Login
CISA has warned that state-backed snoops and cyber-mercenaries are actively abusing commercial spyware to break into Signal and WhatsApp accounts, hijack devices, and quietly rummage through the phones of what the agency calls "high-value" users.β¦
Cock-up beats conspiracy most of the time, but that didn't stop Orkney residents wondering if a Russian warship caused their two-hour power cut.β¦
A fresh wave of ClickFix attacks is using fake Windows update screens to trick victims into downloading infostealer malware.β¦
Opinion For years, Google has seemingly indulged a corporate fetish of taking products that are beloved, then killing them. AWS has been on a different kick lately: Killing services that frankly shouldn't have seen the light of day.β¦
Hey bro πΎ
Wanna take on a friendly challenge?
I built a cloaker thatβs been flying under Metaβs radar β and I want to see if you can break it.
The challenge is simple:
π§ Try to identify any vulnerabilities or leaks in the cloaker system Iβm using.
π If you manage to break it or point out a real flaw, Iβll send you a little prize (or maybe a project if you impress me).
Hint:
The ad on Meta shows one thing...
But the landing page is completely different from the advertised offer.
Letβs see if youβre sharp enough to catch it π
Game on?
On the surface, the Superbox media streaming devices for sale at retailers like BestBuy and Walmart may seem like a steal: They offer unlimited access to more than 2,200 pay-per-view and streaming services like Netflix, ESPN and Hulu, all for a one-time fee of around $400. But security experts warn these TV boxes require intrusive software that forces the userβs network to relay Internet traffic for others, traffic that is often tied to cybercrime activity such as advertising fraud and account takeovers.
Superbox media streaming boxes for sale on Walmart.com.
Superbox bills itself as an affordable way for households to stream all of the television and movie content they could possibly want, without the hassle of monthly subscription fees β for a one-time payment of nearly $400.
βTired of confusing cable bills and hidden fees?,β Superboxβs website asks in a recent blog post titled, βCheap Cable TV for Low Income: Watch TV, No Monthly Bills.β
βReal cheap cable TV for low income solutions does exist,β the blog continues. βThis guide breaks down the best alternatives to stop overpaying, from free over-the-air options to one-time purchase devices that eliminate monthly bills.β
Superbox claims that watching a stream of movies, TV shows, and sporting events wonβt violate U.S. copyright law.
βSuperBox is just like any other Android TV box on the market, we can not control what software customers will use,β the companyβs website maintains. βAnd you wonβt encounter a law issue unless uploading, downloading, or broadcasting content to a large group.β
A blog post from the Superbox website.
There is nothing illegal about the sale or use of the Superbox itself, which can be used strictly as a way to stream content at providers where users already have a paid subscription. But that is not why people are shelling out $400 for these machines. The only way to watch those 2,200+ channels for free with a Superbox is to install several apps made for the device that enable them to stream this content.
Superboxβs homepage includes a prominent message stating the company does βnot sell access to or preinstall any apps that bypass paywalls or provide access to unauthorized content.β The company explains that they merely provide the hardware, while customers choose which apps to install.
βWe only sell the hardware device,β the notice states. βCustomers must use official apps and licensed services; unauthorized use may violate copyright law.β
Superbox is technically correct here, except for maybe the part about how customers must use official apps and licensed services: Before the Superbox can stream those thousands of channels, users must configure the device to update itself, and the first step involves ripping out Googleβs official Play store and replacing it with something called the βApp Storeβ or βBlue TV Store.β
Superbox does this because the device does not use the official Google-certified Android TV system, and its apps will not load otherwise. Only after the Google Play store has been supplanted by this unofficial App Store do the various movie and video streaming apps that are built specifically for the Superbox appear available for download (again, outside of Googleβs app ecosystem).
Experts say while these Android streaming boxes generally do what they advertise β enabling buyers to stream video content that would normally require a paid subscription β the apps that enable the streaming also ensnare the userβs Internet connection in a distributed residential proxy network that uses the devices to relay traffic from others.
Ashley is a senior solutions engineer at Censys, a cyber intelligence company that indexes Internet-connected devices, services and hosts. Ashley requested that only her first name be used in this story.
