On the surface, the Superbox<\/strong> media streaming devices for sale at retailers like BestBuy<\/strong> and Walmart<\/strong> may seem like a steal: They offer unlimited access to more than 2,200 pay-per-view and streaming services like Netflix<\/strong>, ESPN<\/strong> and Hulu<\/strong>, all for a one-time fee of around $400. But security experts warn these TV boxes require intrusive software that forces the user\u2019s network to relay Internet traffic for others, traffic that is often tied to cybercrime activity such as advertising fraud and account takeovers.<\/p>\n Superbox media streaming boxes for sale on Walmart.com.<\/p>\n<\/div>\n Superbox bills itself as an affordable way for households to stream all of the television and movie content they could possibly want, without the hassle of monthly subscription fees \u2014 for a one-time payment of nearly $400.<\/p>\n \u201cTired of confusing cable bills and hidden fees?,\u201d Superbox\u2019s website asks in a recent blog post titled, \u201cCheap Cable TV for Low Income: Watch TV, No Monthly Bills.\u201d<\/p>\n \u201cReal cheap cable TV for low income solutions does exist,\u201d the blog continues. \u201cThis guide breaks down the best alternatives to stop overpaying, from free over-the-air options to one-time purchase devices that eliminate monthly bills.\u201d<\/p>\n Superbox claims that watching a stream of movies, TV shows, and sporting events won\u2019t violate U.S. copyright law.<\/p>\n \u201cSuperBox is just like any other Android TV box on the market, we can not control what software customers will use,\u201d the company\u2019s website maintains. \u201cAnd you won\u2019t encounter a law issue unless uploading, downloading, or broadcasting content to a large group.\u201d<\/p>\n A blog post from the Superbox website.<\/p>\n<\/div>\n There is nothing illegal about the sale or use of the Superbox itself, which can be used strictly as a way to stream content at providers where users already have a paid subscription. But that is not why people are shelling out $400 for these machines. The only way to watch those 2,200+ channels for free with a Superbox is to install several apps made for the device that enable them to stream this content.<\/p>\n Superbox\u2019s homepage includes a prominent message stating the company does \u201cnot sell access to or preinstall any apps that bypass paywalls or provide access to unauthorized content.\u201d The company explains that they merely provide the hardware, while customers choose which apps to install.<\/p>\n \u201cWe only sell the hardware device,\u201d the notice states. \u201cCustomers must use official apps and licensed services; unauthorized use may violate copyright law.\u201d<\/p>\n Superbox is technically correct here, except for maybe the part about how customers must use official apps and licensed services: Before the Superbox can stream those thousands of channels, users must configure the device to update itself, and the first step involves ripping out Google\u2019s official Play store and replacing it with something called the \u201cApp Store\u201d or \u201cBlue TV Store.\u201d<\/p>\n Superbox does this because the device does not use the official Google-certified Android TV system, and its apps will not load otherwise. Only after the Google Play store has been supplanted by this unofficial App Store do the various movie and video streaming apps that are built specifically for the Superbox appear available for download (again, outside of Google\u2019s app ecosystem).<\/p>\n Experts say while these Android streaming boxes generally do what they advertise \u2014 enabling buyers to stream video content that would normally require a paid subscription \u2014 the apps that enable the streaming also ensnare the user\u2019s Internet connection in a distributed residential proxy network that uses the devices to relay traffic from others.<\/p>\n Ashley<\/strong> is a senior solutions engineer at Censys<\/strong>, a cyber intelligence company that indexes Internet-connected devices, services and hosts. Ashley requested that only her first name be used in this story.<\/p>\n In a recent video interview, Ashley showed off several Superbox models that Censys was studying in the malware lab \u2014 including one purchased off the shelf at BestBuy.<\/p>\n \u201cI\u2019m sure a lot of people are thinking, \u2018Hey, how bad could it be if it\u2019s for sale at the big box stores?’\u201d she said. \u201cBut the more I looked, things got weirder and weirder.