Skip to content
Naked Security Naked Security

Piracy streaming apps are stuffed with malware

Researchers have found that hackers are exploiting vulnerable piracy streaming devices to steal credit card data or rope them into botnets.

Does the offer to “Never pay for cable again” sound tantalizing?

It shouldn’t. It should sound abhorrent, not only because of piracy being illegal and unfair to content creators, but also because researchers have found that pirated streaming devices are stuffed with malware and/or open the door for it to come streaming in.

According to a report published on Thursday, researchers have found that many of the devices are rigged with malware, be it on preinstalled apps or apps added later.

In order to assess the streaming piracy ecosystem, researchers from cybersecurity firm Dark Wolfe Consulting and the Digital Citizens Alliance (DCA) – a consumer-focused group devoted to making the internet safer –  picked up six streaming devices that use the Kodi platform.

Kodi’s a free, open-source media player… one that comes in handy to tweak and add to piracy streaming devices. Of the Kodi devices the researchers checked out, they found that 70% were repurposed or loaded with apps that access unlicensed content.

These devices are bought by people who’d rather not pay for content and who might not be aware of the extreme risks we go through when we plug them into our home or work networks. That’s a lot of people: the researchers noted that as of December, there were about 12 million active users of the app repository “TV Addons,” which runs on Kodi.

The devices are dirt cheap in comparison to a legit Apple TV or Roku streaming device and the subscription prices for shows from the likes of Netflix, Hulu or HBO. The Kodi devices – sometimes called “Kodi boxes” or “jailbroken Fire TV Sticks” – look and act like the bona fide streaming devices. You can pick them up on both underground markets on the Dark Web, or up on the sunny side of the street in places like Facebook Marketplace, Craigslist, or eBay, for a one-time fee of $75 to $100.

That will get you access to what the researchers say is a burgeoning range of pirated content, including the latest movies – even while they’re still in theaters – or live events such as pay-per-view boxing matches or elite soccer games. The report includes a screenshot of one piracy app, Exodus Redux, that was offering movies such as Aquaman a full week before it was released in December.

Into the Spider-Verse, or into a world of e-hurt?

The researchers said that what most users don’t realize is that plugging in one of these devices into their home network is like pulling a Trojan horse in through the front door: the devices enable hackers to bypass the security of the home network’s router firewall, for example. Any apps already on the box or later downloaded can unleash malware, all under the guise of “free” content.

The devices are easy for hackers to exploit for a few reasons: first, they’re hooked into the home network and bypass the router’s security. Second, normal security protections are typically not installed or are disabled to accommodate piracy-streaming apps. On Androids, for example, disabling security features opens a specific port to the internet that botnets routinely scan for. That leaves the devices open for hackers to target and to then infect.

As well, users often have to grant full admin access in order to use the apps, including permission to access the device’s entire memory, along with its location and other security protections. In other words, users hand over the keys to the kingdom.

Home very much not Alone

Over the course of 500 hours of lab testing, the researchers experienced these and other security risks, they said:

  • As soon as a researcher downloaded the ad-supported illicit movie and live sports streaming app Mobdro, malware within the app forwarded the researcher’s Wi-Fi network name and password to a server that appeared to be in Indonesia.
  • Malware probed the researchers’ network, searching for vulnerabilities that would enable it to access files and other devices. The malware uploaded, without permission, 1.5 terabytes of data from the researcher’s device.
  • Mobdro sought access to media content and other legitimate apps on the researcher’s network.
  • In one scheme, crooks posed as well-known streaming sites, such as Netflix, to illegally use an actual, paying Netflix customer’s legitimate subscription.

The cybersecurity firm GroupSense assisted by infiltrating Dark Web chatrooms where they found hackers sussing out how to exploit vulnerabilities inherent in the pirate apps, as well as how to use malware to snare the devices into a botnet to use in cyber attacks or for cryptomining. Other chats were about how to get at information stored on the devices, such as photographs, passwords, and credit cards.

The possibilities for mischief and mayhem are manifold, states the report:

Given that users rarely install anti-virus tools on such devices, the opportunities for exploitation are numerous.

Arrrrr, ouch!

The takeaway: Digital pirates might think that ripped-off media is free, but it’s no bargain at all when you consider these serious risks.