In a recent video interview, Ashley showed off several Superbox models that Censys was studying in the malware lab β including one purchased off the shelf at BestBuy.
βIβm sure a lot of people are thinking, βHey, how bad could it be if itβs for sale at the big box stores?'β she said. βBut the more I looked, things got weirder and weirder.β
Ashley said she found the Superbox devices immediately contacted a server at the Chinese instant messaging service Tencent QQ, as well as a residential proxy service called Grass IO.
Also known as getgrass[.]io, Grass says it is βa decentralized network that allows users to earn rewards by sharing their unused Internet bandwidth with AI labs and other companies.β
βBuyers seek unused internet bandwidth to access a more diverse range of IP addresses, which enables them to see certain websites from a retail perspective,β the Grass website explains. βBy utilizing your unused internet bandwidth, they can conduct market research, or perform tasks like web scraping to train AI.βΒ
Reached via Twitter/X, Grass founder Andrej Radonjic told KrebsOnSecurity heβd never heard of a Superbox, and that Grass has no affiliation with the device maker.
βIt looks like these boxes are distributing an unethical proxy network which people are using to try to take advantage of Grass,β Radonjic said. βThe point of grass is to be an opt-in network. You download the grass app to monetize your unused bandwidth. There are tons of sketchy SDKs out there that hijack peopleβs bandwidth to help webscraping companies.β
Radonjic said Grass has implemented βa robust system to identify network abusers,β and that if it discovers anyone trying to misuse or circumvent its terms of service, the company takes steps to stop it and prevent those users from earning points or rewards.
Superboxβs parent company, Super Media Technology Company Ltd., lists its street address as a UPS store in Fountain Valley, Calif. The company did not respond to multiple inquiries.
According to this teardown by behindmlm.com, a blog that covers multi-level marketing (MLM) schemes, Grassβs compensation plan is built around βgrass points,β which are earned through the use of the Grass app and through app usage by recruited affiliates. Affiliates can earn 5,000 grass points for clocking 100 hours usage of Grassβs app, but they must progress through ten affiliate tiers or ranks before they can redeem their grass points (presumably for some type of cryptocurrency). The 10th or βTitanβ tier requires affiliates to accumulate a whopping 50 million grass points, or recruit at least 221 more affiliates.
Radonjic said Grassβs system has changed in recent months, and confirmed the company has a referral program where users can earn Grass Uptime Points by contributing their own bandwidth and/or by inviting other users to participate.
βUsers are not required to participate in the referral program to earn Grass Uptime Points or to receive Grass Tokens,β Radonjic said. βGrass is in the process of phasing out the referral program and has introduced an updated Grass Points model.β
A review of the Terms and Conditions page for getgrass[.]io at the Wayback Machine shows Grassβs parent company has changed names at least five times in the course of its two-year existence. Searching the Wayback Machine on getgrass[.]io shows that in June 2023 Grass was owned by a company called Wynd Network. By March 2024, the owner was listed as Lower Tribeca Corp. in the Bahamas. By August 2024, Grass was controlled by a Half Space Labs Limited, and in November 2024 the company was owned by Grass OpCo (BVI) Ltd. Currently, the Grass website says its parent is just Grass OpCo Ltd (no BVI in the name).
Radonjic acknowledged that Grass has undergone βa handful of corporate clean-ups over the last couple of years,β but described them as administrative changes that had no operational impact. βThese reflect normal early-stage restructuring as the project moved from initial developmentβ¦into the current structure under the Grass Foundation,β he said.
Censysβs Ashley said the phone home to Chinaβs Tencent QQ instant messaging service was the first red flag with the Superbox devices she examined. She also discovered the streaming boxes included powerful network analysis and remote access tools, such as Tcpdump and Netcat.
βThis thing DNS hijacked my router, did ARP poisoning to the point where things fall off the network so they can assume that IP, and attempted to bypass controls,β she said. βI have root on all of them now, and they actually have a folder called βsecondstage.β These devices also have Netcat and Tcpdump on them, and yet they are supposed to be streaming devices.β
A quick online search shows various Superbox models and many similar Android streaming devices for sale at a wide range of top retail destinations, including Amazon, BestBuy, Newegg, and Walmart. Newegg.com, for example, currently lists more than three dozen Superbox models. In all cases, the products are sold by third-party merchants on these platforms, but in many instances the fulfillment comes from the e-commerce platform itself.
