Skip to main content

TV Addons - Crypto Mining Hack - (Update: Coder responds!)

If you have been using Kodi third party addons for any length of time, you cannot have missed the controversy that always seems to surround TV Addons and the antics of its owner, Adam Lackman.  In recent history there have been a number of high profile  repo “hacks” and if you think back a little further, there was the DDOS hidden in the popular Exodus add-on.

TV Addons Hack & Virus History


Exodus DDOS “bot”


So if you dont recall TV Addons hugely popualr Exodus add-on had some code added to it to DDOS attack another repo. This was in response to a clone or fork of the addon that TVA took exception against. This seems rather bizarre given the amount of forks that are flying around now! Here is a link to that article.

Exodus Botnet

We did remove a lot of the post – but heres some links showing the code and how it was added;

Exodus DDOS code

Target of DDOS

TVA & Indigo Repo Hijacks


So lets review the repo hijacks – hotly denied, but who else has a vested interest in force installing Indigo? All of the code basically forced the indigo tool as a dependency, so even if you didnt want it – TV Addons force install their software on your device. That in any other world is the definition of a virus. An unwanted software installation.

Exodus & Kodil Repo  Indigo Hijack


So TVA, Adam (or you may know him as Eleazar Coding), then resurrected Exodus after Lambda quit and TVA were shutdown (and then the whole “grassing other devs” scandal blew up ). However here are two combined stories from Sept 17 and Feb 18 – Adam pushed a modified Exodus update via the Kodil repo to infect even more devices with his software.

Kodil Repo Hijack – Exodus 4.xx.xx Forcing TVA addons Indigo Install !

Entertainment Repo – Indigo Hijack


Using the same methods as described above – by copying the repo format from an old zip file – then duplicating the setup on github, you can instantly infect and access any device that still has the old repo’s installed. This is a highly dubious practice and a malicious act aginst unwary users.   Read about this from March 18;

TV Addons; Yet ANOTHER Virus!

Cyrpto Mining Botnet


UPDATE : 8th April 2018 – less than 24hours affter exposing this latest scam, they pulled the code. The evidence is still here: Orginal Pair Tool Zip.

The latest con-trick that TV Addons have employed is forcing traffic through a crypto mining botnet through one its new tools, ” the pairing tool”  – you can see this is advertised on their site here;

tva addons crypto miner

Its linked to a github repo – so the code is public and easily accessed – and with all the things TV Addons have done in the passed, they are passing this code on to countless other wannabe scammers who will employ underhand tactics to make money of you.  How much simpler this would have been to simply declare that a few seconds of your time is taken to help fund development? Too easy? Better to just lie and deceive people if you keep getting away with it right?

The Crypto Mining Redirect


If you look in the zip file on github -> Download Here – you can open up the add.on.py yourself and see the following;



You can see that before you goto pair a video streaming site, you are redirected to a coinhive link – this is how your cpu/gpu is used to mine currency. This could affect your streaming – by slowing your device down whilst it uses CPU power to mine currency (very CPU/GPU intensive). This would be detrimental to phones or any mobile device, as it will consume a lot of battery power.

The amount of CPU usage or battery drain is dependent on how the shortcut to Coinhive Javascript miner is setup – it could be lots or just a little, as there has been no admission of this or public announcment, we have no idea.

What TV Addons Say…


this was put to TV Addons’s Adam Lackman via their twitter account earlier today, you can see their response here;



” the idea digusts us” – interesting response Adam, clearly you didnt check even when it was pointed out, perhaps your complicit and needed the cash?

Summary


Yet again TV Addons have been proven to be liars and a source of random infections, repo hijacks, ddos bots and now Crypto mining via its users devices without permission. We have said time and time again not to use TV Addons, Kodibae, Indigo and sundry other addons this guy has maliciously hijacked. Surely it would be simpler to be open and direct with users instead of the current wave of underhand and malicious activities. You never know, people may have supported the short cut redirects – but i guess you feared they would reject it and now you are embroiled in another scandal.  SMFH.


Update 8th April 2018 – Coder Comments


This was left in the comments of the post – so I am posting it, in its entirety and will add further comments in red.



I am Twilight0, a respectable developer from Greece. I do AliveGR, some other greek addons and yes I made the Pair Tool.

OMG you guys are stupid, literally. Why are you creating this drama anyway? Just for the sake of drawing users into your website?

Well first off, Im not stupid, but if you wish to hurl personal insults, that is your right to do so. Creating drama? Im afraid you need to realise your actions and your crypto mining code created this “drama”.

