On the surface, Superbox media streaming devices, readily available at major retailers like BestBuy and Walmart, make an enticing offer: unlimited access to more than 2,200 pay-per-view and streaming services, including Netflix, ESPN, and Hulu, for a single upfront payment of roughly $400. Security researchers warn, however, that these boxes ship with intrusive software that quietly turns the buyer's home connection into a relay for other people's Internet traffic, traffic that is frequently tied to cybercrime such as advertising fraud and account takeovers.

The Superbox positions itself as an economical solution for households eager to stream an extensive array of television and movie content without the burden of recurring monthly subscription fees. This is achieved through a one-time purchase of the device, priced at nearly $400. A recent blog post on Superbox’s website, titled "Cheap Cable TV for Low Income: Watch TV, No Monthly Bills," directly addresses this appeal, asking, "Tired of confusing cable bills and hidden fees?" It further asserts, "Real cheap cable TV for low income solutions does exist," promising to guide readers toward alternatives that eliminate monthly bills, from free over-the-air options to devices requiring only a one-time purchase. Crucially, Superbox boldly claims that its usage does not infringe upon U.S. copyright law.

The company’s website maintains a stance that SuperBox is comparable to any other Android TV box on the market, and that they cannot dictate the software customers choose to install. They state, "And you won’t encounter a law issue unless uploading, downloading, or broadcasting content to a large group."

Technically, the sale and operation of the Superbox itself are not illegal. The device can function perfectly well as a legitimate streaming platform for services to which users already possess paid subscriptions. However, this is not the primary motivation for consumers purchasing these devices for $400. The allure lies in accessing the advertised 2,200+ channels without incurring additional costs, which necessitates the installation of specific apps designed for the Superbox.

Superbox’s homepage prominently features a disclaimer stating they "do not sell access to or preinstall any apps that bypass paywalls or provide access to unauthorized content." They clarify that they merely supply the hardware, leaving app selection to the customer. The notice continues, "We only sell the hardware device. Customers must use official apps and licensed services; unauthorized use may violate copyright law."

Is Your Android TV Streaming Box Part of a Botnet?

While Superbox’s assertion that it sells only hardware may be technically true, there is a critical catch in the instruction that customers "must use official apps and licensed services." To reach the thousands of advertised channels, the box has to be put through its own update process, and the first step of that process removes Google’s official Play Store and replaces it with an unofficial storefront variously labeled the "App Store" or "Blue TV Store." The swap is necessary because the Superbox does not run a Google-certified Android TV system, so its purpose-built apps cannot be distributed through the official Play Store. Only once the unofficial store is in place do the Superbox-specific streaming apps become available for download, and from then on every app on the device is installed and updated entirely outside Google’s vetted app ecosystem.

Security researchers say these Android streaming boxes generally do deliver the content that would otherwise require a paid subscription, but the apps that make that possible also enroll the user’s Internet connection in a distributed residential proxy network: the device becomes a relay through which strangers’ traffic exits from the user’s home IP address.

Ashley, a senior solutions engineer at Censys, a company specializing in indexing Internet-connected devices and services, shared her findings. Censys was actively studying several Superbox models in their malware lab, including one purchased directly from BestBuy. Ashley expressed her surprise, noting, "I’m sure a lot of people are thinking, ‘Hey, how bad could it be if it’s for sale at the big box stores?’ But the more I looked, things got weirder and weirder."

During her examination, Ashley found that the Superbox devices immediately connected to a server belonging to Tencent QQ, a Chinese instant messaging service, and to Grass IO, a residential proxy service.

Grass, also accessible via getgrass[.]io, describes itself as "a decentralized network that allows users to earn rewards by sharing their unused Internet bandwidth with AI labs and other companies." Their website elaborates that "Buyers seek unused internet bandwidth to access a more diverse range of IP addresses, which enables them to see certain websites from a retail perspective. By utilizing your unused internet bandwidth, they can conduct market research, or perform tasks like web scraping to train AI."
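The relaying described above leaves a signature on the home router that is easy to check for. A box that only streams talks to a handful of CDN endpoints, nearly all on port 443; a box that is relaying for a proxy network opens many short connections to unrelated destinations and ports, because each one is somebody else's request. The script below is an added example, not code from the article, Censys, Grass or Superbox: it scores each LAN host in a constructed flow log on destination fan-out. The flow-log format, the IP addresses, the `/16` grouping and the thresholds are all assumptions made for the example.

```python
"""Flag a LAN device whose outbound traffic looks like proxy relaying.

Scores each LAN host on how many distinct /16 destination networks and
destination ports it contacts. Constructed sample data; the thresholds are
starting points to tune against your own network's baseline.
"""
from collections import defaultdict
from dataclasses import dataclass, field
import ipaddress

# Constructed sample flow log (not a real capture). One outbound
# connection per line, as a router exporting conntrack/NetFlow data might
# log it: epoch src_ip src_port dst_ip dst_port proto bytes_out bytes_in
# 192.168.1.20 is a laptop; 192.168.1.50 is the streaming box.
SAMPLE_FLOWS = """\
1700000000 192.168.1.20 51000 192.0.2.10    443  tcp 2100  850000
1700000005 192.168.1.20 51001 192.0.2.10    443  tcp 1800  910000
1700000009 192.168.1.20 51002 198.51.100.10 443  tcp 2400  640000
1700000011 192.168.1.20 51003 198.51.100.10 443  tcp 2000  720000
1700000002 192.168.1.50 40001 100.64.1.1    443  tcp 1500  400000
1700000003 192.168.1.50 40002 100.65.1.1    80   tcp 48000 3100
1700000004 192.168.1.50 40003 100.66.1.1    8080 tcp 52000 2900
1700000004 192.168.1.50 40004 100.67.1.1    443  tcp 61000 2200
1700000005 192.168.1.50 40005 100.68.1.1    25   tcp 47000 3300
1700000006 192.168.1.50 40006 100.69.1.1    443  tcp 50000 2800
1700000006 192.168.1.50 40007 100.70.1.1    443  tcp 40000 1900
1700000007 192.168.1.50 40008 100.71.1.1    5223 tcp 55000 2500
1700000008 192.168.1.50 40009 100.72.1.1    443  tcp 49000 2700
1700000008 192.168.1.50 40010 100.73.1.1    993  tcp 30000 1500
1700000009 192.168.1.50 40011 100.74.1.1    443  tcp 51000 2600
1700000010 192.168.1.50 40012 100.75.1.1    3389 tcp 53000 2400
"""


@dataclass
class DeviceProfile:
    flows: int = 0
    dst_prefixes: set = field(default_factory=set)  # distinct /16 networks
    dst_ports: set = field(default_factory=set)
    bytes_out: int = 0
    bytes_in: int = 0


def parse_flows(text):
    """Parse the whitespace-separated flow format above into dicts."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 8 or parts[0].startswith("#"):
            continue
        ts, src, _sport, dst, dport, proto, bout, bin_ = parts
        flows.append({"ts": int(ts), "src": src, "dst": dst,
                      "dport": int(dport), "proto": proto,
                      "bytes_out": int(bout), "bytes_in": int(bin_)})
    return flows


def profile_devices(flows, lan="192.168.1.0/24"):
    """Aggregate per-LAN-host destination diversity; LAN-internal flows are skipped."""
    lan_net = ipaddress.ip_network(lan)
    profiles = defaultdict(DeviceProfile)
    for f in flows:
        src, dst = ipaddress.ip_address(f["src"]), ipaddress.ip_address(f["dst"])
        if src not in lan_net or dst in lan_net:
            continue
        p = profiles[f["src"]]
        p.flows += 1
        # /16 is a coarse stand-in for "different network"; swap in ASN
        # lookups if you have them.
        p.dst_prefixes.add(str(ipaddress.ip_network(f"{dst}/16", strict=False)))
        p.dst_ports.add(f["dport"])
        p.bytes_out += f["bytes_out"]
        p.bytes_in += f["bytes_in"]
    return dict(profiles)


def relay_suspects(profiles, min_prefixes=8, min_ports=3):
    """LAN hosts whose fan-out exceeds both thresholds, most diverse first."""
    hits = [(ip, p) for ip, p in profiles.items()
            if len(p.dst_prefixes) >= min_prefixes and len(p.dst_ports) >= min_ports]
    return sorted(hits, key=lambda h: len(h[1].dst_prefixes), reverse=True)


if __name__ == "__main__":
    profs = profile_devices(parse_flows(SAMPLE_FLOWS))
    for ip, p in relay_suspects(profs):
        print(f"{ip}: {p.flows} flows to {len(p.dst_prefixes)} /16s on "
              f"{len(p.dst_ports)} ports, {p.bytes_out} B out / {p.bytes_in} B in")
```

On the constructed data the laptop reaches two networks on one port and is ignored, while the box reaches twelve networks on seven ports and is reported. Fan-out alone will also flag a legitimately busy host such as a BitTorrent client, so treat a hit as a prompt to capture the device's traffic, not as proof; a streaming appliance that opens connections on ports 25, 993 or 3389 has no business doing so.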


Andrej Radonjic, founder of Grass, stated via Twitter/X that he had no prior knowledge of Superbox and that Grass has no affiliation with the device manufacturer. He commented, "It looks like these boxes are distributing an unethical proxy network which people are using to try to take advantage of Grass. The point of grass is to be an opt-in network. You download the grass app to monetize your unused bandwidth. There are tons of sketchy SDKs out there that hijack people’s bandwidth to help webscraping companies." Radonjic added that Grass has implemented measures to identify and penalize network abusers, preventing them from earning rewards.

Superbox’s purported parent company, Super Media Technology Company Ltd., lists a UPS store in Fountain Valley, California, as its street address and did not respond to multiple inquiries.

A teardown by behindmlm.com, a blog focusing on multi-level marketing (MLM) schemes, reveals that Grass’s compensation structure is built around "grass points." These points are earned through app usage and by recruiting other users. While affiliates can earn points for usage, reaching higher tiers to redeem these points for cryptocurrency requires significant recruitment or accumulating millions of points. Radonjic acknowledged that Grass has undergone "a handful of corporate clean-ups" but characterized them as administrative changes with no operational impact, stating they reflect "normal early-stage restructuring."

Ashley’s investigation into the Superbox turned up further red flags. Beyond the device’s initial connection to Tencent QQ, she found the packet-capture and network utilities tcpdump and netcat preinstalled on what is ostensibly a streaming appliance, and she observed the box tampering with her network’s ARP and DNS. "This thing DNS hijacked my router, did ARP poisoning to the point where things fall off the network so they can assume that IP, and attempted to bypass controls," she reported. "I have root on all of them now, and they actually have a folder called ‘secondstage.’ These devices also have Netcat and Tcpdump on them, and yet they are supposed to be streaming devices."
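The ARP poisoning and DNS hijacking Ashley describes can be caught passively from two kinds of observation: ARP "is-at" messages seen on the LAN, and DNS responses recorded together with the MAC address that actually sent them. An IP announced by two different MACs is a conflict; if the later MAC also owns another LAN IP, that host is impersonating the first one. A DNS response whose source MAC is not the MAC the resolver IP was first bound to came from the impersonator, whatever the IP header says. The following is an added example, not code from the article or from Censys; the log formats, addresses and MACs are constructed for the example, and the baseline is simply the first MAC seen for each IP (an assumption; in practice seed it from the gateway's known MAC or DHCP leases).

```python
"""Detect an ARP-poisoning LAN host and the DNS answers it forges.

This is the same check arpwatch-style tools do (IP-to-MAC changes), extended
with the MAC of each DNS response so that answers spoofed in the router's
name are attributed to the box that sent them. Constructed sample data.
"""
from collections import defaultdict

# Constructed sample ARP observations (not a real capture):
# epoch sender_ip sender_mac target_ip
# 192.168.1.1 is the router; 192.168.1.50 is the streaming box.
SAMPLE_ARP = """\
1700000000 192.168.1.1  aa:bb:cc:00:00:01 192.168.1.20
1700000001 192.168.1.50 de:ad:be:ef:00:50 192.168.1.1
1700000002 192.168.1.20 aa:bb:cc:00:00:20 192.168.1.1
1700000030 192.168.1.1  de:ad:be:ef:00:50 192.168.1.20
1700000031 192.168.1.1  de:ad:be:ef:00:50 192.168.1.21
1700000032 192.168.1.1  de:ad:be:ef:00:50 192.168.1.22
"""

# Constructed sample DNS responses as sniffed on the LAN:
# epoch client_ip resolver_ip resolver_mac qname answer
SAMPLE_DNS = """\
1700000010 192.168.1.20 192.168.1.1 aa:bb:cc:00:00:01 www.example.com 192.0.2.80
1700000040 192.168.1.20 192.168.1.1 de:ad:be:ef:00:50 www.example.com 100.64.9.9
1700000041 192.168.1.20 192.168.1.1 de:ad:be:ef:00:50 login.example.net 100.64.9.9
"""

ARP_FIELDS = ("ts", "sender_ip", "sender_mac", "target_ip")
DNS_FIELDS = ("ts", "client_ip", "resolver_ip", "resolver_mac", "qname", "answer")


def parse_records(text, fields):
    """Parse whitespace-separated lines into dicts keyed by `fields`."""
    out = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == len(fields) and not parts[0].startswith("#"):
            out.append(dict(zip(fields, parts)))
    return out


def arp_bindings(arp):
    """ip -> MACs that announced it, in first-seen order, without duplicates."""
    seen = defaultdict(list)
    for r in arp:
        if r["sender_mac"] not in seen[r["sender_ip"]]:
            seen[r["sender_ip"]].append(r["sender_mac"])
    return dict(seen)


def arp_conflicts(arp):
    """IPs claimed by more than one MAC, with each impostor's other IPs."""
    bindings = arp_bindings(arp)
    mac_to_ips = defaultdict(set)
    for ip, macs in bindings.items():
        for mac in macs:
            mac_to_ips[mac].add(ip)
    conflicts = {}
    for ip, macs in bindings.items():
        if len(macs) > 1:
            original, *impostors = macs
            conflicts[ip] = {
                "original_mac": original,
                # An impostor that also owns a LAN IP of its own is identified.
                "impostors": {m: sorted(mac_to_ips[m] - {ip}) for m in impostors},
            }
    return conflicts


def forged_dns_answers(dns, arp):
    """DNS responses sent from a MAC other than the resolver IP's first-seen MAC."""
    bindings = arp_bindings(arp)
    forged = []
    for r in dns:
        expected = bindings.get(r["resolver_ip"], [None])[0]
        if r["resolver_mac"] != expected:
            forged.append(r)
    return forged


if __name__ == "__main__":
    arp = parse_records(SAMPLE_ARP, ARP_FIELDS)
    dns = parse_records(SAMPLE_DNS, DNS_FIELDS)
    for ip, c in arp_conflicts(arp).items():
        print(f"ARP conflict on {ip}: was {c['original_mac']}, now also {c['impostors']}")
    for r in forged_dns_answers(dns, arp):
        print(f"forged DNS: {r['qname']} -> {r['answer']} from {r['resolver_mac']}")
```

On the constructed data the router's IP is taken over by the MAC that earlier announced 192.168.1.50, and the two DNS answers pointing www.example.com and login.example.net at 100.64.9.9 are attributed to that MAC. The obvious weakness is the baseline: if the impostor is already poisoning the network when capture starts, its MAC becomes the "original", so seed the bindings from a trusted source rather than from first sight.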

A cursory online search confirms the widespread availability of various Superbox models and similar Android streaming devices across major e-commerce platforms like Amazon, BestBuy, Newegg, and Walmart. While these products are typically sold by third-party merchants, many utilize the platforms’ fulfillment services. Newegg.com, for instance, lists over three dozen Superbox models, and Ashley noted that eBay is particularly active, featuring Superbox under its Spanish equivalent, "SuperCaja." Amazon has reportedly taken steps to remove Superbox listings but similar devices can still be found under broader categories like "modem and router combo," a description that Ashley suggests is more fitting given the devices’ actual behavior.


Superbox’s marketing strategy appears to rely heavily on lesser-known influencers on platforms like YouTube and TikTok. Ashley observed that Superbox compensates these influencers with an unusually high 50% commission on each device sold, suggesting that the primary goal is network building rather than just monetary profit.

The Superbox is merely one example within a vast market of no-name Android-based TV boxes. While these devices often deliver on their promise of "free" streaming content, they frequently come pre-loaded with malware or require the installation of third-party apps that compromise the user’s Internet connection for advertising fraud.

In July 2025, Google initiated a "John Doe" lawsuit against 25 unidentified defendants, collectively referred to as the "BadBox 2.0 Enterprise." Google alleged this botnet comprised over ten million Android streaming devices engaged in advertising fraud. The suit detailed that the BadBox 2.0 botnet could compromise devices prior to purchase or infect them through malicious app downloads from unofficial marketplaces. Alarmingly, several Android streaming devices identified in Google’s lawsuit, such as the X88Pro 10 and T95, remain available for sale on major U.S. retail sites.

This lawsuit followed a June 2025 advisory from the Federal Bureau of Investigation (FBI), which warned of cybercriminals gaining unauthorized access to home networks by pre-installing malicious software or infecting devices during the setup process through backdoor-laden applications. The FBI cautioned that compromised IoT devices connected to home networks are vulnerable to becoming part of botnets like BADBOX 2.0 and residential proxy services used for malicious activities. The FBI noted that BADBOX 2.0 was discovered after the disruption of the original BADBOX campaign in 2024, which primarily involved Android devices compromised with backdoor malware before purchase.

Riley Kilmer, founder of Spur, a company that tracks residential proxy networks, stated that Badbox 2.0 served as a distribution platform for IPidea, a China-based entity now recognized as the world’s largest residential proxy network. Kilmer and others suggest that IPidea is a rebranding of 911S5 Proxy, a Chinese proxy provider previously sanctioned by the U.S. Department of the Treasury for operating a botnet that facilitated billions of dollars in fraud. According to the proxy detection service Synthient, a significant portion of IPidea’s traffic is linked to ad fraud and credential stuffing.


Kilmer believes that companies like Grass are likely truthful when they claim some of their customers are involved in web scraping for AI training. He explains that much of the content scraping that benefits AI companies now leverages these proxy networks to obscure their data-gathering activities, making it harder to filter out by routing traffic through residential IP addresses. "Web crawling and scraping has always been a thing, but AI made it like a commodity, data that had to be collected," Kilmer commented. "Everybody wanted to monetize their own data pots, and how they monetize that is different across the board."

The increasing migration of popular network television shows and sportscasts to subscription streaming services has fueled consumer interest in devices like Superbox, as people realize their streaming service costs are rivaling or exceeding their previous cable bills. These streaming devices from obscure technology vendors exemplify the adage, "If something is free, you are the product." This means the company is profiting by selling access to or information about its users and their data.

Superbox owners might argue, "Free? I paid $400 for that device!" However, the cost of the device does not necessarily represent the end of the financial burden, nor does it preclude negative consequences for the user or their network. While many Superbox users may not object to their Internet connection being used for ad fraud and account takeovers, viewing it as a trade-off for avoiding multiple monthly streaming subscriptions, a considerable number of individuals who purchase or receive these devices likely have little understanding of the implicit bargain they are making when connecting them to their home routers.

Superbox’s wording is carefully chosen to assert that its products do not violate copyright law and that customers alone are responsible for complying with local regulations. U.S. residents should nonetheless be aware that using these devices to stream unauthorized content violates the Digital Millennium Copyright Act (DMCA) and can result in legal action, fines, and warnings or service interruptions from their Internet service provider.

The FBI has outlined several indicators that may suggest a streaming device is malicious:

  • The presence of suspicious app marketplaces.
  • Requiring the disabling of Google Play Protect settings.
  • Generic TV streaming devices advertised as "unlocked" or capable of accessing free content.
  • IoT devices advertised from unrecognizable brands.
  • Android devices that are not Play Protect certified.
  • Unexplained or suspicious Internet traffic.

The Electronic Frontier Foundation offers a more detailed explanation of these potential symptoms.