The data for our weekly download chart is estimated by TorrentFreak, and is for informational and educational reference only. All the movies in the list are Web-DL/Webrip/HDRip/BDrip/DVDrip unless stated otherwise.
Faced with a tsunami of pirated movies and TV shows being accessed at will through millions of piracy-enabled set-top boxes, entertainment industry groups have had to come up with a new anti-piracy strategy.
The main goal seems to demonize these devices in the press, creating the impression that anyone using them puts themselves in danger, either due to fire risk or exposure to the perils of viruses and malware.
These claims are perfect tabloid material. Newspapers, particularly in the UK, gobble up press releases and quickly spin them out, whether they have any substance to them or not. While there’s little evidence that the scare stories are working as a deterrent among the pirating masses, they are a continuous source of irritation for those who know better.
This week a new Kodi-related video appeared on YouTube. Filmed at the RSA conference and presented by CyberScoop editor Greg Otto, it consists of a short interview with Kurtis Minder, CEO of security company GroupSense. “How malware is growing on the Kodi/XMBC platform” was the topic.
After a brief introduction on so-called ‘Kodi boxes’, Otto put it to Minder that his company had been looking into the “malware that has been floating through these boxes” and asked him to elaborate.
Minder said his company started its research around two months ago, working with the Digital Citizens Alliance (DCA). Of course, DCA has been one of the main sources of Kodi-related malware stories, ostensibly for the protection of consumers.
However, DCA is affiliated with the entertainment industries and there is little doubt they’re being used to promote an anti-piracy agenda. There is nothing inherently wrong with companies trying to protect their content, of course, but doing so in a way that has the potential to mislead the public is bound to raise questions.
Back to the video, Minder told interviewer Otto that his company had been looking at “what the attack footprint would be for malware on the media that would show up on any given Kodi box that would be in someone’s home.”
It’s a curious statement to talk about the streaming media itself providing an attack vector but Minder doubled down, stating that they’d discovered several places on the dark web “where people are selling malware-enabled media.”
Otto didn’t ask Minder to elaborate on these claims and Minder didn’t respond to TF’s request for comment, so we still have no idea what he’s referring to. However, Otto did pour fuel on the confusion by asking Minder about malware which requires capabilities that no ‘Kodi box’ has.
“What happens with [that malware]? Is it a RAT [Remote Access Trojan] that takes over a TV that hooks up to a camera and is almost like spyware? Is it ransomware? What are we seeing?” he asked the security expert.
“Some of that is [to be determined], we don’t know exactly what all of it does,” Minder responded. “But we do know there is a fair amount that enable DDoS capability from the boxes.”
We have no idea what constitutes a “fair amount” of malware but it sounds like multiple instances. Here on TF back in 2017, we broke the news that a single Kodi addon was programmed to repeatedly visit the websites of rivals.
In that single case, the architect of that addon quickly apologized for his actions, the whole thing was concluded inside a week, and we haven’t heard of any similar incident since. But Minder said there are additional risks too.
“There is malware that will actually take over some of the components. We don’t know to what extent, if it’s actually listening to the people in the room or not, that stuff hasn’t really been netted out,” he told Otto.
Indeed, such a thing has never been reported anywhere, not least since “Kodi boxes” don’t have microphones. But after more prompting from Otto, Minder then went on to talk about Kodi installed on platforms other than Android devices. His revelations about supposed ‘Kodi malware’ in this respect are also controversial.
“The delivery mechanism [for the malware] appears to be two primary ways. It’s the Kodi platform itself, which means whatever you load that on. For instance, if you did load that on an [Amazon] Firestick it could still be effective as an attack vector. The other one is the streaming media itself. Embedded in the media itself there are some malware variants,” he said.
As far as we know, malware embedded in streaming media that can be consumed via Kodi or indeed any regular media player is unheard of these days. Nathan Betzen, President of the XBMC Foundation, the group behind Kodi, told TorrentFreak that at least as far as he is aware, such a thing doesn’t exist.
“I’ve never heard of malware in a video stream. I guess anything is possible, but to my knowledge, there have been no reports to that effect,” Betzen said.
Bogdan Botezatu, Senior E-threat Analyst at BitDefender, also told TorrentFreak that he’d seen nothing like that in the wild.
“Malformed video could leverage vulnerabilities in the player itself, but I’m not aware of such attacks happening in the wild,” Botezatu told us.
“Actually, the last time I saw malicious videos distributed via torrent websites was years ago, back in the days when Trojan.Wimad was making the headlines.”
Trojan.Wimad was a trojan discovered in 2005 that was able to download remote files from websites by exploiting the Digital Rights Management (DRM) technology available in Windows. The trojan got onto users’ computers as a licensed-protected video file. Kodi users are certainly not interested in those and in any case, Android-based Kodi boxes are unaffected.