1) Exodus DDOS: Lets not hide behind our fingers, it has been revealed that this was the action of just one developer which has long retired from the scene. What he did was justified imho. Enough of that… TVADDONS on their part had nothing to do with it.

This is part of the historic abuses of TVA – i could have gone further back and covered more, maybe discussed their addon blocker or pathetic overwriting other addons by being childish about Add-on IDS etc. If you create an umbrella organisation to benefit from the collective efforts of coders in order to profit from them,  via donations, affiliate sales and web ad sponsorship, then it is your repsonsibility to ensure that playform is safe and “vetted”.  Exodus has DDOS code, and it was distrubuted via TV Addons. What is not 100% clear about that?

Now, justification? It is illegal to maliciously attack web based assets. What could be worse? Hijacking innocent end users to do your dirty work? So when anyone has a beef or disagreement (and god knows there are plenty of those in the Kodi school yard), its “justified” to DDOS someones websites or other assetts? Understood, that probably explains the attempts to access this website which is clearly evident in the logs and probably the numerous attacks in the past too.

2) Repo hijacks and “resurrections”: These actions were not made by any REAL member of the current or the past TVADDONS. Why do you even bother mention this as “virus” or hacks? Why are you not complaining to github headquarters for allowing the use of disabled usernames?

What is not obvious to you? All the repo hijacks had one significant commmonality. They all point to TV Addons. Not some random add-on or other repo either. They ALL force installed Indigo, the so called prize jewel in TV Addons self appointed Kodi crown. The thing thats rammed down everyones necks as the only way to install add-ons.  Why would anyone  goto all that trouble, to point to the same addon, knowing that the only thing that happens is TVA get more traffic, from his pop-up spam master? 

Who beneifts from installing Kodibae? You know, the TVA “front” repo to house all the cloned add-ons and avoid further legal issues.

Who else would benefit from installing Indigo? You’re earlier comment, about being stupid?

Look in the mirror.

Maybe if Adam didnt have a track record for low ball actions,  giving up developer names (and previously his distribution chain for satellite IKS sales), then you might have a case to argue. We know the lies hes told and rumours hes spread. You know them too, dont you?

So, the only likely source of all these repo hijacks is Adam and his desperate drive to restore his income streams. He must be feeling the pinch now Stream TV hub etc is not raking in $100,000’s for him? Mind you hes had $42,000 donated recently? Maybe he could’ve dipped into one of his offshore accounts. Antigua were they? Panama perhaps?

3) And finally the “botnet mining tool” (LMAO).

I developed this tool. The source code is publicly available yes, you can see how it works yes, exactly, that’s the point of having them publicly available in a MOST READABLE form. What’s wrong with it? I could heavily obfuscate if I wanted and all is well, but no… I wanted some stupid bloggers noticing about it and write unthoughtful articles.
You can disable the coinhive links if you want from the options, its as simple as that.

So, its ok to fool users to make you money? This sounds like TV Addons tactics for sure. It is not acceptable to insert any kind of code that leverages end user devices to make money, without first getting consent. That by any other name is a virus, hijack, malicious activity, call it what you will. Its dishonest.

If you had asked permission first, made it 100% crystal clear what you were doing and made it obvious to opt IN (and not opt OUT as you had set it),  then maybe there wouldnt have been the fuss and outcry from all the decent (and some not so decent lol) devs across the Kodi platform? Do you see all those people commeting and blocking TV Addons? Do you see the universal condemnation of your code and your ethics?

It is clear that you wanted to sneak this under the radar, to deceive users into leveraging their devices to make you money via your javascript based crypto miner. Your blase attitude demonstrated in your response, shows your disrespect for Kodi users, and the community in general. I can only hope this serves to make you redress this contemptious attitude and show a little more respect. Its not that crypto miner is a bad thing or a bad idea, its that you flagrantly disregarded the need to ask user permissions to install or run this crypto mining code. Such was the deception your boss didnt know, looked a proper clown denying it on Twitter when the evidence and now, your admission that it was true.

TV Addons as a group have disregarded users privacy and rights for a long time now, the few articles referenced are the tip of the iceberg. Its nothing new, but it will be exposed and users informed each and every time it happens. You contribution to their reputation via your disregard for end users serves only to further blacken their name.

Comments

Post a Comment

DVDrip – TorrentFreak

Loading...

Trending Posts...