\u201d<\/p>\n Ashley said she found the Superbox devices immediately contacted a server at the Chinese instant messaging service Tencent<\/strong> QQ<\/strong>, as well as a residential proxy service called Grass IO<\/strong>.<\/p>\n Also known as getgrass[.]io, Grass says it is \u201ca decentralized network that allows users to earn rewards by sharing their unused Internet bandwidth with AI labs and other companies.\u201d<\/p>\n \u201cBuyers seek unused internet bandwidth to access a more diverse range of IP addresses, which enables them to see certain websites from a retail perspective,\u201d the Grass website explains. \u201cBy utilizing your unused internet bandwidth, they can conduct market research, or perform tasks like web scraping to train AI.\u201d\u00a0 Reached via Twitter\/X, Grass founder Andrej Radonjic<\/strong> told KrebsOnSecurity he\u2019d never heard of a Superbox, and that Grass has no affiliation with the device maker.<\/p>\n \u201cIt looks like these boxes are distributing an unethical proxy network which people are using to try to take advantage of Grass,\u201d Radonjic said. \u201cThe point of grass is to be an opt-in network. You download the grass app to monetize your unused bandwidth. There are tons of sketchy SDKs out there that hijack people\u2019s bandwidth to help webscraping companies.\u201d<\/p>\n Radonjic said Grass has implemented \u201ca robust system to identify network abusers,\u201d and that if it discovers anyone trying to misuse or circumvent its terms of service, the company takes steps to stop it and prevent those users from earning points or rewards.<\/p>\n Superbox\u2019s parent company, Super Media Technology Company Ltd.<\/strong>, lists its street address as a UPS store in Fountain Valley, Calif. The company did not respond to multiple inquiries.<\/p>\n According to this teardown by behindmlm.com<\/a>, a blog that covers multi-level marketing (MLM) schemes, Grass\u2019s compensation plan is built around \u201cgrass points,\u201d which are earned through the use of the Grass app and through app usage by recruited affiliates. Affiliates can earn 5,000 grass points for clocking 100 hours usage of Grass\u2019s app, but they must progress through ten affiliate tiers or ranks before they can redeem their grass points (presumably for some type of cryptocurrency). The 10th or \u201cTitan\u201d tier requires affiliates to accumulate a whopping 50 million grass points, or recruit at least 221 more affiliates<\/em>.<\/p>\n Radonjic said Grass\u2019s system has changed in recent months, and confirmed the company has a referral program where users can earn Grass Uptime Points by contributing their own bandwidth and\/or by inviting other users to participate.<\/p>\n \u201cUsers are not required to participate in the referral program to earn Grass Uptime Points or to receive Grass Tokens,\u201d Radonjic said. \u201cGrass is in the process of phasing out the referral program and has introduced an updated Grass Points model.\u201d<\/p>\n A review of the Terms and Conditions page for getgrass[.]io at the Wayback Machine shows Grass\u2019s parent company has changed names at least five times in the course of its two-year existence. Searching the Wayback Machine on getgrass[.]io shows that in June 2023 Grass was owned by a company called Wynd Network<\/strong>. By March 2024, the owner was listed as Lower Tribeca Corp.<\/strong> in the Bahamas. By August 2024, Grass was controlled by a Half Space Labs Limited<\/strong>, and in November 2024 the company was owned by Grass OpCo (BVI) Ltd<\/strong>. Currently, the Grass website says its parent is just Grass OpCo Ltd<\/strong> (no BVI in the name).<\/p>\n Radonjic acknowledged that Grass has undergone \u201ca handful of corporate clean-ups over the last couple of years,\u201d but described them as administrative changes that had no operational impact. \u201cThese reflect normal early-stage restructuring as the project moved from initial development\u2026into the current structure under the Grass Foundation,\u201d he said.<\/p>\n <\/span><\/p>\n Censys\u2019s Ashley said the phone home to China\u2019s Tencent QQ instant messaging service was the first red flag with the Superbox devices she examined. She also discovered the streaming boxes included powerful network analysis and remote access tools, such as Tcpdump<\/a> and Netcat<\/a>.<\/p>\n \u201cThis thing DNS hijacked my router, did ARP poisoning<\/a> to the point where things fall off the network so they can assume that IP, and attempted to bypass controls,\u201d she said. \u201cI have root on all of them now, and they actually have a folder called \u2018secondstage.