Listening to music might leave you hacked.

Music Player is a daily used application for most of people around the world, with a various types and providers. One of the widely used music players is Kodi, an open source application that runs on multiple Operating Systems(cross-platform).
Recently security researchers discovered that Kodi users are more likely to be infected with a cryptocurrency mining malware; due to installing add-on from nonofficial repositories.
The add-on “script.module.simplejson” altered by cyber-criminals and uploaded to nonofficial repositories is still considered a legitimate add-on; due to inadequate verification system which only uses the version number to make the update.
Victims can end up running the cryptominer in one of three ways:
  1. Adding the malicious repository URL to Kodi and once they update their add-ons the malicious add-on is installed.
  2. Installing a pre-compiled Kodi package that already contains the malicious URL and once they update the add-ons it will be installed.
  3. Installing a pre-compiled Kodi package that already contains the add-on with no URL; this means that the add-on can’t get further updates but once the miner is installed it will persist and get updates.
According to ESET’s telemetry, the top five countries affected with this malware are:
  1. The United States
  2. Palestine Occupied Territories 
  3. The United Kingdom
  4. Greece
  5. Netherlands

How it works:

  1. Once the victims add the malicious repository to their Kodi installation, the repository serves an add-on called “script.module.simplejson” to replace a legitimate add-on used by many other add-ons.
  2. As mentioned above the update verification system is inadequate because it only checks the version number the malicious repositories provide the malicious add-on with a higher version number.
  3. The only modification is in the metadata, an additional requirement line in addon.xml file:
    <import addon="script.module.python.requests" version="2.16.0" >
    which tells Kodi to download and install the add-on “script.module.python.requests”, version 2.16.0 or higher, which can be only provided by the malicious repository.
  4. That module is actually a python code to download the appropriate downloader binary module, which takes the part of downloading and installing the cryptominer on the device and executes the self-removal routine If the installation of the cryptominer is successful.

The configuration for the cryptominer is as follows:
Am I infected?
You can use any anti-malware to scan your PC to find out if your PC has been infected or not.


Although the well known repositories that spread the malicious add-on has been closed or cleaned, it doesn’t mean that the add-on or the malware itself has reached the end of its life. The security researchers say that the add-on and the malware are still under development. Also this operation has revealed a weakness in the way Kodi was developed in, since Kodi is a cross-platform application it exposed multiple systems to vulnerabilities and two of them were targeted(Linux and Windows). Last but not least, to protect yourself from being a victim, use the official repositories and a good well-known antivirus.

Post a Comment