So, apart from the addon incident that lasted for a week in 2017, we’ve never heard of a live Kodi-related malware attack anywhere in the wild. Betzen told us that he’d heard of an instance where a coin miner had spread via third-party code but that’s an issue for thousands of mainstream websites too.
All that being said, we aren’t known as security experts, so we asked security firm AVAST if they could provide information on all Kodi-related malware incidents they have on record.
“Unfortunately, we have not observed any Kodi-related malware risks in the wild,” AVAST Communications Manager Stefanie Smith told TorrentFreak.
Bogdan Botezatu at BitDefender also had no specific instances to report.
“There has been a lot of attention towards Kodi in the past year and most of the ‘security risks’ go around the fact that some addons allow users to stream media directly from websites, so this is mostly a legal issue rather than a cyber-security one,” Botezatu said.
The BitDefender expert did, however, point us to a security advisory from CheckPoint which detailed a software vulnerability affecting Kodi, VLC, and other players using subtitles, which TF reported last year.
“Kodi 17.1 was known to have been vulnerable to a subtitle parsing bug that allowed an attacker to remotely control the Kodi box. This is one of the most serious threats I know of because third parties could rig subtitles uploaded to various repositories and this would go unnoticed for a while,” he said.
While this vulnerability could have been used for nefarious purposes, there is no evidence of it ever being exploited in the wild. And, in common with all responsible platforms, Kodi and all others involved fixed the issue before any damage could be done.
Moving through our list of vendors, TorrentFreak also asked Symantec if they had ever encountered any actual Kodi-related malware. The company told us they had nothing to report at this time but did highlight the same subtitle vulnerability pointed out by BitDefender.
To be clear, vulnerabilities can affect any software, including Windows, but that doesn’t make them inherently dangerous to the consumer as long as they’re disclosed and then fixed in a responsible and timely manner.
However, listening to the entertainment industries and those aligned with them, Kodi use presents an active and serious malware danger to the public, but one with almost zero evidence to support it.
Minder himself didn’t respond to our request for elaboration but we did manage to obtain a copy of a presentation his company prepared for the Conference of Western Attorneys General detailing supposed Kodi threats. The document, dated May 2018, makes for interesting reading.
Perhaps referencing the claims that Kodi malware is available on the dark web, the presentation slides show an advert discovered on the hidden ‘Dream Market’ marketplace. The advert offers subscriptions to an illicit IPTV service but it’s actually one that’s easily accessible on the regular open web. Perhaps most importantly, there is no mention of malware anywhere on the slide.
Dark web IPTV but no malware
The next slide proved interesting since it covers a topic first published here on TorrentFreak at the start of 2018. We revealed how some Kodi setups can be accessed by outside parties if users aren’t careful about the settings for Kodi’s web interface. While this is a known issue, this has nothing to do with malware.
Finally, the last slide had this to say about Kodi and third-party Kodi addons.
“Unbeknownst to the consumer these third‐party add‐ons further introduces [users] to risks such as copyright violations, malware infection, disclosure of IP address and Internet behavior, and the loss of the confidentiality of their communications,” the slide reads (PDF).
While it can’t be argued that copyright violations can take place, the ever-present malware claim isn’t backed up by any publicly-available information indicating that such an event has happened more than once or twice. To put that into perspective, the AV-TEST Institute says it registers over 250,000 new malicious programs every day.
Furthermore, IP addresses are always disclosed no matter what content users access online, so that point is moot too, along with the supposed issues with confidentiality of communications. However, GroupSense has more to add.
“Additionally, the communication between their Kodi application and the third‐party add‐ons are unencrypted and unauthenticated meaning that an attacker can introduce malicious code into the communication stream or compromise the third‐party add‐on before the recipient (consumer) receives the data; thereby, infecting their device to incorporate into a botnet or steal privileged information such as user credentials,” the slide reads.
We presented these claims to TVAddons, the world’s largest repository of third-party addons and the developer of many, past and present. They weren’t impressed with the claims.
“That argument is quite the stretch. Technically the same would apply to any website you visit that doesn’t use forced-HTTPS. Almost every unofficial add-on repository is hosted through GitHub, which forces encryption,” the site said.
“Kodi ‘boxes’ are used on home networks, not public Wi-Fi. By the time someone could perform a [Man-in-the-Middle] attack on your Kodi box, it would mean that they would have already had to compromise your router. If someone were to go through all that, they could likely do a lot more damage without even considering exploiting Kodi.
“Furthermore, most users use Kodi on their media boxes, where little to no privileged information would be present,” the site added.
Let’s be clear, every single piece of hardware and software, whether on or offline, can be exploited in some way by nefarious players or simply the curious. However, the persistent claim that Kodi users are somehow under constant malware attack isn’t borne out by any publicly available information.