\u2019 These devices also have Netcat and Tcpdump on them, and yet they are supposed to be streaming devices.\u201d<\/p>\n A quick online search shows various Superbox models and many similar Android streaming devices for sale at a wide range of top retail destinations, including Amazon<\/strong>, BestBuy<\/strong>, Newegg<\/strong>, and Walmart<\/strong>. Newegg.com, for example, currently lists more than three dozen Superbox models. In all cases, the products are sold by third-party merchants on these platforms, but in many instances the fulfillment comes from the e-commerce platform itself.<\/p>\n \u201cNewegg is pretty bad now with these devices,\u201d Ashley said. \u201cEbay is the funniest, because they have Superbox in Spanish \u2014 the SuperCaja \u2014 which is very popular.\u201d<\/p>\n Superbox devices for sale via Newegg.com.<\/p>\n<\/div>\n Ashley said Amazon recently cracked down on Android streaming devices branded as Superbox, but that those listings can still be found under the more generic title \u201cmodem and router combo<\/a>\u201d (which may be slightly closer to the truth about the device\u2019s behavior).<\/p>\n Superbox doesn\u2019t advertise its products in the conventional sense. Rather, it seems to rely on lesser-known influencers on places like Youtube and TikTok to promote the devices. Meanwhile, Ashley said, Superbox pays those influencers 50 percent of the value of each device they sell.<\/p>\n \u201cIt\u2019s weird to me because influencer marketing usually caps compensation at 15 percent, and it means they don\u2019t care about the money,\u201d she said. \u201cThis is about building their network.\u201d<\/p>\n A TikTok influencer casually mentions and promotes Superbox while chatting with her followers over a glass of wine.<\/p>\n<\/div>\n As plentiful as the Superbox is on e-commerce sites, it is just one brand in an ocean of no-name Android-based TV boxes available to consumers. While these devices generally do provide buyers with \u201cfree\u201d streaming content, they also tend to include factory-installed malware or require the installation of third-party apps that engage the user\u2019s Internet address in advertising fraud.<\/p>\n In July 2025, Google filed a \u201cJohn Doe\u201d lawsuit<\/a> (PDF) against 25 unidentified defendants dubbed the \u201cBadBox 2.0 Enterprise<\/strong>,\u201d which Google described as a botnet of over ten million Android streaming devices that engaged in advertising fraud. Google said the BADBOX 2.0 botnet, in addition to compromising multiple types of devices prior to purchase, can also infect devices by requiring the download of malicious apps from unofficial marketplaces.<\/p>\n Some of the unofficial Android devices flagged by Google as part of the Badbox 2.0 botnet are still widely for sale at major e-commerce vendors. Image: Google.<\/p>\n<\/div>\n Several of the Android streaming devices flagged in Google\u2019s lawsuit are still for sale on top U.S. retail sites. For example, searching for the \u201cX88Pro 10<\/a>\u201d and the \u201cT95<\/a>\u201d Android streaming boxes finds both continue to be peddled by Amazon sellers.<\/p>\n Google\u2019s lawsuit came on the heels of a June 2025 advisory<\/a> from the Federal Bureau of Investigation<\/strong> (FBI), which warned that cyber criminals were gaining unauthorized access to home networks by either configuring the products with malicious software prior to the user\u2019s purchase, or infecting the device as it downloads required applications that contain backdoors, usually during the set-up process.<\/p>\n \u201cOnce these compromised IoT devices are connected to home networks, the infected devices are susceptible to becoming part of the BADBOX 2.0 botnet and residential proxy services known to be used for malicious activity,\u201d the FBI said.<\/p>\n The FBI said BADBOX 2.0 was discovered after the original BADBOX campaign was disrupted in 2024. The original BADBOX was identified in 2023, and primarily consisted of Android operating system devices that were compromised with backdoor malware prior to purchase.<\/p>\n Riley Kilmer<\/strong> is founder of Spur<\/strong>, a company that tracks residential proxy networks. Kilmer said Badbox 2.0 was used as a distribution platform for IPidea<\/strong>, a China-based entity that is now the world\u2019s largest residential proxy network.