The criminal act of secretly stealing a target’s computing power to mine cryptocurrency isn’t quite as en vogue today as it was a year ago — due in part to cryptocurrency’s conspicuous downward turn in price, the practice isn’t wildly profitable — but the illegal practice carries on.
Researchers at Slovakian cybersecurity firm ESET discovered that add-ons for the popular open source media player Kodi were part of a cryptojacking campaign extending back to at least December 2017.
The malware was also added to the popular Bubbles and Gaia add-on repositories. As users updated their repositories, the malware continued to spread across the ecosystem.
“It is the second publicly known case of malware being distributed at scale via Kodi add-ons, and the first publicly known cryptomining campaign launched via the Kodi platform,” researcher Kaspars Osis wrote.
The Kodi platform also allows people to connect to different repositories, which offer app-like “add-ons” where users can stream all kinds of content, from TV to movies to other online media.
XvBMC was a popular repository for third-party Kodi add-ons until it was closed in August over a copyright fight. It was also, Osis discovered, at the heart of a cryptojacking campaign targeting Linux and Windows users in which users unknowingly mined the cryptocurrency Monero and sent the proceeds to an unknown beneficiary. There was no malware found targeting Android or macOS devices.
The campaign yielded 62.57 XMR, which is equivalent to at least $7,100 USD at Sept. 14 prices. Monero is currently worth $113 per coin, about one-fifth of its top price in January 2018.
The cryptojacking campaign is one of the few known instances in which repositories or add-ons have been used maliciously. In February 2017, a popular add-on pulled machines into a botnet that was used for DDoS attacks.