The researchers want to see these steps taken to reduce those security risks:

  • Law enforcement should prioritize the investigation and prosecution of these criminal networks.
  • Consumer protection agencies, both at the federal and state level, should warn consumers about the risks that illicit devices and piracy apps pose to their security and to their home devices.
  • Government agencies and corporations should warn employees of the potential risks of using these devices over their networks, so they don’t become a pathway to gain access to networks or steal sensitive information.
  • Digital marketplaces such as eBay, Craigslist, and Facebook Marketplace should ban the sale of piracy devices.


Clearly the author has a paid agenda….


Could you please elaborate? I’m puzzled – and equally so for the ‘likes/thumbs ups’ of your comment.
IMO this article clearly highlights valid security concerns. Readers that rely on security advice from others would surely appreciate the heads up that is given here, which is nothing less than; security is only a strong as its weakest link – which could translate to “your firewall and other security systems could be useless if you adopt a device that simply bypasses them”


Gosh, it’s almost like piracy is a service problem. If media companies don’t want people pirating stuff, they should provide it affordably and with easy availability.


There’s plenty of free and easily found content out there. If you hate the media companies that badly because they want to you pay to access the superpopular stuff that everyone else wants, why not support indie content makers instead?

I’ve never understood why people moan about how absurdly rich [insertartistnamehere] is while the little artists struggle…

…and then react by going off and stealing the absurdly rich artist’s stuff rather than supporting the little guys who are giving their stuff away for free anyway, but can’t get noticed because everyone is fixated on artists they denigrate signed to companies they claim to hate.

Piracy hurts the little guys, and that’s a simple fact.

Why pay $5 to someone who could do with the money (or even just pay $0 but give them the support they need) when you can pay $0 to someone who’s rich already and justify it to yourself because “they don’t need the money so no one else needs the money either”? Why be inventive or intellectually curious and try something new and free-but-legal when you can just follow the crowd and steal the same thing everyone else has already got?


Your point is good and well made, but doesn’t affect the fact that it is entirely possibly to compete successfully against a free “service” such as Kodi with a paid service.
It’s not easy, but Netflix were (and still are, to an extent) providing a strong, centralised platform people could use with improved feature set and wide access.
Cutting content from Netflix / other “neutral” providers to bring it in-house drives piracy, but more so when your paid service offers nothing piracy fails to offer.
Berating pirates for their choices also achieves little, although I understand the temptation. Engaging with those same people to educate achieves more.

Related, the requirement to join mainstream organisations and those same organisations using their money to bully competition, along with slow public recognition of that, drives consumers at the same time away from being willing to pay for content created by that mainstream, and back to wanting to consume it. Hollywood is particularly a strong example of this in many ways, with a toxic culture slowly being revealed while sitting there trying to claim the moral high ground against it’s own potential customers instead of engaging with them.
A Kodi box linking to sanely priced alternatives with good TOS will crush a pirate-only model at the same price point, even with “customers” who have zero intention of ever paying for anything. Add features and it’ll do that AND drive adoption of the paid services.

Don’t just berate and point to risks, showcase a way forwards that helps the end user.


I wasn’t mentioning risks. I was simply saying that people who steal stuff they don’t need rather than embracing alternatives that are genuinely free… heck, folks, live a little instead of pilfering stereotypes.


Digital Citizens Alliance is *SHOCK* partially funded by the MPAA. This is a marketing piece.


But, they just want complete control over the internet and our everyday lives and our thoughts. You know, to protect us from our morally reprehensible actions. What’s wrong with that?


So, I also am confused. Exactly what are we talking about here? The Kodi programme itself (available even on the Microsoft Store) or the ubiquitous “Android TV box”? Or is it both?
It is something I use on my media server for music or movies ***I own*** and to get acces to freely available “indie” content not readily available.
Should I be worried about unnecessarily opened ports which may allow malicious entry to my network?


It’s specifically the streaming piracy apps, which come preloaded on most Kodi boxes or which often get added later. These researchers specifically looked at cheap boxes made mostly in China. The Kodi media player isn’t itself to blame: it’s the modified versions of it that get tweaked to do illegal streaming of copyrighted material, then get loaded onto these Kodi boxes.

Name brand boxes aren’t the issue, though as I recall, the researchers noted that they could pick up compromised knock-offs of some of them, too.


