Is Your Streaming Box Spying On You? The SuperBox, BadBox Botnet, and Android TV Malware Explained

The SuperBox and devices like it are sold at Walmart, Best Buy, and through your neighbour's social media. The FBI has confirmed they're part of a global botnet. Here's what these boxes actually do, who is behind them, and exactly how to protect your home network.

RiskScope Team
streaming box malware, SuperBox, BadBox botnet, Android TV security, home network security, IoT scam

The Pitch

The box showed up on Amazon. It was also on the shelf at Best Buy and Walmart. It cost around $300 and promised everything your cable company never delivered: every channel, every sport, every movie, no monthly fee. The brand was called SuperBox. The marketing showed a happy family on a couch. The influencer your friend follows gave it a glowing review.

What the box actually delivered was something else entirely.

The moment it connected to your home network, it called out to servers in China. It began scanning every other device on your network. It started flooding your router with traffic. And it quietly enrolled itself, and your internet connection, into one of the largest criminal botnets ever documented.

This is what the SuperBox is. This is what BadBox 2.0 is. And if you or someone you know has one of these devices at home, here is everything you need to know.


What Is the SuperBox?

The SuperBox is an Android-based TV streaming device sold through major retail platforms and through a sprawling network of social media influencers, real estate agents, suburban resellers, and people who found they could make good money selling boxes at farmers markets with 50% commission per sale.

It markets itself as an "unlocked" streaming device that gives you access to all channels and content without a subscription. What it actually contains is a custom Android system loaded with malware that is pre-installed in the device firmware, meaning it arrives infected before the buyer does anything.

Security researcher D3ada55, who reverse-engineered the device over the course of 2024 and 2025 and documented her findings across multiple conference talks, found the following inside the SuperBox:

  • Immediate Tencent beacon: The device calls out to Tencent QQ infrastructure the moment it boots, before any user interaction
  • ARP flooding: It poisons the network's address resolution, enabling traffic interception and device impersonation
  • Active network scanning: It runs what amounts to an nmap scan of every device on your local network
  • SCADA exploit attempts: It attempts to probe industrial control systems, a significant finding given that oil and gas workers were reportedly receiving these devices by post, unsolicited
  • TeamViewer, Netcat, and Tcpdump: Remote access and network capture tools with no legitimate reason to be on a consumer streaming device
  • Unauthenticated ADB access: Root shell access was obtained with no authentication required
  • Hidden partitions: 27 partitions on the device, only 15 visible to the user. The remaining 12 are hidden firmware sectors with unknown contents
  • A custom, multi-layer encoded app store: Compressed six to seven layers deep, designed to be difficult to analyse
  • Fake regulatory certifications: The packaging displays FCC and safety certifications that do not exist in any official database. The US import agent signed off with a QQ email address

The researcher also found that sister devices (the vSeeBox and the Magabox) exhibited identical behaviour when placed on the same test network. All three devices began communicating with each other.


The FBI Made It Official

In June 2025, the FBI issued a formal public service announcement titled Home Internet Connected Devices Facilitate Criminal Activity. The announcement confirmed that cyber-criminals were gaining unauthorised access to home networks through compromised IoT devices including, specifically, TV streaming devices.

The FBI stated:

"Most of the infected devices were manufactured in China. Cyber-criminals gained unauthorised access to home networks by either configuring the product with malicious software prior to users purchasing or infecting the device with back doors, usually during the setup process."

Named devices included the SuperBox and vSeeBox.

Despite this, the devices were not immediately removed from Amazon, Best Buy, or Walmart. Third-party marketplace listings continued to appear as fast as they were removed.


BadBox 2.0: The Bigger Picture

The SuperBox is not a standalone scam. It is part of a much larger malware infrastructure known as BadBox 2.0, documented in detail by cybersecurity firm HUMAN Security and confirmed by the FBI, Cloudflare, and Google.

BadBox was first identified in 2023 as a campaign targeting Android devices pre-infected with backdoor malware before sale. The original campaign was partially disrupted in 2024. BadBox 2.0 emerged afterward with an expanded scope.

By March 2025, HUMAN Security estimated over 1 million devices worldwide were infected. By July 2025, when Google filed a civil lawsuit against 25 unidentified defendants (the "BadBox 2.0 Enterprise"), the count had grown to over 10 million compromised Android devices globally.

The botnet's capabilities include:

  • Residential proxy abuse: Using your home internet connection as a proxy for other criminal activity, making attacks appear to originate from ordinary households rather than data centres
  • Ad fraud: Generating fake ad impressions and clicks at scale
  • Credential harvesting: Monitoring network traffic to capture login credentials
  • DDoS-as-a-service: Enrolling devices in coordinated denial-of-service attacks for hire

The Aisuru-Kimwolf botnet, confirmed to include SuperBox devices, was identified by Cloudflare as the most active DDoS botnet of 2025, responsible for over 2,000 mitigated attacks. In January 2026, it launched the largest DDoS attack ever recorded at the time: 31 terabytes per second from 2 million devices.

SuperBox devices were confirmed participants.


Your Network Is the Target, Not Just the Device

One of the most important things to understand about the SuperBox is that it does not just compromise itself. It actively attacks everything else on the same network.

When connected to your home Wi-Fi:

  • It scans every device: your phone, laptop, work computer, smart TV, printer, security camera
  • It performs ARP poisoning, allowing it to intercept traffic between devices
  • It can sit on your network and monitor credentials as you log into banking, work VPNs, or email
  • It tries to access any corporate network reachable from your connection, including VPNs

One verified case: a remote worker had a SuperBox in their home while connected to a corporate VPN. The device was actively probing the corporate network through the VPN tunnel.

Another: ISP technicians were sent out to investigate customers complaining their bandwidth allowance was maxing out with no explanation. Some customers had uploaded 4,000 gigabytes in a single day. When investigators asked whether they had a SuperBox, they did.

If a SuperBox is in a coffee shop, hotel, or restaurant (and they are being found in pho restaurants and church halls and farmers markets across the United States) then every device that connects to that Wi-Fi network is exposed.


The Distribution Network

The SuperBox spread through what the researcher describes as a multi-level marketing structure. The device's operator:

  • Recruited influencers on YouTube and social media, some with hundreds of thousands of followers, to promote the SuperBox as a lifestyle product
  • Built a tiered reseller network offering 50% commission per device sold
  • Targeted suburban demographics: the marketing showed families, not tech enthusiasts
  • Managed price enforcement through MAC address tracking and remote device deactivation, with formal "fines" for unauthorised discounting
  • Maintained an online "reseller verification tool" to reassure buyers they were dealing with a legitimate seller

The devices reached oil and gas workers (mailed to home addresses, unsolicited), a church group in upstate New York, and households across the country through cable guys, gym buddies, co-workers, and community resellers who had no idea what was inside the box.

When researchers began publishing warnings, the response was coordinated: sellers and affiliates flooded search results and comment sections with positive content. When Brian Krebs of Krebs on Security published his investigation, the researcher D3ada55 was phished by someone asking for her TCP dump logs, sent to her academic email address, which she does not publish publicly. Shortly after, her home network was DDoSed for fifteen minutes.

The people behind this know what they are doing.


How to Check If You Are Affected

Devices to check immediately: Look at every streaming device in your home, particularly any Android-based box that:

  • Came from an unfamiliar brand
  • Was described as "unlocked" or offering "all channels free"
  • Was purchased through a private reseller, social media, or marketplace listing rather than directly from a manufacturer
  • Prompted you to disable Google Play Protect during setup
  • Has an app store you do not recognise installed by default

Specific device names to check: SuperBox, vSeeBox, Magabox, T95, MXQ Pro, and similar Android TV boxes from unknown brands.

On the device itself:

  1. Open the Google Play Store (if present)
  2. Tap your profile icon > Play Protect > Settings
  3. If Play Protect certification shows "Device is not certified", treat the device as compromised

On your router:

  1. Log into your router admin panel (typically 192.168.1.1 or 192.168.0.1)
  2. Check the list of connected devices and look for anything you do not recognise
  3. Check your data usage. Unexplained spikes, particularly high upload figures, are a warning sign

Using a network monitoring app: Tools like Fing (free, iOS and Android) can scan your home network and show all connected devices, their manufacturer, and traffic behaviour. Any device making large numbers of outbound connections to unexpected IP addresses should be investigated.
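As an added example (not code from the article or from the researchers it cites), the Python script below turns two of the indicators described above and in the "Your Network Is the Target" section into checks you can run against a saved copy of your ARP cache and your router's per-device usage counters. The `arp -a` lines, the known-good gateway MAC and the byte counters are constructed sample data.

```python
"""Home-network triage for a suspected SuperBox/BadBox-style device.
Added example (not from the article or the researchers it cites).
Checks two indicators the text describes: ARP poisoning and runaway
upload volume. All sample input below is constructed."""
import re
from collections import defaultdict

# "(ip) at mac" fragment as printed by `arp -a` on Linux and macOS.
ARP_LINE = re.compile(r"\((?P<ip>\d{1,3}(?:\.\d{1,3}){3})\) at "
                      r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})", re.I)
GIB = 1024 ** 3

def find_arp_conflicts(arp_text: str) -> dict:
    """{mac: [ips]} for every MAC answering for more than one IP."""
    claims = defaultdict(set)
    for m in ARP_LINE.finditer(arp_text):
        claims[m["mac"].lower()].add(m["ip"])
    return {mac: sorted(ips) for mac, ips in claims.items() if len(ips) > 1}

def gateway_mac_changed(arp_text: str, gateway_ip: str, known_mac: str) -> bool:
    """True if the gateway IP now maps to a MAC other than the one
    recorded while the network was known-good."""
    for m in ARP_LINE.finditer(arp_text):
        if m["ip"] == gateway_ip:
            return m["mac"].lower() != known_mac.lower()
    return False  # gateway absent from cache: nothing to compare

def flag_upload_outliers(daily_bytes: dict, threshold_gib: float = 50.0) -> list:
    """Device labels whose upload for one day exceeds threshold_gib.
    daily_bytes maps label -> (bytes_down, bytes_up)."""
    limit = threshold_gib * GIB
    return sorted(d for d, (_down, up) in daily_bytes.items() if up > limit)

# Constructed ARP cache: the box at .42 has overwritten the gateway entry.
SAMPLE_ARP = """\
? (192.168.1.1) at de:ad:be:ef:00:42 [ether] on wlan0
? (192.168.1.20) at aa:bb:cc:00:00:20 [ether] on wlan0
? (192.168.1.42) at de:ad:be:ef:00:42 [ether] on wlan0
"""
KNOWN_GATEWAY_MAC = "aa:bb:cc:00:00:01"  # constructed known-good value
# Constructed one-day counters (bytes down, bytes up); 4000 GiB up roughly
# mirrors the ISP case in the article.
SAMPLE_USAGE = {"laptop": (12 * GIB, 1 * GIB),
                "streaming-box": (2 * GIB, 4000 * GIB)}

if __name__ == "__main__":
    print(find_arp_conflicts(SAMPLE_ARP))
    print(gateway_mac_changed(SAMPLE_ARP, "192.168.1.1", KNOWN_GATEWAY_MAC))
    print(flag_upload_outliers(SAMPLE_USAGE))
```

Paste your own `arp -a` output into SAMPLE_ARP and record the gateway's MAC while the suspect box is unplugged; a gateway entry that later flips to the box's MAC is the ARP poisoning the article describes.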


What to Do If You Have One

Step 1: Disconnect it immediately. Unplug the device from both power and your network. Do not simply move it to a guest network. A guest network provides partial isolation at best and does not eliminate the threat.

Step 2: Factory reset is not sufficient. The malware in BadBox devices is embedded in the firmware, not the user-accessible software. A factory reset does not remove it. The only safe option is to stop using the device entirely.

Step 3: Change your passwords. If the device was on your network for any significant time, assume it may have observed your login credentials for banking, email, and work accounts. Change passwords from a different, trusted device.

Step 4: Reboot your router. This clears the ARP cache and severs any active connections the device had established to other devices on your network.

Step 5: Check other devices for unusual behaviour. After removing the streaming box, monitor your other devices for unexpected traffic or behaviour for a few weeks.

Step 6: Report it.


Why This Keeps Working

The SuperBox succeeded because it was designed to exploit specific psychological vulnerabilities, not technical ones.

Streaming fatigue is real. If watching a single season of a show requires accounts on five different services, people look for shortcuts. The SuperBox offered one. It also offered income: the reseller network gave ordinary people a side business that felt legitimate precisely because it came through their community rather than through an obviously shady channel.

It arrived at Best Buy. It was sold by a soccer mom. It had a certificate of authenticity in the box. It had marketing materials and a verification website. None of that is a reason to trust a device, but all of it is enough to short-circuit the scepticism most of us would otherwise apply.

The FBI, HUMAN Security, Google, Cloudflare, and Brian Krebs have all now documented this. The US DoD has opened an investigation. The evidence is unambiguous. And yet as of early 2026, these devices are still being sold.


Safe Alternatives for Streaming

If you want a legitimate streaming device that gives you broad access to content legally and without compromising your network:

Device                     Manufacturer   Safety
Chromecast with Google TV  Google         Play Protect certified, regular security updates
Apple TV 4K                Apple          Closed ecosystem, no third-party app stores
Amazon Fire TV Stick       Amazon         Play Protect certified; stick to official app store
NVIDIA Shield              NVIDIA         Android TV with full Google certification
Roku                       Roku           Closed platform, no Android

None of these will give you pirated content. All of them will leave your home network intact.


The Bottom Line

The SuperBox is not a cheap streaming device with a grey-area software arrangement. It is a piece of malware-laden hardware that scans your network, harvests credentials, proxies criminal traffic through your home internet connection, and enrols itself in botnets used for record-scale cyberattacks.

The FBI has warned about it. Google has sued its operators. Security researchers have documented every layer of what it does. It has still been found on the shelves of major retailers and in homes across the world.

If you have one: disconnect it. If someone offers you one: decline. If you see one in a shared network space like a hotel, coffee shop, or restaurant, connect via mobile data instead.

The box was designed to look exactly like something you would trust. That is the whole point.


If you want to check the domain or seller website of a suspicious device or marketplace, you can run it through RiskScope. Fraudulent hardware sellers often operate through recently registered domains with no verifiable business history.


Sources:

  • HUMAN Security: BadBox 2.0 Threat Intelligence
  • FBI PSA: Home Internet Connected Devices Facilitate Criminal Activity (IC3 PSA250605)
  • Krebs on Security: Is Your Android TV Streaming Box Part of a Botnet?
  • Krebs on Security: The Kimwolf Botnet is Stalking Your Local Network
  • The Hacker News: BadBox 2.0 Infects 1 Million Android Devices
  • BleepingComputer: FBI: BADBOX 2.0 Android Malware Infects Millions
  • EFF: FBI Warning on IoT Devices: How to Tell If You Are Impacted
  • ICDC: BadBox 2.0 Case Study: Google's July 2025 Lawsuit
  • Darknet Diaries: Episode featuring D3ada55 on SuperBox research
