{"id":25779,"date":"2026-05-20T19:41:55","date_gmt":"2026-05-20T15:41:55","guid":{"rendered":"https:\/\/me-en.kaspersky.com\/blog\/?p=25779"},"modified":"2026-05-20T19:41:55","modified_gmt":"2026-05-20T15:41:55","slug":"android-tv-botnet","status":"publish","type":"post","link":"https:\/\/me-en.kaspersky.com\/blog\/android-tv-botnet\/25779\/","title":{"rendered":"Is your TV box renting out your network?"},"content":{"rendered":"<p>Netflix, Apple TV+, Disney+, Hulu, Amazon Prime, YouTube Premium\u2026 The average law-abiding family today <a href=\"https:\/\/www.kaspersky.com\/blog\/how-to-manage-subscriptions-safely\/55776\/\" target=\"_blank\" rel=\"noopener nofollow\">pays for five to 10 subscriptions<\/a> just to watch their shows of choice, with the monthly bill easily crossing the hundred-dollar mark. It\u2019s no surprise, then, that social media and online marketplaces are seeing a surge in demand for the \u201cmagic boxes\u201d that popped up at the end of 2025: Android-powered TV boxes that promise to unlock thousands of channels and every streaming service subscription-free for a one-time purchase.<\/p>\n<p>Ads for these devices are flooding TikTok and Instagram: smiling influencers unbox the SuperBoxes, plug them into a TV, and browse endlessly through channels. It looks like the ultimate life hack against subscription fatigue, right? 
In reality, it\u2019s one of the easiest ways to invite a botnet into your home network.<\/p>\n<div id=\"attachment_55800\" style=\"width: 2653px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/37\/2026\/05\/20193656\/android-tv-botnet-01.jpg\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-55800\" class=\"wp-image-55800 size-full\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/37\/2026\/05\/20193656\/android-tv-botnet-01.jpg\" alt=\"Screenshot of a TikTok video showing a SuperBox in action\" width=\"2643\" height=\"1968\"><\/a><p id=\"caption-attachment-55800\" class=\"wp-caption-text\">A promotional video on TikTok explaining how great it is when <s>the cheese is free<\/s> you can just go ahead and cancel all your subscriptions<\/p><\/div>\n<h2>What\u2019s wrong with these cheap TV boxes?<\/h2>\n<p>Stories about malicious TV boxes have surfaced before, but right now, their marketing has reached a truly alarming scale.<\/p>\n<p>At the end of 2025, analysts <a href=\"https:\/\/www.foxnews.com\/tech\/why-your-android-tv-box-may-secretly-part-botnet\" target=\"_blank\" rel=\"noopener nofollow\">examined<\/a> several models of the popular SuperBox device available from major retail stores and online marketplaces. The findings were deeply concerning: immediately upon powering up, the devices began pinging the servers of the Chinese messaging app Tencent QQ, as well as the Grass proxy service \u2014 effectively renting out the owner\u2019s internet bandwidth to third parties.<\/p>\n<p>Inside the firmware, researchers discovered applications completely uncharacteristic of a media player: a network scanner, a traffic analyzer, and tools for DNS hijacking. Consequently, the device not only streams pirated content but also scans the local network for other targets (including industrial SCADA interfaces), and stands ready to participate in DDoS attacks. 
The SuperBoxes were also found to contain folders with the telltale name \u201csecondstage\u201d, a textbook indication of multi-stage malware.<\/p>\n<p>More recently, in April 2026, the Darknet Diaries podcast featured an <a href=\"https:\/\/darknetdiaries.com\/episode\/172\/\" target=\"_blank\" rel=\"noopener nofollow\">interview<\/a> with a security researcher known by the alias D3ada55, who shared plenty of intriguing details about these boxes \u2014 including the fact that they were still openly sold on major platforms like Amazon, Walmart, and Best Buy.<\/p>\n<h2>The infection chronicles: BADBOX to Keenadu<\/h2>\n<p>The SuperBox case is far from the only instance where Android devices have been turned into botnet nodes \u2014 or sold infected right out of the box. Here\u2019s a look at the most recent cases:<\/p>\n<ul>\n<li><strong>BADBOX 2.0.<\/strong> In July 2025, Google filed a lawsuit against the operators of a botnet that compromised over 10 million Android devices \u2014 mostly cheap TV boxes, tablets, and projectors lacking Google Play Protect certification. As we <a href=\"https:\/\/www.kaspersky.com\/blog\/growing-2026-android-threats-and-protection\/55191\/\" target=\"_blank\" rel=\"noopener nofollow\">reported earlier<\/a>, BADBOX 2.0 specifically targets TV boxes, operating simultaneously as a proxy network and an ad fraud engine.<\/li>\n<li><strong>Kimwolf<\/strong>. In December 2025, the QiAnXin XLab team <a href=\"https:\/\/blog.xlab.qianxin.com\/kimwolf-botnet-en\/\" target=\"_blank\" rel=\"noopener nofollow\">uncovered<\/a> a DDoS botnet that had hijacked around 1.8 million Android devices. The infected hardware included generic models from off-brand manufacturers sporting high-profile names like TV BOX, SuperBox, XBOX, SmartTV, and others. The infection footprint was massive, with compromised devices shipped worldwide. 
