Investigation reveals media streaming devices sold at major U.S. retailers silently tunnel third-party internet traffic, including potentially stolen credentials and enterprise security bypass operations, through subscribers' home broadband connections
PALO ALTO, Calif., May 28, 2026 /PRNewswire/ -- Plume Design, Inc. ("Plume"), the global subscriber experience platform for more than 450 Internet Service Providers (ISPs) across 58 countries, today released a report that uncovers significant security concerns found in SuperBox Android streaming devices sold at major U.S. retailers, which contain dormant software that when activated converts consumers' home internet connections into nodes in a residential proxy network or SuperProxy. The proxy routes unknown third-party traffic that includes potentially stolen credentials, account takeover materials and enterprise security bypass operations through subscriber households without their knowledge or consent. The report, based on a months-long investigation, is the first in a series from Plume's Security Labs.
"The average connected home is becoming increasingly complex, more like a corporate network, and threats like this one illustrate the need for significantly enhanced levels of intelligence and security," said Chris Griffiths, Chief Technology Officer at Plume. "ISPs are better situated than ever to be on the forefront of detecting and resolving these issues. By leveraging AI and large-scale network orchestration across hundreds of millions of devices, we can help ISPs spot anomalies that individual households or traditional security tools often miss, and act on them before they spread."
Plume manages one of the most comprehensive data sets in the telecommunications industry, monitoring more than 500 million connected devices across 40 million households globally. After an alert from a customer, Plume's Network Operations Center flagged anomalous outbound traffic from an unusually high number of streaming devices across its network. The traffic volume was sufficient to destabilize residential networks, prompting Plume's Security Labs to launch a comprehensive technical investigation into streaming devices, spanning multiple models, across its user base.
"The SuperProxy investigation is a wake-up call," said Eric Svenson, Vice President, Technology Engineering and Operations at Armstrong (a multi-state operator based in Pennsylvania). "Consumer devices are being weaponized inside our subscribers' homes, and as their ISP, we have both the responsibility and the vantage point to do something about it. Plume's research is the kind of partnership our industry needs more of; work that protects Armstrong customers today and sets a higher standard for what every subscriber should expect from their provider."
"These devices ship with remote access and full administrative control, wide open and require no password, no authentication, no user approval," said Griffiths. "Unfortunately, this isn't limited to a single product. The same residential proxy software was used in other types of consumer media streaming devices and also used in other malicious campaigns such as the Vo1d botnet, which demonstrates this is a broader supply-chain problem across the streaming ecosystem."
Five Key Findings
A streaming app secretly turns the device into a proxy network node. One of the apps available through SuperBox's custom application store, Cyberflix TV, contains hidden proxy software called Popanet that silently registers the device with a remote command server and begins relaying foreign internet traffic through the subscriber's home connection. Plume's telemetry recorded tens of thousands of outbound connections per device per day to thousands of distinct destinations.
Sensitive credentials and security bypass attempts are flowing through subscriber homes. Researchers intercepted the actual traffic being routed through the proxy and found sensitive login credentials for gaming platforms, messaging app verification codes that could be used for real-time account takeovers, deliberate attempts to defeat enterprise security systems and large-scale automated web scraping, all passing through consumer broadband connections without the subscriber's knowledge.
Plume mapped more than 250 proxy server addresses. Researchers fully reverse-engineered Popanet's command-and-control protocol — the first publicly known teardown of this system — and mapped more than 250 verified server addresses across multiple hosting providers, revealing a professionally built proxy operation.
A security flaw in the proxy's own code exposes the home network. The proxy attempts to block access to the subscriber's local network, but contains a bypass that was confirmed through live testing. Remote proxy users can exploit this flaw to reach the device's own internal services, potentially extending the compromise beyond the device to the home network itself.
SuperBox's custom app store bypasses all standard Android safety checks. The store installs software silently with full administrative privileges: no security verification, no warnings and no user approval. Its catalog is controlled by the store's operator, not by Google or the device owner.
