Malicious SuperBox Devices Turn Homes into Proxy Nodes for Cybercriminals
Severity: High (Score: 68.0)
Sources: www.wired.com, www.foxnews.com, Kaspersky, blog.xlab.qianxin.com
Keywords: your, android, boxes, secretly, part, botnet, malicious
Severity indicators: ot, botnet
Summary
Security researchers have identified that SuperBox Android TV streaming devices, marketed as cost-effective media solutions, may secretly convert users' internet connections into proxy nodes for cybercriminal activities. These devices, sold through major retailers, initiate connections to Tencent QQ and Grass proxy services as soon as they are powered on. The firmware contains tools for network scanning, traffic analysis, and DNS hijacking, allowing them to facilitate ad fraud and other malicious activities. The devices are also capable of participating in DDoS attacks and scanning local networks for vulnerabilities. This situation has raised significant concerns about the security of low-cost streaming devices and their potential to be exploited as part of a botnet. As of May 2026, these devices remain available for purchase despite the risks associated with them.

Key Points:
- SuperBox devices may covertly turn home networks into proxy nodes for cybercriminals.
- The devices contain malicious tools for network scanning and traffic analysis.
- Security researchers warn that these devices are still being sold on major retail platforms.
Detailed Analysis
**Impact**

Millions of consumers worldwide, particularly in North America and Europe, are affected by compromised Android TV streaming devices like SuperBox. These devices turn home networks into proxy nodes for cybercriminals, enabling activities such as ad fraud, credential stuffing, large-scale web scraping, and DDoS attacks. Households using these devices risk exposure of sensitive data on connected devices, including banking apps, NAS units, IP cameras, and smart locks. The scale of infection creates a botnet with millions of unique IP addresses, affecting both individual users and broader internet infrastructure.

**Technical Details**

SuperBox devices require removal of Google's official app ecosystem and installation of unofficial app stores, which install custom apps that route traffic through third-party proxy networks like Tencent QQ and Grass. The devices contain networking tools such as Tcpdump and Netcat, perform DNS hijacking and ARP poisoning, and include folders labeled "secondstage," indicating multi-stage malware. The firmware is compromised with backdoors potentially injected during manufacturing and linked to evolved Triada Trojan variants. The devices scan local networks for additional targets, participate in DDoS attacks, and enable unauthorized bandwidth rental. No specific CVEs were mentioned.

**Recommended Response**

Users should immediately disconnect SuperBox and similar devices from their networks and avoid purchasing unverified Android streaming boxes. Network defenders should monitor for unusual outbound traffic to Tencent QQ and Grass proxy services and deploy detections for DNS hijacking and ARP poisoning techniques. Blocking known proxy service domains and checking local devices for the presence of tools like Tcpdump and Netcat is also advised. No patches are available; vigilance on network traffic and device inventories is critical.
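The three detections the Recommended Response calls for (a LAN host changing the gateway's MAC, DNS answers from a non-resolver, and contact with a blocklisted proxy domain) as an added example that is not part of this report or any of its sources; the record format, addresses, MACs and the placeholder blocklist domain are all constructed for the illustration.

```python
"""Added example (not from the report or its sources): a minimal detector
for the three behaviours the Recommended Response asks defenders to watch
for, run over constructed monitoring records.  Record layout, field names,
IPs, MACs and the blocklist domain are assumptions for this illustration."""

GATEWAY_IP = "192.168.1.1"                        # assumed LAN gateway
TRUSTED_RESOLVERS = {"192.168.1.1", "1.1.1.1"}    # assumed legitimate DNS servers
PROXY_BLOCKLIST = {"proxy.example-blocklist.test"}  # placeholder, not a real IoC

# Constructed records: (kind, ip, detail).
#   arp  : ip is the address an ARP reply claims, detail is the claimed MAC
#   dns  : ip is the LAN client, detail is the IP that sent the DNS answer
#   conn : ip is the LAN device, detail is the destination host it contacted
SAMPLE_EVENTS = [
    ("arp", GATEWAY_IP, "aa:bb:cc:00:00:01"),
    ("arp", GATEWAY_IP, "aa:bb:cc:00:00:01"),
    ("arp", GATEWAY_IP, "de:ad:be:ef:00:42"),    # gateway MAC changes: ARP poisoning
    ("dns", "192.168.1.20", "1.1.1.1"),           # normal: answer from a trusted resolver
    ("dns", "192.168.1.73", "192.168.1.50"),      # answer from a LAN host: DNS hijack
    ("conn", "192.168.1.50", "proxy.example-blocklist.test"),  # same host, proxy contact
]


def analyze(events):
    """Return (rule, offending_value) alerts in the order they are detected."""
    alerts = []
    first_mac = {}  # IP -> MAC first seen for it; later disagreement is suspicious
    for kind, ip, detail in events:
        if kind == "arp":
            if ip in first_mac and first_mac[ip] != detail:
                alerts.append(("arp_poisoning", detail))
            first_mac.setdefault(ip, detail)
        elif kind == "dns" and detail not in TRUSTED_RESOLVERS:
            alerts.append(("dns_hijack", detail))
        elif kind == "conn" and detail in PROXY_BLOCKLIST:
            alerts.append(("proxy_contact", ip))
    return alerts


if __name__ == "__main__":
    for rule, value in analyze(SAMPLE_EVENTS):
        print(f"ALERT {rule}: {value}")
```

On real data the same logic would read ARP and DNS events from passive monitoring (for example a Tcpdump capture or a resolver log) rather than the inline list, and the blocklist would be populated from the proxy domains identified in the source reports.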
Source articles (4)
- Why Your Android Tv Box May Secretly Part Botnet — www.foxnews.com · 2026-05-21
Android TV streaming boxes that promise "everything for one price" are everywhere right now. You'll see them on big retail sites, in influencer videos, and even recommended by friends who swear they'v…
- Android Tv Streaming Boxes China Backdoor — www.wired.com · 2026-05-21
- Kimwolf Botnet En — blog.xlab.qianxin.com · 2026-05-21
- Malicious TV boxes: how a cheap “SuperBox” turns your home into a proxy node for cybercriminals — Kaspersky · 2026-05-20
Netflix, Apple TV+, Disney+, Hulu, Amazon Prime, YouTube Premium… The average law-abiding family today pays for five to 10 subscriptions just to watch their shows of choice, with the monthly bill easi…
Timeline
- 2025-12-01 — SuperBox devices surge in popularity: Marketing for SuperBox devices exploded on social media, promising unlimited streaming for a one-time fee.
- 2025-12-15 — Security analysis reveals malicious behavior: Researchers found that SuperBox devices contact Tencent QQ and Grass proxy services upon startup, indicating compromised functionality.
- 2026-05-20 — Kaspersky publishes findings on SuperBox: Kaspersky detailed the malicious capabilities of SuperBox devices, including traffic hijacking and DDoS attack readiness.
- 2026-05-21 — Fox News reports on SuperBox botnet risks: Fox News highlighted the risks associated with SuperBox devices, emphasizing their use in routing internet traffic for cybercriminals.
Related entities
- Botnet (Attack Type)
- Credential Stuffing (Attack Type)
- DDoS (Attack Type)
- Malware (Attack Type)
- Trojan (Attack Type)
- Badbox 2.0 Botnet (Campaign)
- cyberguy.com (Domain)
- Triada (Malware)
- T1046 - Network Service Discovery (Mitre Attack)
- Android (Platform)
- IOS (Platform)
- Mac (Platform)
- Windows (Platform)
- Netcat (Tool)
- Network Scanner (Tool)
- Tcpdump (Tool)
- Traffic Analyzer (Tool)