Indeed, one of the world’s most popular anti-piracy vendors in AVAST says they have no record of ANY Kodi-related malware. And Marius Buterchi, PR Manager at the highly-respected BitDefender, couldn’t point us to any specific instances either.
“I just talked with the Lab guys and they told me that they actually haven’t seen any Kodi-related malware in the wild,” he told us Friday.
With that, it now seems the perfect time to either put up or shut up in respect of “Kodi malware.”
If there is malware out there affecting users of Kodi, security and entertainment industry companies making these claims should back them up with solid evidence because, as it stands, the horror stories seem designed to frighten the masses, rather than protect them.
The benefits of full disclosure, detailing the EXACT NAMES of the malware, WHEN they were discovered and by WHO, and what EXACTLY THEY DO, would be two-fold.
Firstly, the aim of scaring people away from Kodi would have more impact, since the evidence of malware would be hard to ignore. That would be a big plus for the movie and TV industries who are quite rightly concerned about protecting their business.
Secondly, and just as importantly, Kodi users could take steps to protect themselves, which should be the number one priority of any group, organization, or company that claims to be acting in the best interests of consumers and the public in general.
With that in mind, we understand that the Digital Citizens Alliance will publish a new Kodi malware report in the coming weeks. Perhaps it will contain actual evidence of the malware being spoken of continuously in the media.
We would certainly welcome the publication of a specific and detailed list of all malware variants in the wild which specifically target Kodi users. At that point, we can alert the major anti-virus and malware vendors who currently appear to be strangely in the dark.
Last summer saw the birth of a new anti-piracy initiative, which has already made quite a few headlines.
A coalition of the major Hollywood studios, Amazon, Netflix and several other media properties teamed up, launching the Alliance for Creativity and Entertainment (ACE).
Their ultimate goal is to beat piracy, with pirate streaming boxes as the main target.
In the months that followed, several third-party Kodi-addon developers received threatening letters in the mail and on top of that ACE filed lawsuits against three vendors of alleged pirate streaming boxes.
Their show of force hasn’t gone unnoticed. It triggered some developers and sellers to lay low or move out of the game entirely. At the same time, fully-loaded pirate boxes are now harder to find at ACE member Amazon, which has removed tens of thousands of listings.
These boxes, which ship with a built-in media player as well as pirate addons, were not always hard to find though.
In fact, Dragon Box, which is now being sued by Amazon and the others, was previously sold on Amazon. This is perhaps what prompted the company to argue as a defense that it had “Amazon’s implied authorization to promote and sell the device.”
Clearly, these Dragon Boxes have now been stripped from Amazon’s inventory, but it’s still not hard to find several alleged piracy inducing items there today.
For starters, there are still hundreds if not thousands of cheap media players for sale. While these may be perfectly legal, reviews of Amazon members show, sometimes with screenshots, how these can be easily set up to run pirate addons.
Arguably, without 24/7 moderation this is hard to avoid. After all, people may also buy a PC on Amazon and recommend people to bookmark The Pirate Bay. Perhaps we’re nitpicking.
What may be more problematic for Amazon is the widespread availability of “Kodi tutorials.” While Kodi is perfectly legal, some of these books go into detail on how to add “pirate” addons. The same tools Amazon is suing Tickbox, Set TV, and Dragon Box over.
“Do you want to install Area 51 IPTV or Set TV on your Kodi and Amazon Fire TV Stick or Fire TV?” one guide mentions, referencing Set TV specifically. “Do you want to install Supremacy, Dogs Bollock, Covenant, Genesis Reborn and Neptune Rising?” it adds.
One of the many Kodi guides
Another book offers help on “How To Install Kodi And The Latest Downloads On Any Firestick” mentioning the addon Exodus, among others. Exodus was famously highlighted as a “pirate” addon by the MPA.
And then there are books discussing how to install a wide range of addons with a “pirate” reputation, including Covenant which is specifically highlighted in the ACE lawsuits as a bad actor.
None of these addons have been declared illegal in court, as far as we know, and writing about it isn’t illegal by definition. But, it is clear that Amazon itself sees these as pirate tools.
This leads to the awkward situation where, on the one hand, Amazon is suing vendors who sell devices that ship with the Covenant addon, while they sell books that show people how to set this up themselves.
We won’t make any judgments on whether these books or addons encourage infringement in any way, that’s not up to us. But for Amazon it’s not a good look, to say the least, especially since part of the profits for these titles go into its own pockets.
In recent years, Google has had to cope with a continuous increase in takedown requests which target pirate sites in search results.
The total number of ‘removed’ URLs just reached 3.5 billion and millions more are added every day.
While that’s nothing new, Google just started sharing some additional insight into the nature of these requests.
