After enjoying years of relative freedom to do whatever they liked with their Amazon Fire TV Sticks, last month users were informed that apps linked to piracy would be blocked, banned, or even deleted moving forward. With alerts now appearing on users’ devices relating to one app in particular, it transpires that bypassing Amazon’s restrictions is really easy, at least for now. The bigger question being asked right now is this: what happens when you do?
Generally speaking, pirates tend to dislike restrictions, because more often than not, restrictions mean either less piracy or less convenient piracy.
News from Amazon last month indicated that apps linked to piracy would start to face new restrictions when sideloaded to Fire TV devices, although exactly how that would manifest itself was still unknown.
The ‘announcement’ was ‘quietly’ delivered via the media and spread quickly. That produced predictable headlines, mostly warning of an Amazon Crackdown / Piracy Ban plus additional drama conjured up from nowhere.
First Apps Flagged By Amazon
While there are reports that more than one app has been flagged by Amazon since then, one stands out for being reported most often, backed up by independent screenshots showing Amazon’s message.
BeeTV is an Android-based app providing access to pirated movies and TV shows. In one form or another, BeeTV apps have been around for years. That’s not because of longevity and continuity as a single app, but because anyone with an app looking for installs can put a BeeTV logo on it and get instantly recognized.
As the image shows, when Fire TV users tried to sideload a BeeTV app, Amazon spotted it too.
While the message is clear, Amazon’s alleged crackdown is accompanied by a convenient one-click circumvention option. This is not exactly as some have advertised, and it may, or may not, be the start of a tapered approach..
For some, that’s still enough to arouse scattered suspicions that ‘Launch Anyway’ could lead to being flagged by the authorities or reported to anti-piracy groups. Theoretical consequences such as these do give some people pause for thought, but overall deterrent value seems limited, as the disguised Reddit thread below suggests.
So does nothing happen, or does nothing appear to happen?
Something Happens: Free Movies & TV Shows plus Bonus Extras
The most popular BeeTV variants appear to be at versions 4.4.4 to 4.4.7, with various MOD versions promising no advertising. We carried out a series of tests on all three versions and can report that many things can happen, but conveniently the user sees nothing.
Our assessment here is based on what an app like this needs to function. For pragmatic reasons, allowances are made for monetization via ads etc. with additional ‘functionality’ viewed case-by-case. Declared permissions that go beyond those needed for a regular app to provide the same services are generally unacceptable by default.
Without granting permission to access the internet, not much will happen, and in the event functionality exists to download a video, denying access to external storage would be an issue too. Let’s assume all permissions are granted, and since many users will also sideload the app onto their cellphones, we will cover some of the main issues across all devices at the same time.
Permissions Permissions Permissions
Here’s just some of what the app can do, beyond what it needs to be able to do. We’ll consider the implications later.
• Location: Even with allowances made for access to localized content, identifying the user’s approximate location is not the same as always being able to identify a user’s location accurate to a few feet.
• External Storage Read/Write: The app has broad access to external storage, including read/write permissions. What people store on their devices tends to vary depending on the individual.
• Bookmarks/Browsing History: Tests indicate the app not only has permission to read bookmarks and browsing history, it can write to them as well.
Other Security Issues of Concern
• SMS/Call Logs: When providing access to a movie or TV show, there’s no reason why the app should obtain the name of the device’s network operator. Being able to query a user’s SMS messages and obtain their content definitely isn’t needed, nor is it acceptable to query a device’s contact list, or access its call logs.
There are also some serious issues on the technical side outside the scope of this article, but one apparent double standard is worth highlighting.
On one hand, the app uses SSL certificate pinning to prevent MITM attacks (eavesdropping) on communications it aims to keep private. On the other, it proactively enables cleartext traffic, which enables eavesdropping (and modification) of transmitted data it presumably wishes to see (and potentially tamper with), without being detected by the user.
What Could Possibly Go Wrong?
Apart from intercepting unencrypted network traffic, potentially including credentials, API keys, and other sensitive information, a potential attacker could track the user’s location in real-time. This could enable anything from stalking to targeted phishing attacks based on known daily routines, augmented by information from contact lists, call logs, and the content of SMS data.
If more data was needed to carry out identity theft, a simulated identity theft warning sent to the user by SMS, claiming to be from the user’s own bank (confirmed by entries in their contact list and SMS), could lead to some people clicking a link to a bogus banking page. They might even be persuaded to hand over the rest of their info.
Of course, savvy users don’t click links in unsolicited messages, it’s too risky. Instead, they visit their own bank with a communication that they themselves initiate; just quickly dig out the bookmark and……
Almost Nothing Happens?
In summary, then, aside from launching at boot and the ability to install additional software, the app can harvest personal information, obtain information on contacts, and the content of their messages on the device. It can intercept communications, manipulate device behavior, and track movements and activities in real-time, while recording locations (home, workplace, gym) and times.
On the plus side, version 4.4.4 does not appear to have the ability to use a device’s camera to photograph anything it likes, at any time, without the user’s knowledge or permission. It’s an oversight that seems to have been ‘corrected’ in 4.4.7.
There are the movies and TV shows to consider, of course, accessed from well over 200 pirate site domains embedded in the app. There’s also the superficially ‘clean’ detection reports on VirusTotal to put any remaining doubts to rest.
A fitness app carrying out 24/7 monitoring wouldn’t be flagged for being malicious, and there’s not much difference in this case either. The app asked for permission, and without considering intent, permission was granted. There’s not much that can be done about that.
Source: 
TorrentFreak.com
Be the first to comment