Among the hardest-hit countries were Brazil, India, the U.S., Argentina, South Africa, the Philippines, and Mexico.<\/li>\n<li><strong>Keenadu<\/strong>. Our experts discovered this malware lurking in the firmware of brand-new devices back in November 2025, though it didn\u2019t gain widespread attention until after <a href=\"https:\/\/securelist.com\/keenadu-android-backdoor\/118913\/\" target=\"_blank\" rel=\"noopener\">we published a study about it in February 2026<\/a>. Keenadu masquerades as legitimate system components, embedding itself even into facial-recognition unlock apps, potentially granting attackers access to biometrics, banking data, and personal messages.<\/li>\n<\/ul>\n<p>All of these stories share the same origin: the Triada Trojan, <a href=\"https:\/\/www.kaspersky.com\/blog\/triada-trojan\/11481\/\" target=\"_blank\" rel=\"noopener nofollow\">first documented<\/a> by our researchers back in 2016 and dubbed at the time \u201cone of the most advanced mobile Trojans\u201d. Over the past decade it has <a href=\"https:\/\/www.wired.com\/story\/android-tv-streaming-boxes-china-backdoor\/\" target=\"_blank\" rel=\"noopener nofollow\">evolved<\/a> from a standard piece of malware into a modular backdoor <a href=\"https:\/\/www.kaspersky.com\/blog\/trojan-in-fake-smartphones\/53331\/\" target=\"_blank\" rel=\"noopener nofollow\">baked<\/a> directly into firmware during manufacturing.<\/p>\n<h2>How the infection scheme works<\/h2>\n<p>Manufacturers of cheap TV boxes cut corners on absolutely everything: Google Play Protect certification, firmware audits, and security updates. Many of these devices run on the Android Open Source Project <a href=\"https:\/\/www.malwarebytes.com\/blog\/news\/2025\/03\/android-botnet-badbox-largely-disrupted\" target=\"_blank\" rel=\"noopener nofollow\">without any security guarantees whatsoever<\/a>. 
Somewhere along the supply chain \u2014 whether at the factory, through a middleman, or at a distributor \u2014 a backdoor gets injected into the firmware image. Our experts suspect that the manufacturer itself might not even be aware of the compromise.<\/p>\n<p>The sheer scale of the infection turns millions of identical boxes into the perfect foundation for a botnet: every compromised device represents a unique IP address that can be rented out to anyone. Botnet operators like Kimwolf monetize this not only through distributed DDoS attacks but also by reselling the bandwidth of infected smart TVs and streaming boxes.<\/p>\n<h2>What this means for you<\/h2>\n<p>An infected TV box sits right in your living room, connected to your home Wi-Fi. That means it can see smartphones running banking apps, network-attached storage (NAS) units holding family archives, IP cameras, smart locks, work laptops, and any other devices connected to your Wi-Fi network.<\/p>\n<p>With this kind of beachhead inside your home network, an attacker can intercept unencrypted traffic, spoof DNS requests, scan ports, and hunt for vulnerabilities on neighboring devices. On top of that, they can use your IP address for fraudulent activity. 
As a result, in the best-case scenario, your IP will end up blacklisted, and legitimate services will start blocking you for suspicious activity; in the worst-case scenario, law enforcement could come knocking on your door.<\/p>\n<h2>How to spot a potentially dangerous gadget<\/h2>\n<p>You should be on alert if a device:<\/p>\n<ul>\n<li>Is sold under a no-name brand like T95, X96Q, MX10, TV BOX, SuperBox, or some such<\/li>\n<li>Promises free lifetime access to paid premium services for a one-time fee<\/li>\n<li>Requires you to disable Google Play Protect, or install third-party APK files during the initial setup<\/li>\n<li>Lacks Play Protect certification entirely<\/li>\n<li>Is promoted through aggressive spam campaigns on social media<\/li>\n<\/ul>\n<h2>How to avoid hosting a botnet node<\/h2>\n<ul>\n<li>Buy certified TV boxes that feature <a href=\"https:\/\/www.android.com\/certified\/partners\/\" target=\"_blank\" rel=\"noopener nofollow\">Google Play Protect<\/a>, or purchase devices directly from reputable telecom operators and internet service providers.<\/li>\n<li>Isolate all smart home devices. Set up a separate Wi-Fi network on your home router for TV boxes, cameras, smart speakers, robot vacuums, and similar gear, while keeping smartphones, NAS units, and computers on the main network. This prevents malware from spreading to your critical gadgets.<\/li>\n<li>Regularly update the firmware on all your devices, and don\u2019t forget about your router \u2014 it\u2019s another vulnerable link in the chain.<\/li>\n<li>Remove any applications from your Android TV box that you didn\u2019t install yourself, especially alternative app stores, Wi-Fi \u201cboosters\u201d, and \u201csystem cleaners\u201d.<\/li>\n<li>Monitor your traffic. 
