Filter blogs by:

A case study in how we investigate pirate video apps

How do you investigate a new pirate video app that is eating into your streaming revenues? As VO’s Vincent Hamon, Head of Piracy Assessment, details it is an involved process requiring care and attention to detail.

pirate video appsOne of the questions we are most often asked is how do you deal with a pirate video app that you have never heard about? In a recent presentation at the Video Security Summit, I detailed how we do it at VO’s award-winning Anti-Piracy Center, using the infamous Android app Mobdro as an illustration.

From the time it first became an app of concern at the end of 2018 to the time it was taken down in a joint action involving the EPL and La Liga in February 2021, Mobdro was downloaded up to 100 million times, causing enormous damage as a result. This serves as the base for our detailed app analysis, and acts as a great illustration of the difficultly of combating pirate video apps.

For the full story, you can watch the presentation A Journey into Pirate Apps on-demand. But here it is worth briefly sketching out some of the issues we came across with Mobdro.

Anatomy of a pirate app

Even though it was taken down in February this year and no longer works, over six months later Mobdro is still being downloaded continuously — 22,000 times in the seven days before our presentation took place alone.

So, how do you even begin to combat a menace like that? At VO, we use a three-step strategy: Assess - Monitor - Remediate.

Expertise is critical at all these stages. One of the main challenges in examining pirate apps is that they very much don’t want to be examined. You have to be cautious, you have to be careful; you have to use new devices right out of the box and rotate credentials; you have to follow procedures; you have to assume that the app is malicious.

Mobdro certainly was. First, we established beyond all doubt that it was an illegal app, before then further establishing its credentials as targeting a worldwide user base. We then leaned in to sketch out its overall architecture (which surprised us in making extensive use of P2P communications) before defining an action plan. This is a crucial part of the process. Mobdro made extensive use of DNS and IP in its system architecture, which meant that DNS and IP blocking, as well as takedown requests could be used in the remediation phase.

Monitoring a pirate app

IPs and DNS entries are exchanged within the application. To be efficient you need to monitor the information exchanged within the application and, to be efficient, you need to be able to extract this information in real time. That effectively means you want to replace the application with something you can easily request programmatically, ie an API.

This is possibly the most delicate part of the process, certainly in this case with Mobdro, as what we were seeking to do was replace the app in the network infrastructure on our devices with an API so that we could eavesdrop in on its communications and see exactly the way it functioned.

It is worth remembering that while we have a highly experienced, specialist team, we are also engaging with a highly experienced, specialist team of illegal developers; their code is often cutting-edge and there is no single methodology to combatting it. However, we have some serious talent on our side, and we were able to design bypasses that meant we could eventually replace the app with an API we could use to extract information in real time.

This basically gave us a look under the hood. We could see how it was connecting, what it was connecting to, and see the number of people connecting to a stream in real-time. Using a standard tool like the Wireshark network protocol analyser, we would have seen that the app connects to a single server; by replacing it with our own API we could see that it actually connected to six. This is the sort of information that has definite implications for the success of IP blocking remediations. 

Key takeaways

Mobdro was, at the time, considered to be the world’s largest private streaming app. Others have replaced it since. Our Anti-Piracy Center is constantly busy assessing and investigating new threats, finding out the ways they can be removed, and taking action to prevent their operation.

There are three key takeaways to the Mobdro story that are worth bearing in mind. First, every case is different. Pirate apps are sophisticated code that are built deliberately to be hard to examine and combat, thus they all work in slightly — sometimes very — different ways. 

Second, you need a multi-disciplinary team to work with them. You need reverse engineers to get inside the app, you need forensic investigators to examine their operation, and more. The skillsets required, and the knowledge and expertise necessary to make the most of them, are increasing all the time. 

This is due to the third factor; piracy is constantly evolving. Mobdro illustrates that well by resurrecting an older technology, peer-to-peer networking, with the aim of lowering the required bandwidth, and thus costs, for the pirate service. The next app will try something different; the one after it will try something different again. The result is that constant vigilance and constant investigation and research is needed at all times to keep up with the piracy effort.

Find out more about VO’s Anti-pirate video appsPiracy Centre.

Vincent Hamon

Vincent has a pronounced taste for bits and bytes. After a long history of protecting CAS & DRM solutions, he decided to switch sides and challenge the security of products instead, targeting IoT, cars, in-house, and customer products. Vincent is now Head of Piracy and Security Assessment at Viaccess-Orca where he is in charge of investigating piracy incidents and assessing the effectiveness of company products in dealing with them.