Windows and Linux Kodi add-ons contain Monero mining malware

Popular Kodi media player add-ons have been infected with cryptocurrency mining malware

Windows and Linux supporting devices got infected with cryptominers from third-party Kodi add-ons.

Researchers at ESET^[1] found out that three add-ons Bubbles, Gaia, and XvBMC (two of which were disabled due to the copyright issues)^[2] hide malicious code of cryptocurrency mining malware. It was discovered that the repository was involved with a crypto mining campaign that dates back to December 2017.

Unfortunately for Kodi users, the application was previously involved in malware distribution issues. However, this time malware is only delivered on Windows OS and Linux OS supporting devices and Android, and iOS platforms are not affected.

The malicious payload contains a code which allows bad actors to mine Monero cryptocurrency. It is believed that crooks already managed to acquire more than 62 Monero^[3] coins which equals to approximately $7,000. The malware already infected 4,700 users worldwide, victims mainly coming from the US, the UK, Israel, Greece, and the Netherlands. It is not surprising as Kodi application is widely used in these countries.

Three different ways for malware spreading

While the three mentioned add-ons were discovered to carry malware since December 2017, there is no evidence that all Windows and Linux users who use Kodi will be infected. However, because the virus is difficult to track, scanning the system with antivirus or anti-malware should help to determine whether or not the device is affected. Additionally, users who experience high CPU usage^[4] should definitely not ignore the issue, because crypto mining malware abuses the system's resources to solve complicated mathematical algorithms.

The malware is delivered to the system in one of the following ways:

1. The malicious URL added to the repository of Kodi installation. Whenever the user updates their add-ons, malicious ones get installed as well;
2. A ready-made Kodi build is installed and contains the malicious URL. Once connected, the updates install malicious add-ons;
3. A pre-set Kodi build which already has a malicious code inside.

Add-ons is a great way to distribute malware, and crooks will not stop doing it

The crypto malware has a multi-stage campaign that ensures it's final payload cannot be traced. This means that the background process of crypto mining can be executed unnoticed.

Kodi app already has a pretty lousy reputation considering its add-on Exodus helped to compile a Botnet which focused on DDoS attacks.^[5] Additionally, Amazon and Google pulled out the app claiming that it is encouraging piracy. While Kodi developers claim that they delete all the pirated content that gets uploaded, the current cryptoming malware incident will issue will probably further drown the app.

Researchers stated that the malware used “interesting compromise technique”:

Aside from being the second malware, and first cryptominer, distributed though the popular media player Kodi, this malware campaign employed an interesting compromise technique. By utilizing the complex scripting functionality of Kodi’s add-ons, which works across the OSes Kodi supports – Android, Linux, macOS and Windows – the cybercriminals behind this campaign easily targeted Kodi on Linux and Windows.

People behind this threat may be able to target different devices with other OSes using alternative payloads. Kodi supports other operating systems, so there is a possibility that different, for example, less power-intensive payloads are going to be made for targeting battery-powered devices.