THE WORLD OF INFORMATION SECURITY

Listening to music might leave you hacked.



Media players are used daily by people all over the world, and they come in many types from many providers. One of the most widely used is Kodi, an open-source media player that runs on multiple operating systems (cross-platform).
Security researchers at ESET recently found that Kodi users who install add-ons from unofficial repositories have been infected with cryptocurrency-mining malware.
A copy of the add-on “script.module.simplejson”, altered by criminals and uploaded to unofficial repositories, is still accepted by Kodi as a legitimate update, because Kodi's add-on update check is inadequate: it only compares version numbers when deciding whether to update.
Victims can end up running the cryptominer in one of three ways:
  1. They add the malicious repository URL to Kodi; the next time they update their add-ons, the malicious add-on is installed.
  2. They install a pre-built Kodi package that already contains the malicious repository URL; again, the next add-on update installs the malicious add-on.
  3. They install a pre-built Kodi package that already contains the malicious add-on but no repository URL. That add-on can't receive further updates, but once the miner is installed it persists and updates itself on its own.
According to ESET's telemetry, the top five countries affected by this malware are:
  1. The United States
  2. Palestine Occupied Territories 
  3. The United Kingdom
  4. Greece
  5. Netherlands

How it works:

  1. Once a victim adds the malicious repository to their Kodi installation, the repository serves an add-on named “script.module.simplejson” that replaces the legitimate add-on of the same name, a library that many other add-ons depend on.
  2. As mentioned above, the update check is inadequate because it only compares version numbers, so the malicious repository simply offers its copy with a higher version number than the legitimate one and Kodi installs it as an update.
  3. The only modification is in the metadata: one additional requirement line in the addon.xml file:
    <import addon="script.module.python.requests" version="2.16.0" />
    which tells Kodi to download and install the add-on “script.module.python.requests”, version 2.16.0 or higher, which only the malicious repository provides.
  4. That module is Python code that downloads a downloader binary appropriate for the victim's platform; the downloader in turn fetches and installs the cryptominer on the device and, if the cryptominer installs successfully, runs a self-removal routine to cover its tracks.


The configuration for the cryptominer is as follows (a Monero wallet plus three nanopool.org pool hosts, one each for the US, Europe and Asia):
{
  "monero": {
    "default": {
      "wallet": "49WAk6TaCMX3HXN22nWPQAfBjP4J3ReUKg9tu3FoiPugcJs3fsnAvyGdrC41HZ4N6jcHEiwEGvH7z4Sn41PoZtLABFAVjm3",
      "password": "",
      "name": "",
      "email": "",
      "weight": 1,
      "format": {
        "rig": "",
        "address": "%w%.%n%/%e%",
        "password": "%p%"
      }
    },
    "pools": [
      {"host": "xmr-us-east1.nanopool.org:14444"},
      {"host": "xmr-eu1.nanopool.org:14444"},
      {"host": "xmr-asia1.nanopool.org:14444"}
    ]
  }
}
Am I infected?
Scan your PC with a reputable anti-malware product. You can also look in Kodi's addons folder (for example ~/.kodi/addons on Linux or %APPDATA%\Kodi\addons on Windows) for an add-on directory named script.module.python.requests, or for a script.module.simplejson whose addon.xml lists that add-on as a requirement; neither should be present on a clean installation.
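The following script is an added example written for this article; it is not Kodi's code and not ESET's tooling. It illustrates two points above at once: the "How it works" steps (the trojanized addon.xml differs from the clean one only by the extra import, and a higher version number is enough to be accepted as an update), and the "Am I infected?" check (walking the addons folder for the suspect module and for anything that requires it). Only the add-on ids and the import line quoted in the article are taken from it; the addon.xml bodies, the version numbers 3.3.0 and 3.4.1, and the temporary directory layout are constructed for the demonstration.

```python
"""Spot the trojanized script.module.simplejson pattern in a Kodi addons tree.

Example code added for this article; not Kodi's own code and not ESET's tooling.
The addon.xml bodies and version numbers below are constructed samples.
"""
import os
import tempfile
import xml.etree.ElementTree as ET

# Add-on id that the trojanized simplejson pulls in (named in the article).
SUSPECT_ADDON_ID = "script.module.python.requests"

# Constructed sample: a clean script.module.simplejson addon.xml.
LEGIT_SIMPLEJSON = """<?xml version="1.0" encoding="UTF-8"?>
<addon id="script.module.simplejson" name="simplejson" version="3.3.0" provider-name="example">
  <requires>
    <import addon="xbmc.python" version="2.1.0"/>
  </requires>
  <extension point="xbmc.python.module" library="lib"/>
</addon>
"""

# Constructed sample: the same add-on with a bumped version and one extra <import>.
TROJANIZED_SIMPLEJSON = """<?xml version="1.0" encoding="UTF-8"?>
<addon id="script.module.simplejson" name="simplejson" version="3.4.1" provider-name="example">
  <requires>
    <import addon="xbmc.python" version="2.1.0"/>
    <import addon="script.module.python.requests" version="2.16.0"/>
  </requires>
  <extension point="xbmc.python.module" library="lib"/>
</addon>
"""

# Constructed sample: the dropped module as it would sit in the addons tree.
SUSPECT_MODULE = """<?xml version="1.0" encoding="UTF-8"?>
<addon id="script.module.python.requests" name="requests" version="2.16.0" provider-name="unknown">
  <requires>
    <import addon="xbmc.python" version="2.1.0"/>
  </requires>
  <extension point="xbmc.python.module" library="lib"/>
</addon>
"""


def parse_addon(xml_text):
    """Return (id, version, {required_addon: minimum_version}) from an addon.xml body."""
    root = ET.fromstring(xml_text)
    imports = {imp.get("addon"): imp.get("version") for imp in root.iter("import")}
    return root.get("id"), root.get("version"), imports


def added_imports(old_xml, new_xml):
    """Requirements present in new_xml but absent from old_xml: the trojan's only change."""
    _, _, old = parse_addon(old_xml)
    _, _, new = parse_addon(new_xml)
    return {addon: ver for addon, ver in new.items() if addon not in old}


def version_key(version):
    """Dotted version string -> tuple of ints, so '3.10.0' sorts above '3.9.0'."""
    return tuple(int(part) for part in version.split("."))


def update_accepted(installed_version, offered_version):
    """Model of the weak check described in the article: a higher version wins, whoever offers it."""
    return version_key(offered_version) > version_key(installed_version)


def scan_addons_dir(addons_dir):
    """Walk <kodi>/addons and report the suspect module and any add-on that requires it."""
    findings = []
    for entry in sorted(os.listdir(addons_dir)):
        path = os.path.join(addons_dir, entry, "addon.xml")
        if not os.path.isfile(path):
            continue
        with open(path, encoding="utf-8") as fh:
            addon_id, version, imports = parse_addon(fh.read())
        if addon_id == SUSPECT_ADDON_ID:
            findings.append((addon_id, version, "suspect module is installed"))
        if SUSPECT_ADDON_ID in imports:
            findings.append((addon_id, version,
                             "requires %s >= %s" % (SUSPECT_ADDON_ID, imports[SUSPECT_ADDON_ID])))
    return findings


def build_sample_tree():
    """Write the constructed addon.xml files into a throwaway addons directory."""
    root = tempfile.mkdtemp(prefix="kodi-addons-")
    for addon_id, body in (("script.module.simplejson", TROJANIZED_SIMPLEJSON),
                           ("script.module.python.requests", SUSPECT_MODULE)):
        os.makedirs(os.path.join(root, addon_id))
        with open(os.path.join(root, addon_id, "addon.xml"), "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    print("requirement added by the trojan:", added_imports(LEGIT_SIMPLEJSON, TROJANIZED_SIMPLEJSON))
    print("3.4.1 accepted over 3.3.0:", update_accepted("3.3.0", "3.4.1"))
    for finding in scan_addons_dir(build_sample_tree()):
        print("FLAG %s %s: %s" % finding)
```

To check a real installation, point scan_addons_dir at your Kodi addons folder instead of the constructed tree. Absence of findings is not proof of a clean machine (the miner is installed outside the addons tree and the downloader removes itself), so treat the scan as a complement to an anti-malware scan, not a replacement.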

Conclusion:

Although the well-known repositories that spread the malicious add-on have been closed or cleaned, that does not mean the add-on or the malware itself has reached the end of its life: the researchers say both are still under development. This operation has also revealed a weakness in Kodi's add-on update mechanism, and because Kodi is cross-platform the campaign could reach several operating systems; two of them, Linux and Windows, were actually targeted. Last but not least, to avoid becoming a victim, install add-ons only from the official repositories and run a reputable, well-known antivirus.
