beware: In the event you’re a resident of america, you must know that utilizing these units for unauthorized streaming violates the Digital Millennium Copyright Act (DMCA), and may incur authorized motion, fines, and potential warnings and/or suspension of service by your Web service supplier.
In accordance with the FBI, there are a number of indicators to search for that will point out a streaming system you personal is malicious, together with:
-The presence of suspicious marketplaces the place apps are downloaded.
-Requiring Google Play Defend settings to be disabled.
-Generic TV streaming units marketed as unlocked or able to accessing free content material.
-IoT units marketed from unrecognizable manufacturers.
-Android units that aren’t Play Defend licensed.
-Unexplained or suspicious Web visitors.
This explainer from the Digital Frontier Basis delves a bit deeper into every of the potential signs listed above.
