CyberTech Intelligence

Residential Proxy Networks Are Expanding the Enterprise Threat Landscape

Consumer electronics purchased at mainstream retail outlets are being delivered with pre-installed software that converts residential broadband connections into nodes in a commercial proxy network, routing third-party traffic through subscriber households without disclosure or consent. The devices function normally for streaming media but operate a second, hidden workload: relaying internet traffic on behalf of unknown clients who pay for access to residential IP addresses that appear legitimate to security systems designed to block datacenter and VPN sources.

The exposure is not theoretical. Intercepted traffic flowing through these residential proxies includes login credentials for gaming platforms, SMS verification codes used in real-time account takeover operations, automated attempts to bypass enterprise security controls, and large-scale web scraping that leverages the trustworthiness of home IP addresses to evade rate limiting and bot detection. Subscribers whose devices have been conscripted into this infrastructure experience network performance degradation but possess no visibility into why their bandwidth is being consumed or what their internet connection is being used to facilitate.

New research from Plume Security Labs, the threat intelligence division of subscriber experience platform provider Plume Design, exposes the architecture of a residential proxy network embedded inside SuperBox Android streaming devices sold through major U.S. retailers including Amazon and specialty electronics stores. The investigation, spanning multiple device models and months of telemetry analysis across tens of thousands of households, details how dormant proxy software activates after installation and begins routing traffic volumes sufficient to destabilize home networks. The findings represent the first public reverse-engineering of the Popanet proxy system and reveal a professionally constructed command-and-control infrastructure operating across more than 250 verified server addresses.

What Happens When a Streaming Device Becomes a Proxy Node Without User Knowledge

When a subscriber installs the Cyberflix TV application (distributed through SuperBox’s custom app store), the app silently downloads and activates Popanet, a residential proxy client that registers the device with a remote command server. From that point forward, the device accepts inbound proxy requests from paying customers of the proxy service, routing their traffic through the subscriber’s broadband connection and out to the internet as if the requests originated from that household.

The traffic volume is substantial. Plume’s telemetry recorded tens of thousands of outbound connections per device per day, reaching thousands of distinct destination addresses. In practice, that means a single compromised streaming device can generate more external connections in 24 hours than all other devices in a typical household combined. For ISPs operating capacity-managed networks or subscribers on metered broadband plans, that traffic represents resource consumption the customer did not authorize and may be billed for.

The content of the proxied traffic raises distinct concerns. Plume researchers intercepted actual data flows passing through the proxy network and identified sensitive authentication credentials, including login tokens for gaming platforms and messaging application verification codes that could be used to complete account takeover sequences in real time. They also observed deliberate attempts to defeat enterprise security systems: automated tools probing corporate web applications from residential IP addresses to evade security controls that block known datacenter ranges, and large-scale scraping operations harvesting data from sites that rate-limit or ban requests from commercial proxies.

“The average connected home is becoming increasingly complex, more like a corporate network, and threats like this one illustrate the need for significantly enhanced levels of intelligence and security,” said Chris Griffiths, Chief Technology Officer at Plume. “ISPs are better situated than ever to be on the forefront of detecting and resolving these issues. By leveraging AI and large-scale network orchestration across hundreds of millions of devices, we can help ISPs spot anomalies that individual households or traditional security tools often miss, and act on them before they spread.”

The operational risk extends beyond bandwidth theft. The proxy software attempts to implement network segmentation to prevent remote users from accessing the subscriber’s local devices, but the Plume investigation identified a bypass flaw confirmed through live testing. Remote proxy users can exploit this vulnerability to reach the streaming device’s own internal services and potentially extend access to other devices on the home network. A residential proxy node, intended to relay external traffic, becomes a potential pivot point into the subscriber’s LAN.

The Technical Architecture That Enables Silent Proxy Deployment

The mechanism that allows this proxy infrastructure to deploy without user awareness or consent is SuperBox’s custom Android application store. Unlike the Google Play Store, which requires developer verification, performs automated security scanning, and presents permission requests to users before installation, the SuperBox store operates with full administrative privileges and installs applications silently. No security verification occurs. No warnings are displayed. No user approval is required.

This architecture bypasses the entire Android application sandbox model. Standard Android installations require explicit user consent for applications that request network access, storage permissions, or background execution. The SuperBox store holds system-level privileges that override these protections, meaning any application added to the store’s catalog (controlled by the store operator, not by Google or the device owner) can be installed with arbitrary permissions and begin execution without the subscriber’s knowledge.
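One practical check a defender can run against a suspect box is to audit which installer put each package on the device. Android records the initiating package for every install, so applications pushed by a privileged vendor store carry the store's name as installer, and an application that in turn drops a further component shows up as an installer itself. The following is an added example, not code from Plume or from any device vendor: it parses the output of `adb shell pm list packages -i` and groups packages by untrusted installer. The `pm` output format is real; the sample output, the store and app package names (`com.example.vendorstore`, `tv.example.streamingapp`, `net.example.relayclient`) and the trusted-installer set are constructed placeholders, not the real identifiers of SuperBox, Cyberflix TV or Popanet.

```python
import re

# Installer package names treated as expected on a stock Android TV build. This set is an
# assumption for the example; extend it with the device maker's own legitimate updater.
TRUSTED_INSTALLERS = {
    "com.android.vending",                  # Google Play Store
    "com.android.packageinstaller",         # stock installer (user-confirmed sideload)
    "com.google.android.packageinstaller",
}

# One line of `adb shell pm list packages -i` output looks like:
#   package:com.example.app  installer=com.android.vending
# 'installer=null' means no installer was recorded, typical for apps preloaded in the image.
_LINE_RE = re.compile(r"^package:(?P<pkg>\S+)\s+installer=(?P<inst>\S+)\s*$")

# Constructed sample output. All package names below are placeholders, not the real
# identifiers of any vendor store or streaming app.
SAMPLE_PM_OUTPUT = """\
package:com.android.settings  installer=null
package:com.google.android.youtube.tv  installer=com.android.vending
package:com.netflix.ninja  installer=com.android.vending
package:com.example.vendorstore  installer=null
package:tv.example.streamingapp  installer=com.example.vendorstore
package:net.example.relayclient  installer=tv.example.streamingapp
package:com.example.sideloaded  installer=com.android.packageinstaller
"""


def parse_pm_list(text):
    """Return {package: installer} from `pm list packages -i` output; malformed lines are skipped."""
    result = {}
    for line in text.splitlines():
        m = _LINE_RE.match(line.strip())
        if m:
            result[m.group("pkg")] = m.group("inst")
    return result


def find_unexpected_installs(installed, trusted=TRUSTED_INSTALLERS):
    """Group packages by installer, keeping only installers that are neither trusted nor 'null'.

    A privileged vendor store appears here as the installer of everything it pushed, and an
    app that drops further components appears as an installer in its own right.
    """
    suspicious = {}
    for pkg, inst in installed.items():
        if inst == "null" or inst in trusted:
            continue
        suspicious.setdefault(inst, []).append(pkg)
    return {inst: sorted(pkgs) for inst, pkgs in sorted(suspicious.items())}


def install_chain(installed, pkg, trusted=TRUSTED_INSTALLERS):
    """Follow installer links from pkg back to a trusted installer or a preload ('null')."""
    chain = [pkg]
    while True:
        inst = installed.get(chain[-1], "null")
        chain.append(inst)
        # Stop at a trusted installer, a preload, or a cycle (defensive; should not occur).
        if inst == "null" or inst in trusted or chain.count(inst) > 1:
            return chain


if __name__ == "__main__":
    installed = parse_pm_list(SAMPLE_PM_OUTPUT)
    for inst, pkgs in find_unexpected_installs(installed).items():
        print(f"installer {inst} placed: {', '.join(pkgs)}")
    print(" -> ".join(install_chain(installed, "net.example.relayclient")))
```

Run against a real device, the interesting output is any installer chain that terminates in a preloaded package other than the Play Store: that is the path a silently installing store would leave behind, and `install_chain` makes the two-hop pattern described above (store installs app, app installs a relay component) visible in one line.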

The Popanet proxy client itself is embedded inside the Cyberflix TV application, which subscribers install intentionally for media streaming. The proxy component activates after installation and begins communicating with command-and-control infrastructure hosted across multiple providers. Plume researchers fully reverse-engineered the command-and-control protocol, the first publicly documented teardown of the Popanet system, and mapped the communication flow between compromised devices and more than 250 verified proxy server addresses distributed across datacenter infrastructure in multiple jurisdictions.

The proxy network is not an isolated incident. The same Popanet residential proxy software has been identified in other consumer media streaming devices and was used in the Vo1d botnet campaign, which compromised Android TV boxes globally. “These devices ship with remote access and full administrative control, wide open and require no password, no authentication, no user approval,” said Griffiths. That observation points to a broader supply chain problem: consumer electronics manufacturers are shipping devices with architectural decisions (unrestricted remote access, privilege-escalated app stores, pre-installed software with hidden functionality) that create systemic security exposure across the streaming device ecosystem.

How ISP-Scale Telemetry Detects Threats That Endpoint Tools Cannot See

The proxy network inside SuperBox devices was discovered not by endpoint antivirus software or user reports, but by anomaly detection across ISP network telemetry. Plume’s platform monitors more than 500 million connected devices across 40 million households globally, providing visibility into traffic patterns at a scale that individual security tools operating on single devices cannot achieve. When an unusually high number of streaming devices across multiple ISP networks began generating outbound connection volumes sufficient to destabilize residential broadband performance, Plume’s Network Operations Center flagged the pattern for investigation.

That detection model reflects a structural advantage ISPs hold in identifying residential proxy networks and IoT-based threats. A single household cannot determine whether its streaming device is generating 50,000 outbound connections per day because consumer routers do not expose per-device connection logs in a usable format. Endpoint security software running on laptops and phones does not monitor the network behavior of IoT devices on the same LAN. But ISP infrastructure sits at the aggregation point where all household traffic converges, and platforms that correlate behavior across millions of subscribers can identify anomalies that would be invisible to any single household or endpoint agent.
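The two criteria the article gives for a conscripted device, a connection count that exceeds every other device in the household combined and a fan-out to a very large number of distinct destinations, are easy to express as a per-device aggregation over flow records. The following is an added example, not Plume's detection logic or any ISP's telemetry format: it builds a constructed 24-hour household (a laptop, a phone, and a streaming box relaying proxy traffic), aggregates connections and distinct destinations per device MAC, and flags devices that pass both tests. The flow tuple layout, the thresholds, and the destination addresses (drawn from the RFC 5737 documentation blocks) are all assumptions of the example.

```python
import random
from collections import defaultdict

# Three RFC 5737 documentation blocks give 762 constructed destination addresses.
_DOC_BLOCKS = ("192.0.2", "198.51.100", "203.0.113")
_DEST_POOL = [f"{b}.{h}" for b in _DOC_BLOCKS for h in range(1, 255)]


def build_sample_flows(seed=7):
    """Constructed 24h of flow records for one household as (device_mac, dst_ip, dst_port).

    Two devices behave normally; the third plays a streaming box relaying proxy traffic.
    Volumes are illustrative assumptions, not measurements from the investigation.
    """
    rng = random.Random(seed)
    profiles = {
        "aa:bb:cc:00:00:01": (180, 30, [443, 80]),                 # laptop
        "aa:bb:cc:00:00:02": (120, 20, [443]),                     # phone
        "aa:bb:cc:00:00:03": (6000, 700, [443, 80, 8080, 5222]),   # streaming box as proxy node
    }
    flows = []
    for mac, (n_conns, n_dsts, ports) in profiles.items():
        dsts = rng.sample(_DEST_POOL, n_dsts)
        for _ in range(n_conns):
            flows.append((mac, rng.choice(dsts), rng.choice(ports)))
    rng.shuffle(flows)
    return flows


def aggregate_per_device(flows):
    """Connection count and distinct destination count per device MAC."""
    stats = defaultdict(lambda: {"connections": 0, "destinations": set()})
    for mac, dst, _port in flows:
        stats[mac]["connections"] += 1
        stats[mac]["destinations"].add(dst)
    return {
        mac: {"connections": s["connections"], "distinct_dsts": len(s["destinations"])}
        for mac, s in stats.items()
    }


def flag_proxy_candidates(per_device, min_connections=1000, min_distinct_dsts=500):
    """Flag devices that out-connect the rest of the household combined AND exceed both
    absolute thresholds. The distinct-destination test keeps a legitimate heavy streamer
    (many connections to a handful of CDN hosts) from being flagged."""
    total = sum(d["connections"] for d in per_device.values())
    flagged = []
    for mac, d in per_device.items():
        others = total - d["connections"]
        dominates_household = d["connections"] > others
        if (dominates_household
                and d["connections"] >= min_connections
                and d["distinct_dsts"] >= min_distinct_dsts):
            flagged.append(mac)
    return sorted(flagged)


if __name__ == "__main__":
    flows = build_sample_flows()
    stats = aggregate_per_device(flows)
    for mac, d in sorted(stats.items()):
        print(f"{mac}: {d['connections']} connections to {d['distinct_dsts']} distinct destinations")
    print("proxy candidates:", flag_proxy_candidates(stats))
```

The household-dominance test is what makes this an ISP-side check rather than an endpoint one: it needs the flows of every device behind the same subscriber connection, which is exactly the aggregation point the paragraph above describes. In production the thresholds would be set from baselines across many households rather than the fixed values used here.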

“The SuperProxy investigation is a wake-up call,” said Eric Svenson, Vice President of Technology Engineering and Operations at Armstrong, a multi-state broadband operator based in Pennsylvania. “Consumer devices are being weaponized inside our subscribers’ homes, and as their ISP, we have both the responsibility and the vantage point to do something about it.” That statement captures the operational shift occurring in ISP security posture: the recognition that subscriber protection now requires active threat detection and remediation at the network layer, not just connectivity and bandwidth delivery.

Plume’s response to the SuperBox proxy network includes identification and isolation of compromised devices, blocking communication with known command-and-control infrastructure, and sharing threat intelligence with ISP customers to enable coordinated mitigation. The detection methodology developed for residential proxies is being extended to identify other IoT-based threats, including distributed denial-of-service (DDoS) malware and botnet agents that exhibit similar traffic patterns.

Where This Fits in the Residential Proxy and IoT Threat Landscape

Residential proxy networks are not new, but the deployment model identified in the SuperBox investigation represents a distinct category. Legitimate residential proxy services like Honeygain, PacketStream, and Pawns.app operate on an opt-in basis: users install software knowingly, consent to share bandwidth in exchange for payment, and can uninstall the client at any time. These services are used by researchers, brand protection firms, and ad verification companies that require residential IP addresses to validate how content appears to end users in specific geographies.

The SuperBox proxy network operates without informed consent. Subscribers who purchase the device for media streaming do not receive disclosure that their internet connection will be used to relay third-party traffic, do not receive compensation for the bandwidth consumed, and in most cases do not possess the technical visibility to discover that the proxy is running. From a regulatory and consumer protection perspective, that distinction is significant. Unauthorized use of a subscriber’s internet connection for commercial purposes implicates FTC Act Section 5 prohibitions on unfair and deceptive practices and may violate state-level computer fraud and unauthorized access statutes.

The IoT supply chain threat dimension aligns with broader patterns documented in Mirai, Emotet, and more recently the Vo1d botnet, all of which exploited insecure consumer devices to build large-scale attack infrastructure. What distinguishes the SuperBox case is that the proxy functionality is not the result of a post-sale compromise; it is embedded in the device’s software supply chain before retail sale. The threat is not an external attacker exploiting a vulnerability. It is the device manufacturer (or a software provider in the supply chain) intentionally including code that monetizes the subscriber’s network resources without disclosure.

Other IoT security research firms, including BitSight, Team Cymru, and RiskIQ (now part of Microsoft), have documented similar supply chain risks in IP cameras, routers, and smart home devices. The common pattern is devices that ship with hardcoded credentials, unpatched vulnerabilities, or undocumented remote access mechanisms that enable post-sale control by parties other than the device owner. The residential proxy model identified in SuperBox extends that pattern into a new monetization vector: rather than simply enabling botnet recruitment, the device actively generates revenue by selling access to the subscriber’s network.

The Budget and Operational Shift This Threat Drives for ISPs

The SuperBox incident points to a budget shift for ISP security operations and protection infrastructure. ISPs have traditionally treated security as a value-added service for subscribers who sign up for it, such as DNS filtering or antivirus licenses. The residential proxy threat changes that calculus: ISPs are now under pressure to address the operational risks (network stability, subscriber complaints, and legal exposure with law enforcement agencies) created by malicious activity emanating from infected devices on the subscriber side.

ISP security services are moving from optional upsells to baseline infrastructure requirements. Platforms that provide device-level telemetry, anomaly detection, and automated threat response (offered by vendors including Plume, Cujo AI, and ESET Home Security for ISPs) are being evaluated as core network management tools rather than subscriber-facing products. The business case is no longer “can we monetize this as a premium service?” but rather “what is the operational cost of not having visibility into what devices are doing on our network?”

From a regulatory and liability standpoint, ISPs that can demonstrate they actively monitor and mitigate compromised subscriber devices are in a stronger position with respect to the DMCA Section 512 safe harbor, which shields ISPs from liability when they lack actual knowledge of infringing activity and act to remedy it once notified. Where an ISP’s network has been used for identity theft, account takeover, or bypassing corporate security controls through residential proxies, constructive notice becomes a relevant consideration in both civil and regulatory cases.

Internet Service Providers With the Most Immediate Exposure

The organizations facing the shortest remediation window are ISPs that serve subscriber bases where SuperBox devices are already deployed at scale. For these providers, the proxy network is not a hypothetical risk; it is active infrastructure consuming bandwidth, destabilizing network performance, and routing potentially illegal traffic through subscriber connections under their autonomous system numbers (ASNs). The operational priority is identifying which subscribers have these devices, isolating the command-and-control traffic, and either remediating the devices or notifying subscribers to replace them.

Multi-dwelling unit (MDU) operators and student housing providers face compounded risk. These environments frequently operate shared or metered bandwidth infrastructure where a single high-traffic device can degrade performance for an entire building. If a resident installs a SuperBox device that begins generating tens of thousands of proxy connections per day, the impact extends beyond that subscriber’s unit to everyone sharing the same uplink. MDU operators that lack per-unit traffic monitoring cannot easily identify which device is causing the degradation, leading to support costs and subscriber churn.

Broadband providers subject to abuse complaint workflows from hosting providers, enterprise security teams, or law enforcement also face direct operational impact. When proxied traffic from a subscriber’s IP address triggers fraud detection systems, attempts unauthorized access to corporate applications, or participates in credential stuffing attacks, the abuse report is sent to the ISP that owns the IP block. For providers without the telemetry to distinguish between subscriber-initiated traffic and proxy-relayed traffic, every abuse complaint requires manual investigation to determine whether the subscriber is at fault or whether their connection has been hijacked.

The shortest runway belongs to ISPs that have already received abuse complaints or network performance escalations related to streaming devices but have not yet identified the root cause. If your network operations team is seeing unexplained outbound connection spikes from residential subscribers, if your abuse desk is fielding fraud reports tied to IP addresses assigned to customers with no history of malicious activity, or if subscribers are reporting intermittent performance issues that resolve when specific devices are disconnected, the SuperBox proxy network may already be operating inside your infrastructure. The question is not whether to invest in detection capabilities. It is whether you discover the problem through proactive monitoring or through a law enforcement inquiry asking why your network was used to facilitate account takeover operations at scale.

Research and Intelligence Sources: Plume
