Windows And Linux Kodi Users Ravaged By Nasty Monero Cryptocurrency Mining Malware
ESET, a Slovak IT security company, discovered that Windows and Linux Kodi users who downloaded the third-party add-ons Bubbles, Gaia, and XvBMC were the targets of the malware campaign. The add-ons contain malicious code that mines the cryptocurrency Monero (XMR). It is believed that the criminals have been able to mine 62 Monero coins or over $7,000 USD. Most of the infected users live in North America and Europe. ESET noted that the malware campaign so far has not targeted Android or macOS devices.
Kodi is a free and open-source media player. It was initially released in 2002 for the Xbox by the XBMC Foundation. It quickly expanded to Android, Linux, BSD, macOS, iOS/tvOS, and Windows. Users are able to install a variety of add-ons to their “empty” media players. Add-ons exist for legitimate sites such as Hulu and YouTube, but Kodi has also gained a reputation for being a center of pirated content.
It is believed that the Bubbles add-on first published the malware in December 2017. Gaia (a Bubbles fork) followed shortly after in January 2018. The Bubbles repository was shut down later that month, but users were directed to Gaia where the malware still existed. Gaia eventually deleted all of its content in April 2018 and its newer versions do not appear to contain the malware. XvBMC was shut down this past summer for copyright infringement and it was discovered that it was another source of the malware.
Although all three of the offending add-ons have been deleted, users may still have the malware on their devices. ESET recommends that users scan their devices with reliable anti-malware software. If a user’s CPU usage seems unusually high, they may have been infected with the coinminer.
Kodi is quite popular with those who want to stream content, but less so with companies such as Amazon and Google. In 2015, Amazon pulled Kodi from the app store because the software reportedly encouraged piracy. Google removed Kodi from its autocomplete search query this past spring because the software is reportedly connected to copyright infringement. Kodi add-on developers received cease and desist letters from the Alliance for Creativity and Entertainment in 2017. Members of the organization include heavy-hitters such as Netflix, Amazon, Disney, and Warner Brothers. Kodi maintains that they delete unlicensed content, but the recent discovery of the malware will likely do little to help their reputation.