Plume's Approach
Plume is identifying and isolating these proxies for blocking at multiple levels and sharing intelligence with its ISP customers. Monitoring these proxies is extending Plume's detection capabilities to additional threat types including Distributed Denial of Service (DDoS) tools and botnets.
Multi-phased Research
This is Part 1 of a three-part investigative series into SuperBox and the hidden security risks it presents inside subscriber homes. Part 2 will expose the malware ecosystem exploiting subscriber devices, including botnet agents and competing proxy SDKs, and detail how Plume helps ISPs detect and block these threats. Part 3 will examine the content delivery infrastructure behind SuperBox's "latest movies" promise, presenting technical evidence that raises serious questions about the origin of that content.
The full research paper is available at:
plume.com/resources/superproxy-the-unhealthy-marriage-of-superbox-and-residential-proxies
About Plume
Plume established the first managed WiFi platform for ISPs in 2016, enabling the company to scale across the globe and expand into managing the entire subscriber experience, including approximately 500 million connected devices, in 40 million homes, on behalf of 450 ISPs, across 58 countries. By integrating managed WiFi, cybersecurity and customer care, Plume created the first open, hardware-agnostic SaaS Subscriber Experience Platform for ISPs. Powered by an unmatched global dataset and AI optimization, the Plume Platform builds subscriber confidence through improved Wi-Fi experiences, seamless new service implementation and proactive customer care. Plume's open-source framework OpenSync® is pre-integrated and supported on the leading silicon, CPE and platform SDKs, and supports leading industry standards like RDK-B and prplWave. Discover more about how Plume is empowering ISPs at plume.com.
About Armstrong
For over 80 years, Armstrong has been a leader in telecommunications technology and innovation. Founded in 1946 by Jud L. Sedwick as Armstrong County Line Construction, Armstrong remains a family-owned and operated company deeply committed to the communities it serves.
Armstrong's world-class fiber network spans six states—Pennsylvania, Ohio, Maryland, New York, West Virginia, and Kentucky—delivering advanced infrastructure with a focus on exceptional customer service and satisfaction. The company provides 24/7 local support, transparent pricing, and complimentary technical service to residential and business customers throughout its service area.
For more information on Armstrong's Advanced Fiber Network, please visit ArmstrongOneWire.com/network.
** This press release is distributed by PR Newswire through automated distribution system, for which the client assumes full responsibility. **
Plume Security Labs Exposes Hidden Proxy Network Inside SuperBox Streaming Devices that Route Potentially Harmful Traffic over Home Networks
CHENGDU, China, May 30, 2026 /PRNewswire/ -- Sichuan Kelun-Biotech Biopharmaceutical Co., Ltd. (the "Company", 6990.HK) announced that at the 2026 American Society of Clinical Oncology (ASCO) Annual Meeting held in Chicago, USA, results from the pivotal Phase II study of the Company's next-generation selective RET inhibitor, lunbotinib fumarate (A400/EP0031, 宁泰莱®[1]), in advanced rearranged during transfection (RET) fusion-positive non-small cell lung cancer (NSCLC) were presented as an oral report by Professor Qing Zhou from Guangdong Provincial People's Hospital (Abstract #8505, Lung Cancer—Metastatic Non-Small Cell). Based on these results, a New Drug Application (NDA) for lunbotinib fumarate for the treatment of adult patients with locally advanced or metastatic RET fusion-positive NSCLC has been accepted by the National Medical Products Administration (NMPA) of China.
The study enrolled 71 patients who had previously received platinum-based chemotherapy and immunotherapy (pre-treated patients) and 92 patients who had not received prior systemic therapy (treatment-naïve patients). As of the data cutoff date of October 29, 2025, the median follow-up was 22.6 months and 20.7 months, respectively.
The confirmed objective response rate (ORR) assessed by Independent Review Committee (IRC) was 81.3% (95% CI: 71.8–88.7) in treatment-naïve patients and 87.1% (95% CI: 77.0–93.9) in pre-treated patients.
