According to Eurojust, the investigation into Mobdro’s activities began back in 2018, following complaints from the Spanish Professional Football League (La Liga), the Premier League and the Alliance for Creativity and Entertainment. As a result, last month the combined efforts of Europol, Interpol, Eurojust and the Spanish authorities led to an operation against a former Spanish citizen who moved to Andorra, and three engineers who worked for him. Law enforcers took the following actions:
- 3 house searches (2 in Spain and 1 in Andorra);
- 3 arrests (3 in Spain and 1 in Andorra);
- received 3 court orders to block domains;
- blocked 20 domains and servers;
- froze bank accounts;
- disabled one server in Portugal, and another one is being studied in the Czech Republic.
Since about 43 million users viewed unlicensed content through Mobdro, law enforcement officers believe that the owners of the application earned more than 5 million euros from it.
Most of the revenue came from in-app ad impressions and the sale of users’ personal data to advertisers. However, the Spanish authorities say that “as the investigation progresses,” the police discovered another source of income: the app was registering user devices on another company’s network. The Spanish authorities and Europol did not disclose the name of this company, but claim that it used the infected devices as a proxy for those who need anonymity, and also used them to organize DDoS attacks.
It must be said that the malicious functionality of Mobdro did not come as a surprise to cybersecurity experts. Back in 2019, specialists from Digital Citizens wrote in their report that the application is dangerous and associated with a botnet. The researchers cited the following facts:
- after being downloaded, the application transmitted the login and password of the Wi-Fi network to a server that appears to be located in Indonesia;
- Mobdro probed the user’s network in search of vulnerabilities that would allow it to gain access to files and other devices. In the Digital Citizens test, it offloaded over 1.5 TB of data from the researcher’s device;
- Mobdro looked for access to media content and other legitimate applications;
- criminals were posing as well-known streaming sites like Netflix, making it easier for them to gain access to a real user’s legitimate subscription.