
Popular Android TV boxes are being sold with malware payloads

Industry insights: The threat of malware continues to affect the industry with research showing that popular Android TV boxes ship pre-infected with malware payloads, while new European rules may affect streaming quotas, and Facebook owner Meta faces a record GDPR fine.

TV box malware

Popular Android TV boxes are laced with malware

[TechCrunch]

We’ve written several times about the problems of malware and the way that it infects many of the Illicit Streaming Devices (ISDs) and websites associated with ongoing video piracy. Indeed, it’s been estimated that up to 90% of websites associated with illicit streaming can be classified as risky to the end-user from a cybersecurity point of view, while researchers in the UK have now found that over half of all IPTV apps on Android contained malware.

These stats make powerful arguments when it comes to educating users about the dangers of video piracy, but what is astonishing is the extent to which malware is making inroads into legitimate products.

Two extremely popular Android TV boxes available widely on Amazon and other retailers have been found to be pre-loaded with malware capable of launching coordinated cyber attacks.


“Last year, [researcher] Daniel Milisic bought an AllWinner T95 set-top box and discovered the chip’s firmware was infected with malware,” writes TechCrunch. “Milisic found that the Android-powered set-top box was communicating with command-and-control servers and awaiting instructions on what to do next. His ongoing investigation, which he published on GitHub, found that his T95 model was out-of-the-box connecting to a larger botnet of thousands of other malware-infected Android TV boxes in homes and offices across the globe.”

The default payload is a clickbot: code that generates ad money by secretly tapping on ads in the background. But the malware has been designed so that its authors can push out any payload they want.

Milisic asked the internet company hosting the servers that passed out instructions to the wider botnet to pull them offline and, as a result, the servers hosting the initial payload disappeared a short time after. However, the botnet could come back at any time with new infrastructure, and he also points out that there is no easy way for anyone with average computer skills to remove the malware.

“I think the only way to mitigate this problem is to hold retailers to a higher standard,” Milisic said. “Why is it okay to let small, unknown vendors sell computers acting maliciously without owners’ knowledge and permission?”

 

Brexit means that streamers could miss European content quota

[Ampere Analysis]

In 2018, the European Commission introduced a quota on global streaming services operating in its member countries, insisting that at least 30% of their catalogues had to consist of content produced in Europe.

It took close to five years to actually hit that target, but now Netflix exceeds that 30% benchmark across Europe, Amazon manages it in six countries, while Disney fails to do so everywhere (at around 10% across the continent). The consequences to date have been few; regulation is up to member countries, and such penalties as there are have involved paying into a fund for localised production. However, that could all become much more serious if the European Commission decides to reclassify content produced in the UK as non-European.

The problem is, of course, Brexit. A heavy proportion of that 30% local content quota is made up of productions from the large UK content industry. But, following Brexit and the UK’s painful departure from the European Union, the European Commission is reportedly looking at the UK’s ongoing status as a European content producer.

If UK content is reclassified, the numbers change significantly. Netflix’s share of European content would fall from 28% in Germany, down to 21% in Ireland; Amazon would only have Germany and Italy remaining above the threshold; Disney+ would be down to an average 4% across Europe; and HBO Max, which meets the current quota in the Czech Republic and Slovakia, would fall short everywhere.

The upshot is that streamers would have to take action. They could invest in original content, buy more localised content, or drop non-European content from their catalogues to balance the books. The last of these would be the cheapest option but could very much alienate the end user base; Ampere estimates that Netflix would need to reduce its total catalogue in Ireland by almost a third to meet a UK-excluded quota, for example.

What the European Commission does next will therefore be watched closely on both sides of the Atlantic.

 

Facebook owner Meta fined €1.2bn for mishandling user information

[The Guardian]

Critics of the European Commission’s GDPR who say that it has been largely toothless so far were given cause to reassess their opinions after Ireland’s Data Protection Commission (DPC), which regulates Facebook-owner Meta’s business across the EU, slapped it with a €1.2bn fine for breaching the regulations, and ordered it to suspend the transfer of user data from the EU to the US within five months.

While perhaps a drop in the ocean compared to the huge profits Meta still manages to make despite a slump in digital advertising and its ongoing and expensive bet on the Metaverse, it remains a significant amount of money.

Meta has also been given six months to stop “the unlawful processing, including storage, in the US” of personal EU data already transferred across the Atlantic, meaning that user data will need to be removed from Facebook servers.

The way it all came to light is complex but, according to the Guardian, originates in a legal challenge brought by an Austrian privacy campaigner, Max Schrems. This was over concerns resulting from the Edward Snowden revelations that European users’ data is not sufficiently protected from US intelligence agencies when it is transferred across the Atlantic.

Currently, Meta’s systems are structured so that all data collected on its social media platforms has to be sent to the US ‘as is’ with no additional safeguards in place. A new framework that satisfies companies and governments on both sides of the Atlantic has been agreed in principle, but the mechanics of its implementation have yet to be ironed out.

Meta says it is being singled out unfairly and that many other companies do the same thing. It also engaged in a bit of aggressive positioning earlier this year, saying that unless these issues were ironed out it would “likely be unable to offer a number of our most significant products and services, including Facebook and Instagram, in Europe.”

It is, of course, highly unlikely to leave such a significant and lucrative market, but the whole affair serves as a warning to companies of any size, including ones, of course, in our industry, that handling international data transfers needs to be done very carefully.

Andy Stout

Andy Stout is a broadcast and technology journalist, who, over longer than he cares to think about, has written for most of the major publications in the industry. He is fascinated by technology and its evolving impact on society, and enjoys bringing an eclectic viewpoint to the Viaccess-Orca blog. He was awarded a First Class BSc from the Open University and lives with his family in Northern Ireland.