Plume: SuperBox streaming devices can turn home broadband into proxy nodes

Dormant software embedded in SuperBox Android home internet devices can convert consumer homes into SuperProxies, according to the latest research from Plume.
  • New research from Plume says SuperBox Android streaming devices contain dormant software that can convert home internet connections into nodes in a residential proxy network
  • Proxy nodes can route large volumes of anonymous internet traffic through home broadband connections
  • That traffic can include sensitive data as well as activity tied to cyberattacks and scraping

As if ISPs didn’t have enough to worry about between Broadband Equity, Access and Deployment (BEAD) chaos and the threat from satellite broadband providers, the very devices that bring the internet to their customers’ homes are potentially dangerous. According to new research from Plume, hidden bots and software can steal customer data or convert the devices into nodes that route anonymous traffic or act on behalf of bad guys.

More specifically, Plume said SuperBox Android streaming devices sold at major U.S. retailers contain dormant software that, when activated, converts consumers' home internet connections into nodes in a residential proxy network, or what’s called a SuperProxy.

How does it work?

Here’s how it works. Rogue streaming apps can quietly turn consumer devices into proxy nodes, routing large volumes of anonymous internet traffic through home broadband connections. That traffic can include sensitive data — from login credentials to verification codes — as well as activity tied to cyberattacks and scraping, all without the user’s awareness.

The report, which is part 1 of 3, noted that Plume’s experts traced a sizable, professionally run proxy network, identifying hundreds of command‑and‑control servers across multiple hosting providers.

As it turns out, flaws in the proxy software itself could expose the home network, allowing external users to potentially access internal services beyond the infected device.

Adding to the bad news, Plume claimed SuperBox's custom app store bypasses all standard Android safety checks. The store installs software silently with full administrative privileges: no security verification, no warnings and no user approval. Its catalog is controlled by the store's operator, not by Google or the device owner.

In a press release today, Plume said that it’s been “identifying and isolating these proxies for blocking at multiple levels and sharing intelligence with its ISP customers. Monitoring these proxies is extending Plume's detection capabilities to additional threat types including Distributed Denial of Service (DDoS) tools and botnets.”

What should ISPs do to protect their customers?

ISPs don’t have to rely on a single vendor platform to mitigate these risks, but Plume’s report underscores how little visibility they often have into what’s happening behind the broadband modem.

At a minimum, operators can lean on capabilities they already control: network-level traffic analysis to flag unusual outbound patterns, such as devices suddenly acting as proxy nodes; DNS filtering and threat intelligence feeds to block known malicious domains and command-and-control infrastructure; and stricter policies around app store ecosystems tied to ISP-issued hardware.
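As an added illustration of the traffic-analysis point (this is not code from Plume's report or from this article), the sketch below flags a device whose hourly destination fan-out suddenly jumps past its own baseline while its upload volume roughly mirrors its download volume, the pattern relayed traffic produces. The flow-record layout, device names, documentation-range addresses and thresholds are all assumptions constructed for the example.

```python
from collections import defaultdict

def summarize(flows):
    """Aggregate flows per (device, hour): destination set, bytes up, bytes down."""
    stats = defaultdict(lambda: {"dsts": set(), "up": 0, "down": 0})
    for hour, dev, dst, up, down in flows:
        s = stats[(dev, hour)]
        s["dsts"].add(dst)
        s["up"] += up
        s["down"] += down
    return stats

def flag_proxy_like(flows, min_dsts=20, min_ratio=0.5, jump=5):
    """Flag (device, hour) windows where fan-out jumps past the device's own
    baseline while upload roughly mirrors download, as relayed traffic does."""
    stats = summarize(flows)
    baseline = defaultdict(int)  # highest fan-out seen in earlier unflagged hours
    flagged = []
    for dev, hour in sorted(stats):
        s = stats[(dev, hour)]
        fanout = len(s["dsts"])
        ratio = s["up"] / max(s["down"], 1)
        sudden = fanout >= jump * max(baseline[dev], 1)
        if fanout >= min_dsts and ratio >= min_ratio and sudden:
            flagged.append((dev, hour))
        else:
            baseline[dev] = max(baseline[dev], fanout)
    return flagged

def sample_flows():
    """Constructed records: (hour, device, dst_ip, bytes_up, bytes_down)."""
    flows = []
    for hour in range(4):
        for i in range(30):   # laptop: many sites, download-heavy browsing
            flows.append((hour, "laptop", f"192.0.2.{i}", 200_000, 5_000_000))
        # camera: upload-heavy, but a single cloud endpoint
        flows.append((hour, "camera", "198.51.100.200", 50_000_000, 500_000))
    for hour in range(3):
        for i in range(3):    # streaming box: a few CDNs, almost all download
            flows.append((hour, "tv-box", f"198.51.100.{i}", 1_000_000, 300_000_000))
    for i in range(40):       # hour 3: wide fan-out, near-symmetric bytes
        flows.append((3, "tv-box", f"203.0.113.{i}", 8_000_000, 8_500_000))
    return flows

if __name__ == "__main__":
    print(flag_proxy_like(sample_flows()))
```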

The rise of managed gateways also gives providers more leverage, allowing them to push firmware updates, segment home networks, and isolate compromised devices before threats spread laterally.

Longer term, ISPs may need to treat the home network as an extension of their security perimeter — combining anomaly detection, customer alerts, and partnerships with device makers to close gaps that increasingly sit outside traditional network boundaries.