βNewegg is pretty bad now with these devices,β Ashley said. βEbay is the funniest, because they have Superbox in Spanish β the SuperCaja β which is very popular.β
Superbox devices for sale via Newegg.com.
Ashley said Amazon recently cracked down on Android streaming devices branded as Superbox, but that those listings can still be found under the more generic title βmodem and router comboβ (which may be slightly closer to the truth about the deviceβs behavior).
Superbox doesnβt advertise its products in the conventional sense. Rather, it seems to rely on lesser-known influencers on places like Youtube and TikTok to promote the devices. Meanwhile, Ashley said, Superbox pays those influencers 50 percent of the value of each device they sell.
βItβs weird to me because influencer marketing usually caps compensation at 15 percent, and it means they donβt care about the money,β she said. βThis is about building their network.β
A TikTok influencer casually mentions and promotes Superbox while chatting with her followers over a glass of wine.
As plentiful as the Superbox is on e-commerce sites, it is just one brand in an ocean of no-name Android-based TV boxes available to consumers. While these devices generally do provide buyers with βfreeβ streaming content, they also tend to include factory-installed malware or require the installation of third-party apps that engage the userβs Internet address in advertising fraud.
In July 2025, Google filed a βJohn Doeβ lawsuit (PDF) against 25 unidentified defendants dubbed the βBadBox 2.0 Enterprise,β which Google described as a botnet of over ten million Android streaming devices that engaged in advertising fraud. Google said the BADBOX 2.0 botnet, in addition to compromising multiple types of devices prior to purchase, can also infect devices by requiring the download of malicious apps from unofficial marketplaces.
Some of the unofficial Android devices flagged by Google as part of the Badbox 2.0 botnet are still widely for sale at major e-commerce vendors. Image: Google.
Several of the Android streaming devices flagged in Googleβs lawsuit are still for sale on top U.S. retail sites. For example, searching for the βX88Pro 10β and the βT95β Android streaming boxes finds both continue to be peddled by Amazon sellers.
Googleβs lawsuit came on the heels of a June 2025 advisory from the Federal Bureau of Investigation (FBI), which warned that cyber criminals were gaining unauthorized access to home networks by either configuring the products with malicious software prior to the userβs purchase, or infecting the device as it downloads required applications that contain backdoors, usually during the set-up process.
βOnce these compromised IoT devices are connected to home networks, the infected devices are susceptible to becoming part of the BADBOX 2.0 botnet and residential proxy services known to be used for malicious activity,β the FBI said.
The FBI said BADBOX 2.0 was discovered after the original BADBOX campaign was disrupted in 2024. The original BADBOX was identified in 2023, and primarily consisted of Android operating system devices that were compromised with backdoor malware prior to purchase.
Riley Kilmer is founder of Spur, a company that tracks residential proxy networks. Kilmer said Badbox 2.0 was used as a distribution platform for IPidea, a China-based entity that is now the worldβs largest residential proxy network.
Kilmer and others say IPidea is merely a rebrand of 911S5 Proxy, a China-based proxy provider sanctioned last year by the U.S. Department of the Treasury for operating a botnet that helped criminals steal billions of dollars from financial institutions, credit card issuers, and federal lending programs (the U.S. Department of Justice also arrested the alleged owner of 911S5).
How are most IPidea customers using the proxy service? According to the proxy detection service Synthient, six of the top ten destinations for IPidea proxies involved traffic that has been linked to either ad fraud or credential stuffing (account takeover attempts).
Kilmer said companies like Grass are probably being truthful when they say that some of their customers are companies performing web scraping to train artificial intelligence efforts, because a great deal of content scraping which ultimately benefits AI companies is now leveraging these proxy networks to further obfuscate their aggressive data-slurping activity. By routing this unwelcome traffic through residential IP addresses, Kilmer said, content scraping firms can make it far trickier to filter out.