<\/p>\n Kilmer and others say IPidea is merely a rebrand of 911S5 Proxy<\/a>, a China-based proxy provider sanctioned last year<\/a> by the U.S. Department of the Treasury<\/strong> for operating a botnet that helped criminals steal billions of dollars from financial institutions, credit card issuers, and federal lending programs (the U.S. Department of Justice<\/strong> also arrested the alleged owner of 911S5).<\/p>\n How are most IPidea customers using the proxy service? According to the proxy detection service Synthient<\/strong>, six of the top ten destinations for IPidea proxies involved traffic that has been linked to either ad fraud or credential stuffing (account takeover attempts).<\/p>\n Kilmer said companies like Grass are probably being truthful when they say that some of their customers are companies performing web scraping to train artificial intelligence efforts<\/a>, because a great deal of content scraping which ultimately benefits AI companies is now leveraging these proxy networks to further obfuscate their aggressive data-slurping activity. By routing this unwelcome traffic through residential IP addresses, Kilmer said, content scraping firms can make it far trickier to filter out.<\/p>\n \u201cWeb crawling and scraping has always been a thing, but AI made it like a commodity, data that had to be collected,\u201d Kilmer told KrebsOnSecurity.\u00a0\u201cEverybody wanted to monetize their own data pots, and how they monetize that is different across the board.\u201d<\/p>\n Products like Superbox are drawing increased interest from consumers as more popular network television shows and sportscasts migrate to subscription streaming services, and as people begin to realize they\u2019re spending as much or more on streaming services than they previously paid for cable or satellite TV.<\/p>\n These streaming devices from no-name technology vendors are another example of the maxim, \u201cIf something is free, you are the product,\u201d meaning the company is making money by selling access to and\/or information about its users and their data.<\/p>\n Superbox owners might counter, \u201cFree? I paid $400 for that device!\u201d But remember: Just because you paid a lot for something doesn\u2019t mean you are done paying for it, or that somehow you are the only one who might be worse off from the transaction.<\/p>\n It may be that many Superbox customers don\u2019t care if someone uses their Internet connection to tunnel traffic for ad fraud and account takeovers; for them, it beats paying for multiple streaming services each month. My guess, however, is that quite a few people who buy (or are gifted) these products have little understanding of the bargain they\u2019re making when they plug them into an Internet router.<\/p>\n Superbox performs some serious linguistic gymnastics to claim its products don\u2019t violate copyright laws, and that its customers alone are responsible for understanding and observing any local laws on the matter. However, buyer beware: If you\u2019re a resident of the United States, you should know that using these devices for unauthorized streaming violates the Digital Millennium Copyright Act<\/a> (DMCA), and can incur legal action, fines, and potential warnings and\/or suspension of service by your Internet service provider.<\/p>\n According to the FBI, there are several signs to look for that may indicate a streaming device you own is malicious, including:<\/p>\n -The presence of suspicious marketplaces where apps are downloaded.![\"\"](\"https:\/\/i0.wp.com\/krebsonsecurity.com\/wp-content\/uploads\/2025\/11\/superbox-walmart.png?resize=744%2C404&ssl=1\")
<\/p>\n![\"\"](\"https:\/\/i0.wp.com\/krebsonsecurity.com\/wp-content\/uploads\/2025\/11\/superbox-cheapcable.png?resize=749%2C439&ssl=1\")
<\/p>\nGET GRASSED<\/h2>\n
![\"\"](\"https:\/\/i0.wp.com\/krebsonsecurity.com\/wp-content\/uploads\/2025\/11\/grassio.png?resize=749%2C465&ssl=1\")
<\/p>\nUNBOXING<\/h2>\n
![\"\"](\"https:\/\/i0.wp.com\/krebsonsecurity.com\/wp-content\/uploads\/2025\/11\/superbox-newegg.png?resize=749%2C377&ssl=1\")
<\/a><\/p>\n![\"\"](\"https:\/\/i0.wp.com\/krebsonsecurity.com\/wp-content\/uploads\/2025\/11\/tiktok-superbox.png?resize=440%2C572&ssl=1\")
<\/p>\nBADBOX<\/h2>\n
![\"\"](\"https:\/\/i0.wp.com\/krebsonsecurity.com\/wp-content\/uploads\/2025\/11\/badbox2-0.png?resize=747%2C439&ssl=1\")
<\/a><\/p>\nSOME FRIENDLY ADVICE<\/h2>\n
\n-Requiring Google Play Protect settings to be disabled.
\n-Generic TV streaming devices advertised as unlocked or capable of accessing free content.
\n-IoT devices advertised from unrecognizable brands.
\n-Android devices that are not Play Protect certified.
\n-Unexplained or suspicious Internet traffic.<\/p>\n