Mobdro: Malware Allegations Are False and Misleading
Late April the Digital Citizens Alliance, which regularly campaigns against online piracy, published results of a study into ‘pirate’ online streaming apps.
Carried out by network security company Dark Wolfe Consulting, the report placed focus on popular Android-based streaming app Mobdro.
The report claimed that Mobdro carries out a number of malicious acts, including the stealing of wifi names and passwords. It also allegedly accessed other media content and legitimate apps on the researchers’ network. According to the study, Mobdro acted in other suspicious ways too, ones not authorized by the user.
Over the past several days, TorrentFreak put every single allegation to the developers behind the official Mobdro software who were happy to answer our questions. In short, they either completely dispute or give explanations for every claim made against them.
TF: Does Mobdro attempt to steal users’ wifi names and passwords?
Mobdro: It’s impossible that our app reads wifi passwords because first of all, it is impossible for an Android app to read wifi passwords or any sensitive system data without the device being rooted. So the user would have to root his device first, so that statement is completely ridiculous.
Basically, no Android application can read files outside of its working directory. In the case of wifi passwords, they are stored in the /data directory of the Android device. This folder is not readable unless you have a rooted [device], because it’s a protected system directory.
TF: To be clear, does Mobdro attempt to get a wifi password from a rooted device?
Mobdro: No, the app does no attempt to get wifi passwords on any device. Rooted or non-rooted, the app does not try to get any wifi password. It can be shown via a simple test. Get a rooted device and if Mobdro tries to read protected data, then the rooted device would prompt you to allow or disallow Mobdro root access. As simple as that.
But the burden of proving something does not rely on us, it relies on [the researchers]. They should prove that the app does what they accuse us of doing.
TF: The researchers’ next big claim is that Mobdro tried to access media content and other legitimate apps on the researchers’ network. Is that true?
Mobdro: The only permission required in the app is to access external storage [TF note: An earlier permission to access location is no longer required]. [The external storage] permission is used to save updates in the external storage of the device because Android only allows installations of APKs when they are located in external storage (for off-store apps like Mobdro).
Also, this permission is used to download/cast streams when the user chooses to do that. Unfortunately, Google gives the read external storage permission a name that leads to confusion, like the app could access your files and modify them etc. But the folder [Mobdro] accesses is a folder located under /sdcard/Mobdro where it downloads APK updates, streams or files necessary for casting.
TF: The researchers say that Mobdro “port knocks” which they explain as a “process to look for other active malware.” They also said Mobdro accepted commands but admitted that since they were “either encrypted or encoded” it made it “difficult to analyze for infection.” What are they talking about?
Mobdro: To protect against unofficial versions [TF note: Mobdro is often cloned and modified by third-parties] we have some anti-tampering measures. One of them was to detect the presence on the user device of the Frida toolkit.
This is a kit used by ‘crackers’ to remove the SSL certificate we use to [securely] communicate with the servers that host the API. When they break this protection they then release their unofficial versions.
In past versions (prior to 2.1.34) we tried to detect the presence of the Frida toolkit in the user device and one of the methods to try to detect Frida was to try to connect to the port that Frida uses in the device. If a connection was succesful we enabled anti-tampering measures.
In newer versions, we no longer have these anti-tampering measures because we found a way to make it very difficult to break the SSL protection within the app.
TF: The study claims suggests that Mobdro can receive potentially malicious commands “through movie streams”. What’s the official response to that claim?
Mobdro: We don’t know what they are talking about here. Some commands from a movie stream….encrypted…Does not make sense to us to be honest.
When Mobdro gets a video stream, it fires a video player that uses the FFmpeg API and that’s it. The result is the stream being displayed on the phone, tablet or Android TV.
TF: The study says that it’s also possible for a “threat actor” to log in to a user’s device via Mobdro and then navigate away from the device to the Internet, effectively posing as the user online.
In our initial report, we noted that this is probably referencing Mobdro’s use of the Luminati network, as used by the proxy app Hola, something highlighted in Mobdro’s EULA. Anything to add?
Mobdro: We have included a mode called NO ADS mode, in which the user accepts to be a peer in the Luminati Network. The default mode is and will be ADS mode.
If the user does not want to see ads, the user has the possibility to not see them in exchange for their network resources under certain circumstances that are explained before accepting to be a peer. The user has to click and accept the Luminati EULA that is prompted when the user clicks on ‘remove ads’ before enabling the NO ADS mode.
Mobdro final comment: We are busy enough trying to keep the app afloat without doing these crazy things that they accuse us of. But again, they should show the proofs that the app is doing these crazy things.
What they describe maybe could be done if we were founded by a government [agency] like the CIA or the Mossad and we were looking to infect and destroy nuclear centrifuges. [END]
Whether the researchers will provide more information to back up their claims remains to be seen. If the source material that led them to publish the claims against Mobdro (and indeed other applications) was made publicly available, it would certainly help to clear up the confusion and ambiguity.
It would also allow anti-virus and anti-malware companies to do their own analysis and publish their findings too. Currently, we are not aware that Mobdro triggers malware warnings with leading vendors, which either means it doesn’t contain malware, or these products are missing something serious.
At this point, it’s down to simple faith as to who one believes.