It seems there's no such thing as a free show.
Security researchers from the Digital Citizens Alliance (DCA) and Dark Wolfe Consulting looked into six streaming devices that offered free shows through pirated apps and found nearly half of them were packed with malware.
While you may have bought a bona fide Apple TV or Roku to watch shows on Netflix or Hulu, there's an entire market online for jailbroken and modified devices that are tuned to watch this same content for free. They come at a much cheaper price and offer free, unlimited access to shows that you'd normally have to pay a subscription fee for.
These devices work just like a Roku or a Fire TV Stick -- you plug it into your TV and connect it to your Wi-Fi network. In some cases, they're loaded with apps.
If the hardware isn't laced with malware, the apps are, Timber Wolfe, a principal at Dark Wolfe Consulting, found in his research. He said 40% of apps for these devices were infected with malware that can take over a camera or microphone on the network within the first hour.
As viewers move to streaming devices to watch shows, like Apple TVs, Rokus, Chromecasts and Fire TVs, black market sellers have capitalized on cordcutters by offering pirated alternatives. Cybercriminals have taken notice, by targeting these bootleg boxes with malware, researchers found.
On April 8, the FCC issued an enforcement advisory warning that they were fining up to $19,639 per day for people selling these illegal streaming boxes, as well as people using them.
While they aren't in stores, you can still find them in popular sites like eBay, Craigslist and Facebook Marketplace. They're also often sold at flea markets and malls for about $75 to $100. People are enticed to buy them because they promise free streams on sports, live shows and new movies.
The DCA and Dark Wolfe found that there were 12 million active users in the US with these devices, meaning that millions of people are exposed to malware packed with these free shows, according to a report DCA published Thursday.
"You have a choice, you can either have free movies, or your bank account," said Tom Galvin, the DCA's executive director. "When you bring one of these into your home, you've escorted a hacker past your security."
One app for pirated movies and live sports, called Mobdro, immediately forwarded his Wi-Fi network name and password to servers in Indonesia, he said. Other apps would collect data on the user, including photos and videos on the network, and upload them to the server. In one case, an app collected more than a terabyte of data after getting connected to Wolfe's network.
These apps offered streams on movies that were still in theaters during the study time, like Aquaman and Green Book, as well as access to pay-per-views like UFC fights. One app, called "Free Netflix," used a network of stolen Netflix accounts that would constantly rotate so that hacked users would not become suspicious, Wolfe said.
In the background, these apps were scanning victims' networks, looking for open ports to infect other devices, he said.
"Once you start using these rogue apps, nothing is free, there's always some angle to them," Wolfe said.
In one case, when the DCA arranged to buy one of the devices off Craigslist, the seller came out of the Department of Labor building in Washington, DC, to hand off the goods. On hacker forums, the researchers found that criminals online were discussing ways to exploit this malware.
"Streaming is where consumers go to for their home entertainment, which means hackers and criminals are now targeting streaming as a place to exploit consumers," Galvin said.