Windows and Linux Kodi users infected with cryptomining malware
Users of Kodi, a popular media player and platform designed for TVs and online streaming, have been the targets of a malware campaign, ZDNet has learned from cyber-security firm ESET.
According to a report that will be published later today and shared with ZDNet in advance, the company’s malware analysts have uncovered that at least three popular repositories of Kodi add-ons have been infected and helped spread a malware strain that secretly mined cryptocurrency on users’ computers.
Also: Tech support scammers find a home on Microsoft TechNet pages
Kodi, for readers unfamiliar with this software, is an “empty” media player that works primarily based on add-ons. Users install Kodi and then add the URL of one or more add-on repositories, from where they choose what add-ons to install on their players.
Add-ons exist for streaming everything from Hulu to YouTube, but the player is often used for streaming pirated content, such as pay-per-view channels or movies from torrent portals.
ESET researchers say they found malicious code hidden in some of the add-ons found on three add-on repositories known as Bubbles, Gaia, and XvBMC, all offline at the time of writing, after receiving copyright infringement complaints.
Researchers said that some of the add-ons found on these repositories would contain malicious code that triggered the download of a second Kodi add-on, which, in turn, would contain code to fingerprint the user’s OS and later install a cryptocurrency miner.
While Kodi can run on various platforms, ESET says that the operators of this illicit cryptocurrency mining operation only delivered a miner for Windows and Linux users.
Also: Recent Windows ALPC zero-day has been exploited in the wild for almost a week
Crooks mined for Monero, and according to some partial data obtained by ESET, the company believes they infected over 4,700 victims and generated over 62 Monero coins, worth today nearly $7,000.
Most of the infected users were located in countries such as the US, the UK, Greece, Israel, and the Netherlands, countries where Kodi usage is also high.
ESET says there is no reliable way of knowing if a user of those three add-on repositories has been infected, other than installing an antivirus solution and scanning the machine where Kodi was installed. A clear hint that something is wrong is high CPU usage, a common indicator of cryptocurrency mining operations.
This was the second malware campaign discovered targeting Kodi users and the Kodi add-ons system. The first came to light in early 2017, when someone used Kodi add-ons to infect users with a DDoS bot.