A dangerous new hacking practice has been detected: the use of the Kodi media player for distributing malware. Many users running the open-source software are at risk of becoming victims of a global cryptomining campaign, according to a new report.
Kodi Media Player can Deliver Dangerous Malware
The well-known Kodi media player, which is widely installed by users and available on many smart devices, can pose a serious security risk. According to a new report posted by experts, deployed installations can be abused to spread various malware, including cryptocurrency miners. The source of infections is the ability to add add-on repositories that offer plugins, skins and updates extending the bare Kodi setup. On the Internet there are many guides, YouTube videos and forums that give instructions on personalizing and customizing Kodi players with various functions. Malicious users can easily post elaborate guides of this kind that point to malicious repositories.
There are three main ways that the malware operators may abuse Kodi:
- The criminals can guide users into adding an external plugin repository containing a contaminated update. The malware code will be installed once the users allow the update to run.
- A pre-made Kodi instance is installed. The malicious code may already be placed in it, or it may include the malicious repository link so that upon running the virus code is deployed automatically.
- A ready-made Kodi build containing the malicious add-on but no link to the repository. A persistent installation will follow.
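Because every one of the three routes above runs through an add-on repository entry, a defender's first check is which repositories a Kodi profile actually trusts. The following Python audit is an added example, not code from the report or from the Kodi project: it parses the addon.xml manifests below a Kodi addons directory, picks out the ones that declare an `xbmc.addon.repository` extension, and flags any whose download URLs point at a host outside an allowlist. The allowlist (`TRUSTED_HOSTS`) and the three sample manifests are constructed for the example.

```python
import xml.etree.ElementTree as ET
from pathlib import Path
from urllib.parse import urlparse

# Assumed allowlist: hosts the operator considers trustworthy for add-on repositories.
TRUSTED_HOSTS = {"mirrors.kodi.tv"}

def repository_urls(addon_xml_text):
    """Return (addon_id, urls) for a repository add-on, or None if the manifest is not a repository."""
    root = ET.fromstring(addon_xml_text)
    urls = []
    for ext in root.findall("extension"):
        if ext.get("point") != "xbmc.addon.repository":
            continue
        # A repository manifest points Kodi at addons.xml, its checksum and the zip data dir.
        for tag in ("info", "checksum", "datadir"):
            urls += [el.text.strip() for el in ext.iter(tag) if el.text]
    return (root.get("id", ""), urls) if urls else None

def flag_untrusted(addon_xml_texts, trusted_hosts=TRUSTED_HOSTS):
    """Map repository add-on id -> list of URLs whose host is not on the allowlist."""
    flagged = {}
    for text in addon_xml_texts:
        parsed = repository_urls(text)
        if parsed is None:
            continue
        addon_id, urls = parsed
        bad = [u for u in urls if urlparse(u).hostname not in trusted_hosts]
        if bad:
            flagged[addon_id] = bad
    return flagged

def audit_kodi_addons(addons_dir):
    """Audit every addons/*/addon.xml below a Kodi addons directory (e.g. ~/.kodi/addons)."""
    paths = Path(addons_dir).glob("*/addon.xml")
    return flag_untrusted([p.read_text(encoding="utf-8") for p in paths])

# Constructed sample manifests (not taken from any real repository).
SAMPLE_OFFICIAL = """<addon id="repository.xbmc.org" name="Kodi Add-on repository" version="3.1.7">
  <extension point="xbmc.addon.repository" name="Kodi Add-on repository"><dir>
    <info compressed="true">https://mirrors.kodi.tv/addons/leia/addons.xml</info>
    <datadir zip="true">https://mirrors.kodi.tv/addons/leia</datadir>
  </dir></extension></addon>"""
SAMPLE_BUILD_REPO = """<addon id="repository.example-build" name="Example Build Repo" version="1.0.0">
  <extension point="xbmc.addon.repository" name="Example Build Repo"><dir>
    <info compressed="false">http://repo.example.invalid/addons.xml</info>
    <datadir zip="true">http://repo.example.invalid/zips</datadir>
  </dir></extension></addon>"""
SAMPLE_PLUGIN = '<addon id="plugin.video.example" name="Example Plugin" version="0.1.0"><extension point="xbmc.python.pluginsource" library="default.py"/></addon>'
```

Running `audit_kodi_addons` against a real profile returns an empty dict when every repository resolves to an allowlisted host; anything else names the add-on and the URLs worth investigating.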
So far most of the infections target the following countries: Israel, Greece, the United States, the Netherlands and the United Kingdom. The origins of the Kodi malware families were traced to a now-defunct repository. Another malicious repository that was found to spread virus code has since been changed and is at this moment safe for use.
The analysis of the Kodi malware code shows that the downloaded payloads are based on Python scripts. These trigger a payload download that pulls a cryptocurrency miner. The script then checks whether the malicious file has been dropped successfully and deletes the payload dropper. Cryptocurrency miners are a common malware type composed of several components. Their primary aim is to take advantage of the available system resources in order to carry out complex calculations. When the results are reported to the relevant servers, digital currency is wired to the hacker operators.
The researchers point out that the scripts were made by knowledgeable hackers. One example is the inclusion of a specific operating system check: at the moment only Windows and Linux are supported. When a compatible system is found, the code connects to a predefined hacker-controlled server serving the main infection component. Both the Windows and Linux strains are written to the system folders.
Users can check whether their systems are infected by miners by monitoring system usage. Any unusual processor, graphics card or memory load can signal an infection. Users can read the original report here.