As it turns out, millions, if not hundreds of millions, of the links copyright holders target have never appeared in Google’s search index.
Earlier this year Google copyright counsel Caleb Donaldson revealed that the company had started to block non-indexed links ‘prophylactically.’ In other words, Google blocks URLs before they appear in the search results, as some sort of piracy vaccine.
“Google has critically expanded notice and takedown in another important way: We accept notices for URLs that are not even in our index in the first place. That way, we can collect information even about pages and domains we have not yet crawled,” Donaldson noted.
“We process these URLs as we do the others. Once one of these not-in-index URLs is approved for takedown, we prophylactically block it from appearing in our Search results,” he added.
Unfortunately, Google provided no easy way to see how many links in a request were not indexed, but that has now changed.
Over the past week or so the search engine added a new signal to its DMCA transparency report listing how many of the submitted URLs in a notice are not indexed yet. In some cases, this is the vast majority.
Take the Mexican branch on the anti-piracy group APDIF, for example. This organization is one of the most active DMCA reporters and has asked Google to remove over a million URLs last week alone.
As can be seen below, the majority of the links appear to be non-indexed links. We browsed through dozens of recent listings from APDIF and these reveal a pattern where in most cases over 90% of the submitted URLs are not in Google’s search results.
Google now reporting non-indexed takedown requests
These URLs are obviously not removed since they weren’t listed. According to the company’s earlier statement, they are put on a separate blocklist instead, which prevents them from being added in the future.
APDIF is not the only reporter that does this though. Rivendell, the most active sender of all, also has a high rate of non-indexed links, often well over 50%.
The tactic turns out to be rather common. Well known players such as Fox, Walt Disney, NBC Universal, BPI, and the RIAA, all report non-indexed links as well, to varying degrees.
Not all reporting agencies have such high rates as APDIF. However, it is clear that millions of non-indexed pirate URLs are added to the preemptive blocklist every month.
Technically, the DMCA takedown process is meant for links and content which actually exist on a service, but it appears that Google doesn’t mind going a step further.
TorrentFreak reached out to the search giant several days ago, hoping to find out what percentage of the overall requests are not in Google’s search results, but at the time of writing, we have yet to hear back.
In years gone by, an event like the upcoming FIFA World Cup wouldn’t have been drastically affected by piracy.
Most people like to watch matches as they happen so systems like BitTorrent, that offer after-the-fact content, weren’t particularly useful.
These days, however, there are hundreds of unlicensed platforms fully capable of transmitting live content, meaning that the World Cup is within reach of anyone with a half decent Internet connection.
With this in mind, anti-piracy companies are likely to be working overtime during the World Cup in an effort to take down live streams as soon as matches get underway. Whether they will enjoy much success will remain to be seen but for the Sony Entertainment Network, the battle has already begun.
Through Indian anti-piracy outfit Markscan, Sony has this week been sending out preemptive warnings to pirate sites. A copy shared with TorrentFreak by a sports streaming platform reveals Sony claiming TV, radio, mobile and broadband broadcasting rights to the World Cup in India, Bangladesh, Bhutan, Maldives, Nepal, Pakistan, and Sri Lanka. The company warns of serious consequences if sites don’t heed their warnings.
“[Our] Client will be showing the matches live and content related to FIFA 2018 in various languages across the following channels comprising of Sony Entertainment Network which are designated to the official broadcasters of FIFA 2018,” the letter from Markscan reads.
The company then lists 10 channels that will be broadcasting content, including Sony ESPN, a collaboration between the two companies in India.
“By way of the present caution notice issued to you, we caution you and your website, not to indulge in any broadcasting, rebroadcasting, making available for viewing and / or communicating to the public, the FIFA 2018 matches and any content associated thereof, without obtaining permission / authorization from our client,” it continues.
Markscan states that the site in question will be monitored for any acts of infringement and if any take place it shall be compelled to “initiate legal proceedings (civil and/or criminal) should you engage in violation of our Client’s rights despite the present notice.”
The person who received the notice from Markscan asked for his identity and his site to remain anonymous. However, he confirmed that he streams sports and the warning won’t make any difference.
“No, that’s not gonna stop us,” he told TF. “We will stream the whole FIFA World Cup in our platform.”
Due to the sheer number of legal services the World Cup will be made available on, stopping all unauthorized streams will prove absolutely impossible. Indeed, due to the huge number of unlicensed sites around today, it’s likely to be one of the most-pirated live sports tournaments of all time.
This means that despite best and preemptive efforts, any takedowns will prove a drop in the ocean.
This week we have two newcomers in our chart.
Last summer saw the birth of a new anti-piracy initiative, which has already made quite a few headlines. 
In recent years, Google has had to cope with a continuous increase in takedown requests which target pirate sites in search results.
