Windows and Linux Kodi users infected with cryptomining malware

Kodi media player users who installed add-ons from the Bubbles, Gaia, and XvBMC repositories might have been infected with a coinminer.
Written by Catalin Cimpanu, Contributor

Users of Kodi, a popular media player and platform designed for TVs and online streaming, have been the targets of a malware campaign, ZDNet has learned from cyber-security firm ESET.

According to a report that will be published later today and shared with ZDNet in advance, the company's malware analysts have uncovered that at least three popular repositories of Kodi add-ons have been infected and helped spread a malware strain that secretly mined cryptocurrency on users' computers.

Kodi, for readers unfamiliar with this software, is an "empty" media player that works primarily based on add-ons. Users install Kodi and then add the URL of one or more add-on repositories, from where they choose what add-ons to install on their players.

Add-ons exist for streaming everything from Hulu to YouTube, but the player is often used for streaming pirated content, such as pay-per-view channels or movies from torrent portals.

ESET researchers say they found malicious code hidden in some of the add-ons found on three add-on repositories known as Bubbles, Gaia, and XvBMC, all offline at the time of writing, after receiving copyright infringement complaints.


Researchers said that some of the add-ons found on these repositories contained malicious code that triggered the download of a second Kodi add-on, which, in turn, contained code to fingerprint the user's OS and later install a cryptocurrency miner.

While Kodi can run on various platforms, ESET says that the operators of this illicit cryptocurrency mining operation only delivered a miner for Windows and Linux users.

The crooks mined Monero. Based on partial data obtained by ESET, the company believes they infected over 4,700 victims and generated over 62 Monero coins, worth nearly $7,000 today.

Most of the infected users were located in countries such as the US, the UK, Greece, Israel, and the Netherlands, countries where Kodi usage is also high.

ESET says there is no reliable way of knowing if a user of those three add-on repositories has been infected, other than installing an antivirus solution and scanning the machine where Kodi was installed. A clear hint that something is wrong is high CPU usage, a common indicator of cryptocurrency mining operations.

This was the second malware campaign discovered targeting Kodi users and the Kodi add-ons system. The first came to light in early 2017, when someone used Kodi add-ons to infect users with a DDoS bot.
