AAPA: Illicit apps leverage every piracy business model; ad-fraud is the most lucrative


Just as digital piracy is the access, use or distribution of protected content without permission of the rights-holder, app piracy is the same concept applied to apps, according to UK-based AAPA, the Audiovisual Anti-Piracy Alliance, whose mission is to support law enforcement, governmental and industry stakeholders in their efforts against piracy.

AAPA segments illicit apps into apps which are stolen or illegally duplicated, and apps which are legal on their own but expose illegally-sourced content – which can include the promotion of illegal services or content through in-app and online advertising – to users.


Apps are an appealing vehicle for pirates because they can be hosted in legitimate app stores, are less subject to scrutiny, and require less of an investment to develop and maintain.

How pirate apps are different

A common form of app piracy is to infiltrate legitimate apps through reverse engineering. Once an app is broken, pirates remove copyright attribution and marks that identify the legitimate rights holder. They redirect or replace advertising, disable tracking functionality and add their own monetization techniques before republishing the apps on one or many app stores.
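
The changes listed above leave traces that a store operator or rights holder can check for. The following is an added example, not code from the AAPA report or from Piracy Monitor. It assumes the metadata of a look-alike listing has already been extracted from the package, and every name and value in it is hypothetical or constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class AppProfile:
    package: str               # application ID declared in the manifest
    signer_sha256: str         # SHA-256 digest of the APK signing certificate
    attribution: str           # rights-holder / copyright text found in the app
    ad_unit_ids: frozenset     # advertising identifiers embedded in the app
    tracking_hosts: frozenset  # analytics endpoints the app reports to


def repackaging_indicators(reference, candidate):
    """Compare a candidate against the rights holder's reference build."""
    findings = []
    # A modified APK has to be re-signed; without the developer's private
    # key the certificate digest cannot match the original.
    if candidate.signer_sha256.lower() != reference.signer_sha256.lower():
        findings.append("signer_mismatch")
    if reference.attribution.lower() not in candidate.attribution.lower():
        findings.append("attribution_removed")
    # None of the legitimate ad identifiers survive: revenue was redirected.
    if reference.ad_unit_ids and not (reference.ad_unit_ids & candidate.ad_unit_ids):
        findings.append("ads_replaced")
    if reference.tracking_hosts - candidate.tracking_hosts:
        findings.append("tracking_disabled")
    return findings


def triage(reference, candidate):
    findings = repackaging_indicators(reference, candidate)
    if "signer_mismatch" in findings and candidate.package == reference.package:
        return "likely_repackaged", findings
    return ("review" if findings else "matches_reference"), findings


# Constructed sample data (not real apps, certificates or ad identifiers).
REFERENCE = AppProfile("com.example.player", "a1" * 32, "© Example Media Ltd",
                       frozenset({"ads-unit-1001", "ads-unit-1002"}),
                       frozenset({"metrics.example.com"}))
CANDIDATE = AppProfile("com.example.player", "b2" * 32, "",
                       frozenset({"ads-unit-9001"}), frozenset())

if __name__ == "__main__":
    print(triage(REFERENCE, CANDIDATE))
```
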

Another form of app piracy is to develop ‘content agnostic’ apps from scratch, where the app itself is not illegal, but the content that it presents to users may be. The rights holder must prove who is behind the content-agnostic app, demonstrate that it is being used to share their content without authorisation, and show how the app is being promoted, says AAPA.

Forms of illicit apps

AAPA groups illicit apps into four categories:

  • “IPTV” generic media players
  • Custom-branded IPTV
  • Live streaming sports
  • Movies and series streaming

But pirates make the most money from advertising fraud. AAPA cites the Digital Citizens Alliance 2021 report “Breaking (B)Ads: How Advertiser-Supported Piracy Helps Fuel A Booming Multi-Billion Dollar Illegal Market,” which estimated annual revenue to piracy platforms through advertising and subscriptions at more than $2.3 billion, $1.21 billion of which was advertising.

Fighting app piracy

The AAPA report recommends several techniques to fight piracy. One is the “Know Your Business Customer” (KYBC) process specified by the EU’s Digital Services Act, which provides guidelines for online hosting, distribution and advertising stakeholders to recognize and flag bad actors.

Additional recommendations include improvements to the notification and takedown process, closer collaboration with operators of app stores to recognize illicit apps and their developers, and the use of Trusted Flaggers (as described in the Digital Services Act) to monitor and report apps that infringe content rights.

Android singled out

While the overall phenomenon of app piracy is not device or software specific, the report singles out Android as a more likely vector for pirate apps due to its 72% market share (against iOS 28%), and because of the Android Package Kit (APK), which pirates abuse to modify legitimate apps to turn them to their own purposes.

A 2019 study by World Trademark Review that was cited by the AAPA report estimated that out of a million Android apps hosted by the Google Play Store, about 50,000 were potentially counterfeit or infringing at that time, with 2,000 considered to be high risk, with “high visual similarity” to legitimate apps.

Further reading

A Look at the Problem, Challenges and Effects of App Piracy. Report. June 19, 2023. Audiovisual Anti-Piracy Alliance (AAPA)

Why it matters

Because they enable several business models all at once, illicit apps have become a mainstream form of distribution for pirates.  Not only do they enable access to illegally sourced content – both on-demand and live-streamed – but also, they serve as channels for illicit advertising, malware implants and theft of consumer details and protected content.

AAPA’s report provides a level-headed survey of app piracy which reflects the incremental and logical evolution of distribution channels by pirates. Pirate apps consolidate multiple business models and multiple methods of attack into one convenient vehicle that’s distributed through app store channels that consumers implicitly trust.

Absent from the AAPA report

Not covered by the AAPA report, but certainly an additional focus of that organization, are the further threats to access content and sensitive data stored by media stakeholders, and attacks on CDNs to steal content in distribution.

The report does not detail technology-based methods of detecting fraudulent apps, such as tamper protection, jailbreak/root detection, and monitoring for unexpected traffic to and from the app. Nor does it get into ways that apps can be protected against fraud, including runtime application self-protection, code obfuscation and data obfuscation.

Piracy Monitor will release an industry report about app protection during the 3rd quarter of 2023.

Bigger picture

Pirate apps are designed to deceive consumers and are the most effective modes of attack yet to emerge.  In today’s era of disinformation, fueled by the malicious use of AI, it’s especially critical to identify pirate threats and illicit apps in particular.

App piracy is simply the latest evolution of pirate distribution.  Consider the early days of piracy, when the primary vehicle was mass-duplication of physical media, and the main weapon against it was to patrol physical markets for illegal copies that were verified to be illegal either by use of forensic watermarking or simply by being instantly recognizable because of poor video quality or bad packaging.

This evolved into downloads from digital lockers and torrenting, which further evolved into on-demand and live streaming sites.  As production values improved, pirate Web sites became mistaken for legal sources offering deals that were promoted through phishing and priced such that consumers couldn’t pass them up.  These sites also promoted illegal services, stole ad-impressions from legitimate advertisers which also provided the appearance of legitimacy to pirates, and linked to malicious downloads.

Apps are the most effective distribution vehicles yet. They’re a huge threat, a nearly perfect storm, and it’s incumbent on rights holders and anti-piracy stakeholders to recognize and fight them.