Modern routers and <a href=\"https:\/\/me-en.kaspersky.com\/premium?icid=me-en_bb2022-kdplacehd_acq_ona_smm__onl_b2c_kdaily_lnk_sm-team___kprem___\" target=\"_blank\" rel=\"noopener\">Kaspersky Premium<\/a>\u00a0can display which devices are connecting where. Frequent connections from a media player to servers in China are a major security red flag.<\/li>\n<li>Install <a href=\"https:\/\/me-en.kaspersky.com\/premium?icid=me-en_bb2022-kdplacehd_acq_ona_smm__onl_b2c_kdaily_lnk_sm-team___kprem___\" target=\"_blank\" rel=\"noopener\">Kaspersky Premium<\/a> on all your devices \u2014 it protects against Trojans, and blocks the phishing pages often used to distribute infected APK files.<\/li>\n<li>Don\u2019t disable Google Play Protect, and avoid installing APKs from shady sources \u2014 this is the primary infection vector that bypasses the official app store.<\/li>\n<li>If in doubt, return the TV box. A cheap streaming device isn\u2019t worth risking your biometrics, banking data, or the reputation of your IP address.<\/li>\n<\/ul>\n<blockquote><p>Want to know how else to protect your smart home devices? 
Read more in our related posts:<\/p>\n<ul>\n<li><a href=\"https:\/\/www.kaspersky.com\/blog\/smart-speaker-tv-smartphone-eavesdropping\/50236\/\" target=\"_blank\" rel=\"noopener nofollow\">Are your TV, smartphone, and smart speakers eavesdropping on you?<\/a><\/li>\n<li><a href=\"https:\/\/www.kaspersky.com\/blog\/save-your-home-router-from-apt-residential-proxy\/53840\/\" target=\"_blank\" rel=\"noopener nofollow\">Is your router secretly working for foreign intelligence?<\/a><\/li>\n<li><a href=\"https:\/\/www.kaspersky.com\/blog\/vulnerability-in-smart-home-control-app\/53471\/\" target=\"_blank\" rel=\"noopener nofollow\">Vulnerability in the Rubetek Home smart-home app<\/a><\/li>\n<li><a href=\"https:\/\/www.kaspersky.com\/blog\/smart-home-zigbee-thread-matter-advice\/47343\/\" target=\"_blank\" rel=\"noopener nofollow\">Best smart home standards and how to implement them<\/a><\/li>\n<li><a href=\"https:\/\/www.kaspersky.com\/blog\/how-to-secure-smart-home\/47472\/\" target=\"_blank\" rel=\"noopener nofollow\">How to secure your smart home<\/a><\/li>\n<\/ul>\n<\/blockquote>\n","protected":false},"excerpt":{"rendered":"<p>Are you sure your Android TV box is secure? 
Cutting corners on streaming subscriptions could turn your device into part of a botnet, leave your IP addresses up for rent, and trigger other serious headaches.<\/p>\n","protected":false},"author":2775,"featured_media":25782,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1486],"tags":[105,205,1032,2719,22,628,2804,97,630,486,521,2441,692],"class_list":{"0":"post-25779","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-threats","8":"tag-android","9":"tag-botnets","10":"tag-ddos","11":"tag-fakes","12":"tag-google","13":"tag-internet-of-things","14":"tag-kaspersky-for-android","15":"tag-security-2","16":"tag-smart-home","17":"tag-smart-tv","18":"tag-threats","19":"tag-triada","20":"tag-trojans"},"hreflang":[{"hreflang":"en-ae","url":"https:\/\/me-en.kaspersky.com\/blog\/android-tv-botnet\/25779\/"},{"hreflang":"en-in","url":"https:\/\/www.kaspersky.co.in\/blog\/android-tv-botnet\/30731\/"},{"hreflang":"en-gb","url":"https:\/\/www.kaspersky.co.uk\/blog\/android-tv-botnet\/30578\/"},{"hreflang":"ru","url":"https:\/\/www.kaspersky.ru\/blog\/android-tv-botnet\/41888\/"},{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/android-tv-botnet\/55799\/"},{"hreflang":"ru-kz","url":"https:\/\/blog.kaspersky.kz\/android-tv-botnet\/30672\/"},{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/android-tv-botnet\/36237\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/android-tv-botnet\/36130\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/me-en.kaspersky.com\/blog\/tag\/android\/","name":"Android"},"_links":{"self":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/25779","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/
wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/users\/2775"}],"replies":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/comments?post=25779"}],"version-history":[{"count":2,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/25779\/revisions"}],"predecessor-version":[{"id":25784,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/25779\/revisions\/25784"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/media\/25782"}],"wp:attachment":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/media?parent=25779"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/categories?post=25779"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/tags?post=25779"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}