Kodi Advanced Settings Pt 2

    This is the second part of The Advanced Settings XML article, in this follow up post I want to cover a few extra items. Skip Loop Filter Package Folder SIze Remote Delay Remote Repeat Specifcally the first is for Amazons Firestick and reduces the overhead on the GPU by removing some “unseen” frames from the video stream. Skip Loop Filter Click Programs Click Easy Advanced Settings Click Edit Settings Click Audio/video playback settings Click Skiploopfilter Click 8 You can back up to the twice and hit Write XML file Package Folder Size You’ll hear this a lot “purge packages”; so lets explain, packages are the zips Kodi downloads to install your add-ons. Kodi keeps them in case you want to roll back from an upgrade. However, they mostly just use up storage space. They have no connection to buffering, nor speed, nor performance, another often touted myth! We can remove the need to do this monthly clean up by simply setting a fixed size for the fo...
Post a Comment
Read more

Super Favourites

This is not new and its amiss of me not to have added this sooner, but I started digging into a few things to do some advanced topics later and well, never realised the true potential of this add on; its always been on my “to do ” list and i have a feeling that despite Exodus not allowing its use, that SF will be used a lot more with the TV Portal release of its custom EPG app. You may have heard of the author, Spoyser, former lead ‘droid dev for team Kodi, so you know this is a solid stable addon. What Is Super Favourites? In a nutshell Super Favourites allows you to create you own custom Super-Add on with all the best bits of all your favourite add ons (with a few exceptions), along with the bits of Kodi that you use the most. In it’s simplest use case Super Favourites, acts very similar to the standard Kodi favourites in that you add items to it (in a couple of ways, see later), and can then view them in one easy to use list. However, whereas Kodi favourites is simply a...
Post a Comment
Read more

How to Adjust Video Screen in Kodi Jarvis/Krypton

Adjusting Video Screen in Kodi Have you ever opened your Kodi and found that the screen is “Skewed” or looks like it’s zoomed in and the edges are missing ? Well here’s a fix that everyone will be able to apply to Kodi 16.1, Krypton 17 and all Forks. Understanding where and how to adjust the video screen is one of the easiest fix that anyone can do. But before we begin, it’s always a good idea to check your Android device settings. You may have to adjust your settings there as well. Go to Main settings in your Device. (Android Box) Select display settings or Screen resolution. (varies depending on the Android version) Disable auto-detect HDMI. Now set it manually under HDMI output mode settings to 1080p, 50hz or you can set to what suits best according to the capacity of your TV manually by selecting it from the options on it. How to Adjust/Calibrate First of all, for the purpose of this article, all work was done on a PC for the screen captures. In addition, Kodi...
Post a Comment
Read more

What is Failure Level in Death Streams Scraper List.

What is FL or Failure Level What FL specifically stands for is “Failure Level”. When a scraper’s FL value exceeds the FL threshold in settings, the scraper will be automatically disabled.  But only if “Automatically Disable Ineffective Scrapers” is set to “On” or trigger a disable prompt if it is set to “Prompt”. Death Streams, a Fork of  S.A.L.T.S. (Stream All The Sources) has thankfully decided to continue the use of this amazing Video Add-on. Originally developed by tk.norris it soon became a very unique Add-on to use. Primarily on how the end user was able to configure the Settings to their personal use. Due to the amount of time required to Maintain and Update an Add-on the Dev (tk.norris) decided to cease looking after Salts and move on to other Life Adventures. Unfortunately the new Dev also found this a daunting undertaking consequently forcing him to step away from the add-on. Mr. Blamo, in order to prevent failu...
Post a Comment
Read more

How to Setup and Enable Real Debrid in Kodi Krypton

Setup/Enable Real Debrid in Krypton Due to the increase in popularity of Real Debrid Accounts, more and more Developers are coding their Add-ons to Enable this feature. But what is Real Debrid and what can it do for me you ask? Well I would suggest you read this excellent blog on the topic, it changed my mind after reading it. Click here .  If you are interested in acquiring an account, please use this link for Real Debrid . It’s recommended to establish an account prior to continuing. Where to start ? There are many Blogs and articles on the Internet about how to enable RD, but for a change this one will be about how to Enable RD in Krypton 18, Leia. While still in Alpha build, there are some interesting new features to view. But I would recommend waiting until Leia has been released in Beta before installing and trying to use. This was installed on a PC, W/10 for the ease of creating the screenshots needed. So lets begin : After opening Kodi Krypton 17 / Leia 18, select th...
Post a Comment
Read more