SuperProxy:
When Your TV Box Becomes Someone Else’s Gateway

TL;DR for ISPs
Plume’s Security Lab has identified a popular streaming device that silently enrolls subscriber home networks into a commercial proxy operation. Close to 10,000 of these devices are active within Plume’s user base today. They are invisible to standard monitoring tools, generate enough traffic to destabilise residential networks and expose ISPs to potential liability. Plume is already working on detection and blocking at the network level.

TL;DR for ISPs’ subscribers
ISP subscribers who own a SuperBox device are unknowingly having their home connection used to relay third-party internet traffic. Their IP address becomes associated with activity they have no control over, including potentially harmful or illegal requests. Network slowdowns are a documented side effect. This is a subscriber trust and duty-of-care issue that ISPs need visibility into.


Introduction

This is the first published research from Plume Security Lab. Our researchers combine deep device and application expertise with access to one of the largest residential network datasets in the world, giving them a vantage point that makes threats visible before they become industry-wide problems.

The security of subscribers’ households and ISPs’ networks is one of our most important priorities at Plume. When Plume’s Network Operations Center flagged a group of IoT devices generating abnormal volumes of outbound traffic, the initial question was simple: hardware fault or malicious intent? What followed was a months-long technical investigation that answered that question clearly, and uncovered something far more troubling than a malfunctioning device. Our findings are now published in a research paper. The full document can be found here.

The device in question was a SuperBox, an Android-based media player sold with a headline promise: pay once, get access to thousands of TV channels and the latest movies, no subscription required. At $300 to $500, it is not a bargain purchase. But as our Security Lab discovered, the real cost is paid by the subscriber’s home network.


What we found

SuperBox devices ship with two properties that, in combination, effectively eliminate the device’s security boundary. Android Debug Bridge (ADB) is enabled over TCP on port 5858, accepting connections from any device on the local network with no approval required. The su binary grants root access without authentication. Any device sharing the same network can silently gain full control of the box, with no exploitation required.

The device also ships with a custom application store that operates with system-level privileges, so every app it installs bypasses Android’s standard protections: no signature verification, no unknown-sources warning, no Play Protect scan. The store’s catalog is controlled by its operator, not the user.

One of the apps available through that store, Cyberflix TV, contains an embedded SDK called Popanet. Once Cyberflix TV is launched, the app silently registers the device as a node in a commercial residential proxy network. It opens a persistent tunnel to a remote command server, transmits the device’s identity, location, carrier, ASN and network type, then waits for instructions to relay third-party internet traffic indefinitely.

Our telemetry identified tens of thousands of connection requests per device per day, routed to thousands of distinct destinations. Mapping the infrastructure behind Popanet revealed at least 255 verified IP addresses across multiple server clusters.
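The signal described above is fan-out: a proxy node contacts thousands of unrelated destinations, while a genuine streaming box talks to a handful of CDN endpoints over and over. The following is an added example, not Plume’s detection logic; it runs over constructed flow records and the thresholds are assumptions chosen for illustration.

```python
"""Flag LAN devices whose outbound flow pattern looks like a residential proxy node."""
from collections import defaultdict

# Assumed thresholds for this example, not Plume's production values.
MAX_CONNS_PER_DAY = 5000
MAX_DISTINCT_DSTS_PER_DAY = 500


def summarise(flows):
    """Return {(device, day): (connection_count, distinct_destinations)}.

    Each flow is (device, iso_timestamp, dst_ip, dst_port, bytes_out).
    """
    conns = defaultdict(int)
    dsts = defaultdict(set)
    for device, ts, dst_ip, dst_port, _bytes_out in flows:
        day = ts[:10]                      # ISO timestamp -> YYYY-MM-DD
        key = (device, day)
        conns[key] += 1
        dsts[key].add((dst_ip, dst_port))
    return {k: (conns[k], len(dsts[k])) for k in conns}


def suspicious_devices(flows):
    """Devices that on any day exceed both the volume and the fan-out threshold."""
    flagged = set()
    for (device, _day), (n_conns, n_dsts) in summarise(flows).items():
        if n_conns > MAX_CONNS_PER_DAY and n_dsts > MAX_DISTINCT_DSTS_PER_DAY:
            flagged.add(device)
    return sorted(flagged)


def constructed_flows():
    """Constructed sample data: one ordinary box and one proxy node, same day."""
    flows = []
    # Ordinary box: 3000 flows, all to four CDN addresses (documentation range).
    for i in range(3000):
        flows.append(("tvbox-normal", "2024-05-01T%02d:00:00" % (i % 24),
                      "198.51.100.%d" % (i % 4), 443, 1500))
    # Proxy node: 12000 flows fanning out to 3000 distinct (ip, port) pairs.
    for i in range(12000):
        flows.append(("tvbox-proxy", "2024-05-01T%02d:00:00" % (i % 24),
                      "203.0.113.%d" % (i % 250), 80 + (i % 3000), 600))
    return flows


if __name__ == "__main__":
    print(suspicious_devices(constructed_flows()))   # ['tvbox-proxy']
```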


What this means for subscribers and ISPs

If a subscriber owns one of these devices, their home internet connection is being used by strangers without their knowledge or consent. Someone can be using the subscriber’s IP address to scrape websites, access accounts or bypass security systems. If anything illegal or harmful flows through that connection, it potentially traces back to the subscriber. The volume of proxy traffic can also cause network slowdowns or instability. For ISPs, the picture is equally concerning: residential networks can degrade when multiple SuperBox devices transmit at their maximum throughput at the same time, with no visible warning sign on any standard monitoring tool.


What Plume is doing about it

Plume is working to identify and isolate these proxies so that they can be blocked at multiple levels (DNS, C2 and residential proxy traffic).

Plume will also share these insights with its ISP partners and work with them to mitigate the problem. By monitoring these proxies, Plume gains additional insight into the threat landscape and can extend its detection capabilities to other threat types (DDoS tools, botnets, etc.).


What flows through the tunnel

To understand how these proxy connections were being used, our researchers re-routed proxied traffic and intercepted it in real time. What they found was not limited to harmless web scraping.

A significant proportion of proxied traffic failed to properly verify SSL certificates, effectively stripping encryption and exposing headers, cookies and login credentials in plaintext. Among the traffic captured: account management requests for EA (Electronic Arts), WhatsApp verification codes, search queries across Google and Bing covering medical topics and personal services, and deliberate attempts to bypass Cloudflare and AWS WAF bot mitigation systems using residential IP addresses to impersonate legitimate home users.

In a real-world attack scenario, a proxy operator with access to intercepted verification codes could execute a real-time account takeover.


The deeper risk

The open ADB port and ungated root access are not simply an entry point for Popanet. They are an entry point for anything. Any other device on the subscriber’s local network can exploit the same access path. And Popanet’s internal network protection contains a bypass: the IP address 0.0.0.0 is not blocked by its filtering logic but is routed by the underlying Linux kernel to localhost, giving a remote proxy operator a path to the device’s own local services, including that open ADB port.
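The bypass above is a deny-list problem: a filter that enumerates the familiar internal ranges but never considers 0.0.0.0 lets a relayed request reach the device’s own services. The block below is an added example, not Popanet’s code; `naive_is_allowed` is a hypothetical reconstruction of such a deny-list, and `hardened_is_allowed` shows the allow-list form (only globally routable unicast destinations pass, IPv4-mapped IPv6 is unwrapped first) that a proxy SDK running inside a home network should have used.

```python
import ipaddress

# Hypothetical deny-list: blocks the usual internal ranges but overlooks 0.0.0.0,
# which the Linux kernel routes to the local host.
_NAIVE_DENY = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16",
)]


def naive_is_allowed(dst: str) -> bool:
    """Deny-list check: anything not explicitly listed is relayed."""
    addr = ipaddress.ip_address(dst)
    return not any(addr in net for net in _NAIVE_DENY)


def hardened_is_allowed(dst: str) -> bool:
    """Allow-list check: relay only to globally routable unicast addresses.

    Hostnames are rejected here; a real relay must resolve them first and
    re-check every resolved address with this function.
    """
    try:
        addr = ipaddress.ip_address(dst)
    except ValueError:
        return False
    # "::ffff:0.0.0.0" style addresses are judged as their IPv4 payload.
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    if addr.is_unspecified or addr.is_loopback or addr.is_link_local:
        return False
    if addr.is_multicast or addr.is_reserved:
        return False
    return addr.is_global      # False for 0.0.0.0/8, RFC 1918, CGNAT, test nets


if __name__ == "__main__":
    for dst in ("0.0.0.0", "::ffff:0.0.0.0", "127.0.0.1", "1.1.1.1"):
        print(dst, naive_is_allowed(dst) if ":" not in dst else None,
              hardened_is_allowed(dst))
```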

Plume currently has close to 10,000 SuperBox devices within its user base. The outbound traffic generated by proxy activity was, in documented cases, sufficient to destabilise residential networks.


This is Part 1

Part 1 of this research covers the technical investigation: how the infection works, how Popanet operates and what traffic flows through subscriber homes without their knowledge or consent. Part 2 will examine how different types of malware are exploiting the presence of already-deployed proxies on these devices. All indicators of compromise are published on Plume Security Lab’s GitHub.

Subscribers buying a SuperBox believe they are paying for content. What they are also buying, without knowing it, is a permanent seat on someone else’s network.

For more information, visit www.plume.com