Kodi itself is fine (and I believe open source so you can check yourself), the issue is applications you can install on Kodi which allow piracy can contain malware and some of these boxes come with these piracy apps pre-installed (which may contain malware). If you are using Kodi out of the box as a media player for your own indie or otherwise legitimately acquired software you should be safe, its only installing addons from alternate sources which can get you in trouble (much like allowing unknown sources in android or downloading random apps of the web on windows)


As a security expert I can say the article and the research used as the source is made up make believe stuff that only uneducated people would believe.


@Spryte: The Kodi APP is perfectly safe. Install it on the device of your choice and you have a highly customizable piece of media center software. I particularly like my old Acer ONE netbook running LibreElec.

The problem comes when you start installing third-party plugins for Kodi, some of which (as the article states) are Malware in disguise. Others are not. You have to be careful that you fully understand the risks of everything you install. And that’s the case for all software, whatever its genre. If you buy one of these Chinese boxes off of eBay, it is likely to have some of this unpleasant stuff pre-installed, and your job of cleaning up the mess will be much harder than if you start with bare metal and add only those plugins you have researched and are sure of.

That should be the take away from this article, not yet another rehash of the two pirate or not to Pirate argument, which nobody is going to convince anybody else about anyway at this point.


Propaganda. Obviously. We watch tv shows for free.. WAH! Get over it and find a new hobby.


No; you don’t watch for free–unless your time is utterly valueless.
Television doesn’t exist to bring entertainment to the consumer.
Television exists to bring consumers to the advertiser.


Kodi isn’t the culprit, the bad actors are what you add (or pay to have added) to it. The same security holes exist no matter what platform you use. Just because someone thoughtlessly or greedily adds “free” content to a machine, would you blame Windows, Android or Linux? Would you blame intel, Arm, AMD or other chip-makers?


1.5tb seems a lot of honey. You want to tell me that these “researchers” scanned a device for malware and connected their machines to the same network? I thought that’s a thing only the Secret Service is allowed to do..


Nothing is free. If you think otherwise, you are a complete moron. Pay a legit media company, or pirate with something like Kodi and get hosed by hackers. Either way, you pay.


I love the piracy argument, you people do realize piracy doesn’t hurt people, you know why? People who pirate were likely not going to buy in the first place.


yet the “Security story” here is about Malicious apps/addins to legit programs used by crooks that are not only “selling” something that doesn’t belong to them, but also stealing from the person that unwittingly installs the malware on their own system, foolishly thinking they got a good deal.
Why you feel the need to justify what every you feel accused of, just doesn’t fit into the story.


Once I was a musician, people loved the music I made for them, but I had to sell my instrument as I couldn’t sell the music others recorded while I played and made it free. So I became a painter, people loved the art, they took photos and made prints and I couldn’t sell them, so I couldn’t buy canvases and had to stop. The farmer next to me grows lots of food and I saw people taking some, so I took some. The farmer went broke and the fields turned weeds. Now I live on welfare and you pay my bills, why did I ever try in the first place, I should have just taken your money.


Who’s still using kodi? This isn’t exactly new that these devices host malware. Besides if your gonna pirate why use kodi at all? It’s not early 2010’s there’s plenty of alternatives that are much safer then this junk.


“It should sound abhorrent, not only because of piracy being illegal and unfair to content creators…”

This is funny on so many levels. Firstly, because clearly someone from the MPAA ghost wrote this line. Secondly, because the massive corporations which are actually mad about this couldn’t care less about “content creators”. They simply believe that they should have a monopoly on all content and all methods of delivery. Hence stupid propaganda piece like this, and others across the internet. Hence lawsuits against grandmothers who dared to access the internet to stream a song, and endless attacks on net neutrality. They want to control everything we see on the internet, and they want to monetize every second of it.

But hey, good on you serious thinkers in the comment section for patting them on the back for this behavior, aiding and abetting the destruction of the internet and our basic freedom to share and access information. Corporations are, after all, the best people.

P.S. This ironically obtuse website keeps logging my comments away into some unseeable void. Wonder if this one will make it.


Proof, or it didn’t happen. Lets see some PCAPs, malicious processes, or any pieces of forensic data from these researchers. The screen cap of VirusTotal just isn’t doing it for me.


Luckily for the guys running malware, your belief in their system isn’t required.
> proof, or it didn’t happen
Maybe your bank will tell you the same after it’s all over.


Leave a Reply

Your email address will not be published. Required fields are marked *

Subscribe to get the latest updates in your inbox.
Which categories are you interested in?
You’re now subscribed!