Technologies providing copyright-infringing IPTV content are commonly used as an illegal alternative to legal IPTV subscriptions and services, as they usually have lower monetary costs and can be more convenient for users who follow content from different sources. These infringing IPTV technologies may include websites, software, software add-ons, and physical set-top boxes. Due to the free or low cost of illegal IPTV technologies, illicit IPTV content providers will often resort to intrusive advertising, scams, and the distribution of malware to increase their revenue.
1. Introduction
As many illicit content providers supply copyright-infringing IPTV content for free, they often rely on intrusive advertising, tracking, scams, and malware to make a profit. Illicit content providers also get paid by malware authors to infect their own illicit IPTV websites or software, frequently with malware families that can generate indirect income with ease, such as cryptocurrency-mining malware [1][2]. One study found that dozens of illicit IPTV websites contained “download now” adverts, redirecting users to landing pages with instructions for downloading malicious browser extensions [3]. Another study found that for the Australian population, 99% of advertisements on illicit content-sharing websites were categorised as high risk, with 46% of these advertisements classified as malicious [4]. Overall, this implies that using copyright-infringing IPTV technologies poses a significant risk to users’ devices, as illicit content providers cannot be trusted and may use malware to increase their revenue.
Internet Protocol Television (IPTV) is a service that provides TV programmes and on-demand video content over the TCP/IP internet protocols [5]. Most legal IPTV services supply video content as part of a TV licence, one-time purchase, or paid subscription, whereas free alternatives usually incorporate advertisements. While IPTV services each have many different genres of video content, users often need to subscribe to multiple services to view the specific films and TV programmes they want to watch. Because of the effort, limited convenience, and monetary costs of these legal IPTV services, many users instead choose to use copyright-infringing IPTV technologies to view video content illegally. A report by Sandvine estimates that “roughly 6% of all households in North America currently have a Kodi device configured to access unlicensed files and streams” [6]. This implies that many IPTV users are willing to risk compromising their home network by installing potentially infected software to access unlicensed video content, in addition to possible legal action for copyright infringement.
One of the reasons why infringing IPTV users are willing to risk legal action or exposure to malware and scams is that illegal IPTV services are usually either free or have low monetary costs in comparison to legal IPTV services [7]. Additionally, applications and various software for accessing infringing content can be installed from unofficial software and application stores on physical set-top boxes, which appeals to users due to its ease of use, facilitating a “wide range of illicit content being available in one place, without the need for multiple subscriptions” [8]. Because of the lower perceived costs, these users are willing to accept the risks of trusting and potentially disclosing credit card or personal information to illicit content providers who cannot be trusted and who could be frauds.
The addition of the malware threat to this criminal environment adds another dimension to criminal activities, creating a poly-criminal environment. This was observed in the technical report on the online investigation of IP crime [9], which found that in many cases, the financial gain in one criminal activity supports the other, thus creating a vicious, many-sided criminal ecosystem. Illuminating the malware ecosystem behind illegal IPTV is also important because it will challenge the judicial process behind the illegal IPTV ecosystem by stressing that the severity of the crime increases once malware is added to the mix.
2. Illegal IPTV Technologies
Illegal IPTV technologies consist of physical set-top boxes, websites, or software in the form of standalone applications or illicit add-ons to legal software [7]. Supplying these technologies for use without paying for the content they transmit is a crime. One study identified trojan, adware, spyware, and backdoor malware from content theft websites [10], implying that illicit IPTV providers may include malware in their websites and software or advertise malware disguised as a desirable application to increase their profits. Thus, as illicit IPTV providers are already committing a crime, it appears that, in addition, many of these providers elect to distribute malware as part of the delivery to supplement their income. The following sections will define the illegal IPTV technologies used and their risks in addition to outlining relevant malware collection and analysis techniques for these technologies.
Illicit Streaming Devices (ISDs) are physical boxes or USB sticks that connect to a TV to provide free television and film content that you would usually pay to view [8]. Many physical IPTV boxes, such as Kodi boxes, are legal, but third-party software can be installed to illegally stream IPTV content for free. Conversely, other physical IPTV boxes, often described as “fully loaded” or “jailbroken”, already include software for facilitating illegal IPTV streaming. Because ISD providers are already willing to commit copyright infringement, they are more likely to commit further breaches of law, as it could increase their profits. Therefore, ISD providers cannot be trusted, as they could supply users with ISDs infected with malware.
Overall, ISD providers are unlikely to infect the products they sell with high-impact malware when they are already making a profit from selling ISDs. However, potential users would likely purchase an ISD from a website, which itself could be a scam designed to try and get individuals to disclose their credit card details. Moreover, fake websites that advertise illegal IPTV boxes could also distribute fileless malware when visited by users. Therefore, there are other risks to purchasing and using ISDs, as the providers cannot be trusted and could be attempting to scam people.
Websites for streaming IPTV content illegally are available over the surface web, with examples including PutLocker and FlixTor. IPTV content is usually freely available on these websites, which is attractive to users who are not willing to pay for a streaming service or risk purchasing an ISD. However, as the illicit content provided is often free, IPTV websites are untrustworthy, as they are more likely to rely on trackers, scams, and malware to gain a profitable income.
Illegal IPTV websites have different strategies for providing infringing IPTV content. Many sites host and potentially live-stream IPTV content on their website, although these websites are more likely to be detected by anti-piracy organisations. To reduce the risk of legal action, some websites collect and contain lists of hyperlinks to websites for accessing IPTV content illegally, known as “link aggregators” [9]. Link aggregators can also be found on legitimate websites, such as GitHub repositories and forum posts.
Once more, using illegal IPTV websites or aggregators is risky, as they cannot be trusted. In comparison to ISDs, IPTV websites are potentially riskier because they receive no income for providing free IPTV content, whereas ISDs are purchased. Hence, IPTV websites rely on intrusive advertising and malware to gain a profit, with adverts often redirecting users to malicious or scam websites when clicked on [7]. This is known as malvertising (malicious advertising), which distributes malware by injecting online advertisements with malicious code [11]. Cybersecurity company RiskIQ found that 1 in 3 content theft websites expose visitors to malware, with hackers paying the providers USD 70 million to add malware to their websites [1]. This implies there is a significant chance of users becoming infected with high-severity malware, especially if hackers are willing to pay a total of USD 70 million.
Malware can be distributed to users of illegal IPTV websites when users download video files for watching IPTV content, such as MP4 files. When an infected file is opened, the malware will execute on the user’s device, which could be anything from ransomware to a remote access trojan (RAT). Although users may not realise the risks of downloading files from an untrustworthy source, technically proficient users will be aware of the risks and are likely to mitigate the risk of infecting their devices by using an antivirus that scans files or a virtual machine (VM).
However, this is not the only risk of using IPTV websites. Another risk is fileless malware. Fileless malware does not require a user to download a malicious file; rather, it exploits vulnerable applications on a victim’s device to enable the injection of malicious code into its main memory [12]. Fileless malware is a high risk to users, as it is unlikely to be detected by antivirus signatures and could potentially infect a user as soon as they visit a website [13].
One study analysed malicious code embedded in PDF files, which presents a prevalent way of infecting main memory and using malicious JavaScript code [14]. There are several recent data-dependent malicious URL identification and classification studies in the literature based on machine learning, deep learning, or an ensemble of classification algorithms [15][16][17][18][19][20].
Furthermore, many threat intelligence platforms, such as VirusTotal and AlienVault Open Threat Exchange (OTX), do not recognise these sites as malicious. To illustrate, researchers scanned 1555 illicit IPTV websites and aggregators, obtained from an IPTV GitHub repository, in VirusTotal. Of these websites, only 34 were identified as malicious or had an association with malware for both VirusTotal and AlienVault OTX, even though many of these websites contained intrusive advertisements attempting to scam users into downloading potentially unwanted programs (PUPs) that may have been malicious.
Infringing IPTV (Pro v7.0.6) software includes standalone desktop and mobile phone applications in addition to add-ons or plugins for legitimate IPTV software, such as Kodi. Using standalone applications to access IPTV content illegally often requires paid subscriptions. A study found that a business, SET TV, offered infringing IPTV content to over 180,000 users with a USD 20 monthly or USD 200 annual subscription via a standalone software application [7]. Again, it is less likely that providers will infect IPTV applications with malware if they are already making a profit. By comparison, IPTV website providers have more incentive to include malware, as the content they provide is usually free. However, downloading and executing an application infected with malware could have a greater impact if users do not have antivirus software installed.
While studies suggest that standalone infringing IPTV applications have a considerable number of users, another study found that 26 million Kodi users (68% of the total user base) were pirating illegal IPTV content using Kodi (20.2) software add-ons [21]. Although these add-ons are often downloaded from likely benign GitHub repositories, the Digital Citizens Alliance found that third-party Kodi add-ons were used to distribute cryptocurrency-mining malware [2]. Similarly, Warrior et al. found that 1.4% of Kodi add-ons resolved to domain IP addresses found on malicious blacklists (131 out of 9146 add-ons studied) [22]. This implies that add-ons facilitating the streaming of illicit IPTV content are more widely used than standalone applications and may be more likely to be infected with malware.
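The blocklist comparison described above for Kodi add-ons can be run as a static triage step before an add-on is ever installed. The following is an added example, not code from the cited studies: the add-on files, blocklists and resolution table are constructed, and `extract_hosts`, `is_ip` and `triage_addon` are hypothetical names.

```python
import ipaddress
import re
from urllib.parse import urlsplit

URL_RE = re.compile(r"""https?://[^\s"'<>)\\]+""", re.IGNORECASE)
# Constructed sample add-on; hosts use reserved documentation names and addresses.
SAMPLE_ADDON = {
    "addon.xml": '<addon id="plugin.video.example"><source>https://repo.example.org/addons.xml</source></addon>',
    "default.py": 'BASE = "http://cdn.streams.example.net/list.m3u"\nUPD = "http://203.0.113.7/u.zip"\nAPI = "https://api.example.com/v1"\n',
}
BAD_DOMAINS = {"example.net"}                      # constructed blocklists
BAD_IPS = {"203.0.113.7", "198.51.100.9"}
RESOLVED = {"repo.example.org": ["192.0.2.10"], "api.example.com": ["198.51.100.9"]}

def extract_hosts(text):
    """Hostnames and IP literals of every http(s) URL embedded in text."""
    hosts = set()
    for url in URL_RE.findall(text):
        try:
            host = urlsplit(url).hostname
        except ValueError:  # malformed authority, skip it
            continue
        if host:
            hosts.add(host.lower().rstrip("."))
    return hosts

def is_ip(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False

def triage_addon(files, bad_domains, bad_ips, resolve):
    """files: {path: text}; resolve: injected host -> list of IP strings."""
    findings = []
    for path, text in files.items():
        for host in sorted(extract_hosts(text)):
            labels = host.split(".")
            # A listed parent domain also covers its subdomains.
            parents = {".".join(labels[i:]) for i in range(len(labels) - 1)}
            hit = [] if is_ip(host) else sorted(parents & bad_domains)
            if hit:  # known-bad name: report without resolving it
                findings.append((path, host, "domain:" + hit[0]))
                continue
            ips = [host] if is_ip(host) else resolve(host)
            bad = sorted(set(ips) & bad_ips)
            if bad:
                findings.append((path, host, "ip:" + bad[0]))
    return sorted(findings)
```

Calling `triage_addon(SAMPLE_ADDON, BAD_DOMAINS, BAD_IPS, lambda h: RESOLVED.get(h, []))` runs the check offline against the constructed table; a live resolver can be injected in its place inside an isolated analysis environment.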