Popular pirate streaming app Mobdro has been slammed in a new study carried out by a network security company on behalf of an anti-piracy group. Among other things, it's claimed that the software quietly obtains users' WiFi passwords and seeks to access media and other legitimate apps on users' networks.

In recent years, millions of users around the world have turned to Android-based applications for their piracy fix.

They’re mostly free and easy to install, quickly providing access to the latest movies, TV shows, live sports, and PPV events.

Entertainment industry groups have long insisted that users of these applications are putting themselves at risk of malware and similar issues, but it’s fairly uncommon for them to go into much detail.

That changed today with the publication of a study carried out by the Digital Citizens Alliance in conjunction with network security company Dark Wolfe Consulting. Some of the key findings concern the popular live streaming application known as Mobdro.

The researchers say that after installing the Android application, it forced an update and then forwarded their Wi-Fi name and password to a server that identified as being located in Asia. Mobdro then started to seek access to media content and other legitimate apps on the researchers’ network.

“Researchers observed that the app that sent the user’s wireless name and password up to an external server in Indonesia then began probing the network and talking to any file-sharing services on the Local Area Network. It also ‘port knocked,’ a process to look for other active malware,” they write.

“[A]fter the initial update, the device accepted commands from a threat actor. Those commands may come from the app itself or from the movie streams. With each selection of content, the user opens the door to a new set of commands and malicious payloads from a threat actor to a device in use.”

It’s not explained how the video streams themselves could contain malware. Mobdro is believed to scrape the web for content, much like Kodi add-ons do, and security experts haven’t seen malware in video streams.

However, the researchers state that the “commands in the apps or from the movie streams” were “either encrypted or encoded, making it difficult to analyze for infection.” It’s a vague statement that the study builds on, noting that encrypted commands could perform an update, retrieve malware, take part in a DDoS attack, or obtain files stored on the device or network – such as images, movies or documents.

There’s little doubt that the behavior highlighted above is not something the average person would expect from a video streaming app. However, it should be noted that the Mobdro software actually asks the user to grant permission to their photos, media, files and device location.

Most will blindly grant those permissions instead of declining, of course, and it sounds like the researchers followed that lead.

Furthermore, in view of the researchers’ findings, it’s also worth highlighting the chaotic situation that surrounds Mobdro and many similar apps that facilitate access to illicit streams of movies and TV shows. Crucially, these aren’t allowed on official platforms like Google Play.

So, where it was once pretty obvious where the ‘official’ app could be obtained, there are now a large number of ‘fake’ sites also offering ‘hacked’ variants of the software, any one of which could have experienced tampering. The researchers do not reveal the source of their installation files.

Another point of interest is raised when the researchers note that the software they installed also makes it possible for a “threat actor” to log in to a user’s device and then navigate away from the device to the Internet, effectively posing as the user online.

While this initially seems like a shocking claim, anyone who reads the official app’s EULA before installing the software will see for themselves that Mobdro is pretty upfront about this unpopular ‘feature’. Users of the software that choose not to see adverts find themselves agreeing to become peers on the (in)famous Luminati network, meaning that their bandwidth and IP address can indeed be used by others.

It’s far from ideal (who wants their connections used by others apart from Hola users?) but the site that hosts the software makes this clear, to those who bother to read the small print at least. Which is probably very few people indeed, sadly.

TorrentFreak requested comment from the operators of the official Mobdro client but at the time of publication, we were yet to hear back.

The full report, ‘Fishing in the Piracy Stream: How the Dark Web of Entertainment is Exposing Consumers to Harm’ also contains information previously covered in earlier TorrentFreak articles. It can be found here (pdf)