Plume Security Labs Exposes Hidden Proxy Network Inside SuperBox Streaming Devices that Route Potentially Harmful Traffic over Home Networks

Investigation reveals media streaming devices sold at major U.S. retailers silently tunnel third-party internet traffic, including potentially stolen credentials and enterprise security bypass operations, through subscribers’ home broadband connections

PALO ALTO, Calif., May 28, 2026 /PRNewswire/ — Plume Design, Inc. (“Plume”), the global subscriber experience platform for more than 450 Internet Service Providers (ISPs) across 58 countries, today released a report that uncovers significant security concerns found in SuperBox Android streaming devices sold at major U.S. retailers, which contain dormant software that, when activated, converts consumers’ home internet connections into nodes in a residential proxy network, or SuperProxy. The proxy routes unknown third-party traffic that includes potentially stolen credentials, account takeover materials and enterprise security bypass operations through subscriber households without their knowledge or consent. The report, based on a months-long investigation, is the first in a series from Plume’s Security Labs.

“The average connected home is becoming increasingly complex, more like a corporate network, and threats like this one illustrate the need for significantly enhanced levels of intelligence and security,” said Chris Griffiths, Chief Technology Officer at Plume. “ISPs are better situated than ever to be on the forefront of detecting and resolving these issues. By leveraging AI and large-scale network orchestration across hundreds of millions of devices, we can help ISPs spot anomalies that individual households or traditional security tools often miss, and act on them before they spread.”

Plume manages one of the most comprehensive data sets in the telecommunications industry, monitoring more than 500 million connected devices across 40 million households globally. After an alert from a customer, Plume’s Network Operations Center flagged anomalous outbound traffic from an unusually high number of streaming devices across its network. The traffic volume was sufficient to destabilize residential networks, prompting Plume’s Security Labs to launch a comprehensive technical investigation into streaming devices, spanning multiple models, across its user base.

“The SuperProxy investigation is a wake-up call,” said Eric Svenson, Vice President, Technology Engineering and Operations at Armstrong (a multi-state operator based in Pennsylvania). “Consumer devices are being weaponized inside our subscribers’ homes, and as their ISP, we have both the responsibility and the vantage point to do something about it. Plume’s research is the kind of partnership our industry needs more of; work that protects Armstrong customers today and sets a higher standard for what every subscriber should expect from their provider.”

“These devices ship with remote access and full administrative control, wide open and require no password, no authentication, no user approval,” said Griffiths. “Unfortunately, this isn’t limited to a single product. The same residential proxy software was used in other types of consumer media streaming devices and also used in other malicious campaigns such as the Vo1d botnet, which demonstrates this is a broader supply-chain problem across the streaming ecosystem.”

Five Key Findings

A streaming app secretly turns the device into a proxy network node. One of the apps available through SuperBox’s custom application store, Cyberflix TV, contains hidden proxy software called Popanet that silently registers the device with a remote command server and begins relaying foreign internet traffic through the subscriber’s home connection. Plume’s telemetry recorded tens of thousands of outbound connections per device per day to thousands of distinct destinations.

Sensitive credentials and security bypass attempts are flowing through subscriber homes. Researchers intercepted the actual traffic being routed through the proxy and found sensitive login credentials for gaming platforms, messaging app verification codes that could be used for real-time account takeovers, deliberate attempts to defeat enterprise security systems and large-scale automated web scraping, all passing through consumer broadband connections without the subscriber’s knowledge.

Plume mapped more than 250 proxy server addresses. Researchers fully reverse-engineered Popanet’s command-and-control protocol — the first publicly known teardown of this system — and mapped more than 250 verified server addresses across multiple hosting providers, revealing a professionally built proxy operation.

A security flaw in the proxy’s own code exposes the home network. The proxy attempts to block access to the subscriber’s local network, but contains a bypass that was confirmed through live testing. Remote proxy users can exploit this flaw to reach the device’s own internal services, potentially extending the compromise beyond the device to the home network itself.

SuperBox’s custom app store bypasses all standard Android safety checks. The store installs software silently with full administrative privileges: no security verification, no warnings and no user approval. Its catalog is controlled by the store’s operator, not by Google or the device owner.

Plume’s Approach

Plume is identifying and isolating these proxies for blocking at multiple levels and sharing intelligence with its ISP customers. Monitoring these proxies is extending Plume’s detection capabilities to additional threat types including Distributed Denial of Service (DDoS) tools and botnets.

Multi-phased Research

This is Part 1 of a three-part investigative series into SuperBox and the hidden security risks it presents inside subscriber homes. Part 2 will expose the malware ecosystem exploiting subscriber devices, including botnet agents and competing proxy SDKs, and detail how Plume helps ISPs detect and block these threats. Part 3 will examine the content delivery infrastructure behind SuperBox’s “latest movies” promise, presenting technical evidence that raises serious questions about the origin of that content.

The full research paper is available at:

plume.com/resources/superproxy-the-unhealthy-marriage-of-superbox-and-residential-proxies

About Plume
Plume established the first managed WiFi platform for ISPs in 2016, enabling the company to scale across the globe and expand into managing the entire subscriber experience, including approximately 500 million connected devices, in 40 million homes, on behalf of 450 ISPs, across 58 countries. By integrating managed WiFi, cybersecurity and customer care, Plume created the first open, hardware-agnostic SaaS Subscriber Experience Platform for ISPs. Powered by an unmatched global dataset and AI optimization, the Plume Platform builds subscriber confidence through improved Wi-Fi experiences, seamless new service implementation and proactive customer care. Plume’s open-source framework OpenSync® is pre-integrated and supported on the leading silicon, CPE and platform SDKs, and supports leading industry standards like RDK-B and prplWave. Discover more about how Plume is empowering ISPs at plume.com.

About Armstrong
For over 80 years, Armstrong has been a leader in telecommunications technology and innovation. Founded in 1946 by Jud L. Sedwick as Armstrong County Line Construction, Armstrong remains a family-owned and operated company deeply committed to the communities it serves.

Armstrong’s world-class fiber network spans six states—Pennsylvania, Ohio, Maryland, New York, West Virginia, and Kentucky—delivering advanced infrastructure with a focus on exceptional customer service and satisfaction. The company provides 24/7 local support, transparent pricing, and complimentary technical service to residential and business customers throughout its service area.

For more information on Armstrong’s Advanced Fiber Network, please visit ArmstrongOneWire.com/network.