In treatment-naïve patients, median duration of response (mDOR) and median progression-free survival (mPFS) were not reached. In pre-treated patients, mDOR was 25.7 months, and mPFS was 27.5 months.
Among 40 patients with central nervous system (CNS) metastases at baseline (assessed by IRC per response assessment in neuro-oncology brain metastases (RANO-BM) criteria), the intracranial complete response (CR) rate was 30%, and the disease control rate (DCR) was 92.5% (95% CI: 79.6–98.4).
Lunbotinib fumarate was well tolerated, with treatment-related adverse events (TRAEs) being predominantly Grade 1–2. The rate of permanent discontinuation due to TRAEs was 1.2%, and no treatment-related deaths were reported.
The study shows that lunbotinib fumarate demonstrated robust and durable clinical activity in RET fusion-positive NSCLC, regardless of line of therapy, in a largely poor-prognostic patient population. Favorable CNS efficacy was observed in patients with measurable baseline CNS metastases. The safety profile was manageable, with no unexpected safety signals.
Professor Qing Zhou, principal investigator from Guangdong Provincial People's Hospital, said: "From the first presentation of Phase I data at ASCO 2023 to today's pivotal Phase II results, we have witnessed the progression of lunbotinib fumarate from early exploration to a confirmatory study. These data show that lunbotinib fumarate delivers robust and durable responses in both treatment-naïve and pre-treated patients with RET fusion-positive NSCLC, with particularly remarkable intracranial efficacy in patients with CNS metastases at baseline. As a next-generation selective RET inhibitor, it will offer an important new treatment option for patients."
[1] Trade name to be approved by NMPA.
About lunbotinib fumarate (A400/EP0031, 宁泰莱®)
Lunbotinib fumarate is a novel, next-generation selective RET inhibitor for NSCLC, medullary thyroid cancer (MTC) and other solid tumors with a high prevalence of RET alterations. The NDA of lunbotinib fumarate has been accepted for review by the NMPA of China for the treatment of adult patients with RET-fusion positive locally advanced or metastatic NSCLC. The Company is also conducting a Phase Ib/II clinical study in China for the treatment of RET-positive solid tumors.
In March 2021, the Company granted Ellipses Pharma Limited, a U.K.-based international oncology drug development company, an exclusive license to develop, manufacture and commercialize this agent outside Greater China and certain Asian countries. In April 2024, lunbotinib fumarate was cleared by the Food and Drug Administration (FDA) to progress into a Phase II clinical trial (NCT05443126) which is currently recruiting in the United States, United Kingdom, Europe and United Arab Emirates, where it is being evaluated as a monotherapy and in combination with chemotherapy in RET fusion positive advanced NSCLC.
About Kelun-Biotech
Kelun-Biotech (6990.HK) is a holding subsidiary of Kelun Pharmaceutical, which focuses on the R&D, manufacturing, commercialization and global collaboration of innovative biological drugs and small molecule drugs. Kelun-Biotech focuses on major disease areas such as solid tumors, autoimmune, and metabolic diseases, and on establishing a globalized drug development and industrialization platform to address the unmet medical needs in China and the rest of the world. Kelun-Biotech is committed to becoming a leading global enterprise in the field of innovative drugs. At present, Kelun-Biotech has more than 30 ongoing key innovative drug projects, of which 4 projects with 8 indications have been approved for marketing, 1 project is in the NDA stage and more than 10 projects are in the clinical stage. Kelun-Biotech has established one of the world's leading proprietary ADC and novel DC platforms, OptiDC™, and has 2 ADC projects with 5 indications approved for marketing, and multiple ADC and novel DC assets in clinical or preclinical research stage. For more information, please visit https://en.kelun-biotech.com/.
Kelun-Biotech Presents Pivotal Phase II Data for Lunbotinib Fumarate (A400/EP0031) in RET Fusion-Positive NSCLC at 2026 ASCO