What just happened? Unofficial repositories serving third-party add-ons for open source media player Kodi have been serving malicious cryptocurrency mining malware for several months. Fewer than 5,000 victims are estimated but that number could grow as the malware spreads.
According to a recent report from cybersecurity firm ESET, malware found in the XvMBC repository (the same one that was shut down last month over copyright infringement concerns) was originally uploaded to the Bubbles and Gaia (a fork of Bubbles) repositories in December 2017 and January 2018, respectively.
The malware, which has a multi-stage architecture, spread from these two sources across the Kodi ecosystem, ESET said. The firm adds that its final payload, a cryptominer, runs on Windows and Linux and mines the virtual currency Monero (XMR). The malware was designed in a way that makes it difficult to trace the payload back to the malicious add-ons.
Based on ESET’s data, the five countries most affected by the malware are the US, Greece, Israel, the Netherlands and the United Kingdom.
ESET points out that the repositories that first spread the malware are either defunct, as in the case of Bubbles, or no longer serving the bad code, as with Gaia. That said, victims who don’t know they installed the cryptominer are likely still infected. What’s more, the malware has made its way into other repositories and into some ready-made Kodi builds, likely without their authors’ knowledge.
ESET believes that more than 4,700 victims are affected by the malware, which has generated around $6,700 in value for its creators.
For a full technical analysis of the malware, head over to ESET’s dedicated landing page for the campaign.