After file-sharers were demonized for much of the 2000s, more focus was placed on pirate sites and the people behind them. In parallel, pirates were asked to consider the effect of their habits on creators, not the very big ones, but those struggling through life trying to make ends meet, just like them.
There was nothing fundamentally wrong with that message but since Hollywood and most of the music industry thrive on images of extraordinary wealth and power, the message often found itself muffled under red carpets, dazzling awards shows, and other big displays of huge money that is also not being shared with the little guys. It was time for another change in tactics.
Think About The Guy in the Mirror
The theme of the last five years has three key components: criminality, malware, and the welfare of pirates. Now portrayed as victims themselves rather than the reason pirate sites exist, pirates are warned about high-level organized crime, using digital content as misdirection, while malware steals their privacy and empties their bank accounts. Piracy also received an upgrade in the corridors of power; it’s a cybercrime issue now.
The narrative is indeed dramatic, but is it credible?
In many cases, this imagery is overblown and completely unhelpful. In other cases the claims are entirely credible; there’s little doubt about that. The caring-is-sharing philosophy has been on life support for years and by default, even the smallest pirate site operators are criminals under the law. In many cases the way they generate revenue is no more harmful to users than the rest of the awful advertising found online, but malware and other mechanisms are also part of the equation.
Based on the theory that scary reports have limited impact and that knowledge always beats fear, perhaps it’s the right time for people to make up their own minds after taking a little look under the hood. That’s not just an opportunity to see how things tick, but also part of a balancing exercise; legality and supporting creators on one side and illegality and potentially deal-breaking risks on the other.
Since Android apps are likely to be installed without even a moment’s thought, especially by younger people, that might be a good place to start. None of the following tools require any apps to be installed.
Free Tools For Basic Checks
While it’s not the most comprehensive tool on the market, CloudSEK’s BeVigil mobile app search engine can be installed on Android devices themselves via Google Play. The BeVigil app will raise the alarm if another app requests excessive permissions, while aiming to improve malware and vulnerability detection in rogue apps.
For the purposes of illustration we selected a single variant of the movie and TV show streaming app ‘Pikashow’ at random and discovered three risky device permissions and three more flagged as dangerous.
For absolute beginners the color scheme alone provides guidance; green being broadly acceptable and red the complete opposite. Three reds means three red flags, no matter how many greens.
For the curious, clicking each reported color-coded permission will provide an explanation about what the app could do, if the user grants it permission to do so. For example, the red ‘system alert window’ permission above allows the app to place another window on top of all windows containing any message whatsoever.
Most of the time “Click here to remove malware” means “Click here to install malware” while “Click here to watch movies” means “Click here to install malware.” An alert window may also offer a shiny new update with sincere assurances that everything is always safe to use and despite warnings “click install anyway.” Countless people blindly do just that.
To be clear, not everything that raises an alarm turns out to be malicious but double-checking on another platform never hurts. We asked Immuniweb its opinion on the same app and it received an even worse report.
The overall score calculated for an app to be rated relatively ‘safe’ on BeVigil seemed too high. One BeeTV variant downloaded over a million times received a security rating of 7.4 despite requesting ‘system alert window’ permission and access to information in the user’s phone, including network provider, outgoing call status, and the details of all phone accounts registered to the phone.
The question that needs to be asked here is simple: Why does an app need all of that information just to play a video? The answer is simple too: It doesn’t.
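The same question can be asked of any APK before it is installed. The sketch below is an added example, not part of the original article or of any tool it mentions: it reads the text printed by the Android SDK's `aapt dump permissions` command and flags anything a video player has no obvious use for. The "expected" baseline, the package name and the sample dump are assumptions constructed for illustration.

```python
import re

# Assumed baseline: what a plain video player plausibly needs (example's choice).
EXPECTED_FOR_VIDEO = {
    "android.permission.INTERNET",
    "android.permission.ACCESS_NETWORK_STATE",
    "android.permission.WAKE_LOCK",
    "android.permission.FOREGROUND_SERVICE",
}
# The two capabilities the article singles out, by their Android permission names.
HIGH_RISK = {
    "android.permission.SYSTEM_ALERT_WINDOW":
        "draw a window on top of all other windows",
    "android.permission.READ_PHONE_STATE":
        "read network provider, call status and registered phone accounts",
}
# aapt prints "uses-permission: name='X'" (newer) or "uses-permission: X" (older).
PERM_RE = re.compile(r"^uses-permission(?:-sdk-\d+)?:\s*(?:name=)?'?([\w.]+)'?")

# Constructed sample output for a hypothetical streaming app.
SAMPLE_DUMP = """\
package: com.example.streamer
uses-permission: name='android.permission.INTERNET'
uses-permission: name='android.permission.ACCESS_NETWORK_STATE'
uses-permission: name='android.permission.SYSTEM_ALERT_WINDOW'
uses-permission: name='android.permission.READ_PHONE_STATE'
uses-permission: name='android.permission.READ_CONTACTS'
uses-permission: android.permission.WAKE_LOCK
"""

def parse_permissions(dump):
    """Return the requested permissions in order, without duplicates."""
    perms = []
    for line in dump.splitlines():
        m = PERM_RE.match(line.strip())
        if m and m.group(1) not in perms:
            perms.append(m.group(1))
    return perms

def audit(dump):
    """One red flag is enough for 'review', however many entries are expected."""
    perms = parse_permissions(dump)
    red = {p: HIGH_RISK[p] for p in perms if p in HIGH_RISK}
    unexplained = [p for p in perms
                   if p not in HIGH_RISK and p not in EXPECTED_FOR_VIDEO]
    verdict = "review" if red or unexplained else "ok"
    return {"red": red, "unexplained": unexplained, "verdict": verdict}

if __name__ == "__main__":
    print(audit(SAMPLE_DUMP))
```

A "review" verdict is a prompt to check the app on the other platforms described here, not proof of malware.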
VirusTotal and JoeSandbox
On a base level both VirusTotal and JoeSandbox make it easy for users to upload an APK and have it analyzed. In many cases other users will have uploaded the same file already, meaning that reports are available immediately.
These tools are much more advanced and while still easy to use, interpretation of the presented data becomes increasingly complex as connections are developed. VirusTotal has a gallery of other users’ investigations into all kinds of malware, which on one hand can be truly fascinating yet on the other, absolutely terrifying.
That being said, both have a free tier so are perfect for becoming more familiar with both apps and websites from a perspective most users never experience. Both platforms also allow viewing of detailed reports carried out in the past and one in particular catches the eye.
Advance warning that this report is huge and may well lock up your browser for a while as it loads. The report is a major concern and more time is needed to digest it properly, but it doesn’t look great at first blush.
More generally, the sky isn’t falling just yet but with so many opportunities to get educated via freely available tools, taking unnecessary risks needs to become a thing of the past. The important thing is to raise awareness; informed choices that resonate with the individual always beat blindly following the crowd.
Note: Risk can be managed and reduced but it cannot be eliminated. No single tool is authoritative. Testing on five tools is always better than testing on one. All security vendors reporting an app as clean does not necessarily mean that an app is safe. No app should be trusted by default just because it has a familiar name. Finally, security issues aside, it should be obvious that copyright infringement is against the law.
Other free tools worth checking out: