First known malicious cryptomining campaign targeting Kodi discovered

Is your Kodi secretly mining Monero? Yes, sadly some cyber thugs have weaponized the media streaming app by hiding malware in Kodi add-ons. Researchers discovered the first known malicious cryptomining campaign to be launched via the Kodi platform. There are still about 5,000 victims unknowingly mining Monero via their Kodi for the cyber thugs.

Ah, man, say it ain’t so.

Despite Kodi malware scare stories, there’s been only one known time that malware was distributed via a Kodi add-on. But that hasn’t stopped some anti-piracy groups from claiming Kodi was being used to distribute malware.

For example, after a watching a video interview filmed at RSA about “how malware is growing on the Kodi/XMBC platform,” Torrent Freak scoffed. The group the interviewee worked with had been putting out Kodi-related malware scare stories to promote anti-piracy. Despite the alarming claims made, which were short on actual facts, as far as Torrent Freak knew, only one Kodi add-on had ever been used for DDoS purposes —and that was back in 2017. The XBMC Foundation president had not heard of malware in a video stream, and a threat analyst at BitDefender had not seen any malware in a video stream in the wild since in 2005.

As it turns out, some cyber thugs actually decided Kodi would be a good malware distribution platform. Researchers at ESET detected the first publicly known cryptomining campaign launched via the Kodi platform. If you use add-ons to enhance your movie or TV viewing pleasure, then it is possible your Windows- or Linux-based Kodi has been secretly mining Monero for months and months. In fact, it may continue to do so unless you take action.

After the XBMC repository for add-ons was shut down, ESET discovered the repository had been part of a cryptomining campaign that went back to December 2017. That repository was added to the Bubbles and Gaia add-on repositories in December 2017 and January 2018. ESET warned, “From these two sources, and through update routines of unsuspecting owners of other third-party add-on repositories and ready-made Kodi builds, the malware spread further across the Kodi ecosystem.”

How was your Kodi infected?

The miner is not so easy to track back to the malicious add-on, but ESET listed three ways your Kodi could have been infected and started mining Monero:

1.) If you added the URL of a malicious repository to your Kodi installation or 2.) if the malicious URL was added to your fully loaded Kodi. Either way, the miner was installed when you updated your Kodi add-ons. And 3.) If your fully-loaded Kodi has the malicious add-on but was not linked to a repository for updates, even without updating the add-on, “if the cryptominer is installed, it will persist and receive updates.”

The attacker’s Monero wallet shows 4,774 victims still mining and a balance of about $6,700 worth of Monero. The top five most-affected countries are the U.S., Israel, Greece, the U.K., and the Netherlands, which also happen to be the “top traffic countries,” according to the Unofficial Kodi Addon Community Stats.

ESET took a deep-dive into the Python code that delivers malware binaries to Linux and Windows-based Kodi installations.

“It is clear that the code is written by someone with a good knowledge of Kodi and its add-on architecture. The script detects which OS it is running on (only Windows and Linux are supported; Android and macOS are ignored), connects to its C&C server, and downloads and executes an OS-appropriate binary downloader module,” ESET wrote. “Although the main add-on repositories that initially seeded this malware into the Kodi ecosystem are now either closed or cleaned, that does not address the many devices that had already run the malicious add-ons.” 

How to remove the malicious cryptomining from your Kodi

To find out if your Kodi has been compromised, ESET advised scanning it with a reliable anti-malware solution. ESET listed a free scanner for the Windows-flavored Kodi or a free trial to scan the Linux-flavored OS on Kodi.

Trend Micro said it also has a solution capable of detecting cryptocurrency mining. And IBM recommended implementing controls capable of identifying mining activity and blocking mining malware variants.