βWeb crawling and scraping has always been a thing, but AI made it like a commodity, data that had to be collected,β Kilmer told KrebsOnSecurity.Β βEverybody wanted to monetize their own data pots, and how they monetize that is different across the board.β
Products like Superbox are drawing increased interest from consumers as more popular network television shows and sportscasts migrate to subscription streaming services, and as people begin to realize theyβre spending as much or more on streaming services than they previously paid for cable or satellite TV.
These streaming devices from no-name technology vendors are another example of the maxim, βIf something is free, you are the product,β meaning the company is making money by selling access to and/or information about its users and their data.
Superbox owners might counter, βFree? I paid $400 for that device!β But remember: Just because you paid a lot for something doesnβt mean you are done paying for it, or that somehow you are the only one who might be worse off from the transaction.
It may be that many Superbox customers donβt care if someone uses their Internet connection to tunnel traffic for ad fraud and account takeovers; for them, it beats paying for multiple streaming services each month. My guess, however, is that quite a few people who buy (or are gifted) these products have little understanding of the bargain theyβre making when they plug them into an Internet router.
Superbox performs some serious linguistic gymnastics to claim its products donβt violate copyright laws, and that its customers alone are responsible for understanding and observing any local laws on the matter. However, buyer beware: If youβre a resident of the United States, you should know that using these devices for unauthorized streaming violates the Digital Millennium Copyright Act (DMCA), and can incur legal action, fines, and potential warnings and/or suspension of service by your Internet service provider.
According to the FBI, there are several signs to look for that may indicate a streaming device you own is malicious, including:
-The presence of suspicious marketplaces where apps are downloaded.
-Requiring Google Play Protect settings to be disabled.
-Generic TV streaming devices advertised as unlocked or capable of accessing free content.
-IoT devices advertised from unrecognizable brands.
-Android devices that are not Play Protect certified.
-Unexplained or suspicious Internet traffic.
This explainer from the Electronic Frontier Foundation delves a bit deeper into each of the potential symptoms listed above.
Article tags
Afraid of connecting to public Wi-Fi? Terrified to turn your Bluetooth on? You may be falling for "hacklore," tall tales about cybersecurity that distract you from real dangers. Dozens of chief security officers and ex-CISA officials have launched an effort and website to dispel these myths and show you how not to get hacked for real.β¦
Hi all,
Iβve published a technical case study analyzing a design issue in how the Binance API enforces IP whitelisting. This is not about account takeover or fund theft β itβs about a trust-boundary mismatch between the API key and the secondary listenKey used for WebSocket streams.
This is not a direct account compromise.
Itβs market-intelligence leakage, which can be extremely valuable when aggregated across many users or bot frameworks.
Many users rely on IP whitelisting as their final defensive barrier. The listenKey silently bypasses that assumption. This creates a false sense of security and enables unexpected data exposure patterns that users are not aware of.
I responsibly reported this and waited ~11 months.
The issue was repeatedly categorized as βsocial engineering,β despite clear architectural implications. Therefore, I have published the analysis openly.
A series of "trivial-to-exploit" vulnerabilities in Fluent Bit, an open source log collection tool that runs in every major cloud and AI lab, was left open for years, giving attackers an exploit chain to completely disrupt cloud services and alter data.β¦
Real estate finance business SitusAMC says thieves sneaked into its systems earlier this month and made off with confidential client data.β¦
A self-propagating malware targeting node package managers (npm) is back for a second round, according to Wiz researchers who say that more than 25,000 developers had their secrets compromised within three days.β¦
The Federal Communications Commission (FCC) has scrapped a set of telecom cybersecurity rules introduced after the Salt Typhoon espionage campaign, reversing course on measures designed to stop state-backed snoops from slipping back into America's networks.β¦
CISA has ordered US federal agencies to patch against an actively exploited Oracle Identity Manager (OIM) flaw within three weeks β a scramble made more urgent by evidence that attackers may have been abusing the bug months before a fix was released.β¦
Shai-Hulud second attack analysis: Over 300 NPM Packages and 21K Github Repos infected via Fake Bun Runtime Within Hours
Partner Content From 6th to 10th October 2025, ten exceptional cyber enthusiasts proudly flew the flag for the United Kingdom in the European Cyber Security Challenge (ECSC), held this year in the vibrant setting of Poland.β¦
FreshRSS