April 12, 2019

Image Source: digitalcitizensalliance.org
  • Researchers claim that Mobdro penetrates Wi-Fi networks and steals data from them.
  • The information is uploaded to a server in Indonesia, although the actors use a VPN to hide their actual location.
  • The malware inside Mobdro can be updated and upgraded, and can do a series of harmful things to the infected device and/or network.

Mobdro is an Android streaming app that many use as an alternative to the Kodi app, but it comes with much less credibility. In spite of that fact, and thanks to its pirate-friendly nature and widespread support for devices like the Amazon Fire TV Stick, Google Chromecast, and many Android OS versions, Mobdro has grown in popularity and enjoys a significant userbase today. However, a report from “Digital Citizens” adds fuel to the fire of distrust, as researchers found Mobdro to be among the shady applications that steal Wi-Fi network credentials and push malware.

To put it simply, streaming apps like Mobdro that get access to our home Wi-Fi network bypass protective firewalls, and from there they can do whatever they want. As these apps don’t have a trusted vendor behind them, they are often the products of criminal networks, or at least of their affiliates. According to the researcher, a piece of malware incorporated within the Mobdro app immediately forwarded his Wi-Fi network name and password to a server in Indonesia, and then continued to upload various types of data collected from the device, reaching a mind-boggling 1.5 terabytes. Upon further investigation, the researcher realized that Mobdro had gained access to other devices connected to the same Wi-Fi network and had drawn data from them as well.

In addition to this, the Mobdro app showed capabilities for dynamic updating and even malware upgrading, as the encrypted stream of data coming to it contained various commands. These commands could order the app to point to a different update source, to pull audio and video from other apps (a legitimate Netflix app, for example), to make the infected device take part in a DDoS attack, and to carry out various actions related to the application’s network invasion functionality. One of the interesting side-findings was a certain level of mandatory ad-pushing from Mobdro, which Digital Citizens believes generates revenue to support the malicious infrastructure.

Cybersecurity firm GroupSense, which joined the study to help Digital Citizens draw safe conclusions, believes that this is not necessarily the work or intention of the Mobdro developers, as hackers could have exploited vulnerabilities in the pirating app, infecting its download webpage and replacing the legitimate download with a malicious one. This is just an assumption at this point, and for the end user it doesn’t even matter. Mobdro was confirmed to be dangerous to the user’s network, and people should refrain from using it.