Kodi Add-ons Launch Cryptomining Campaign
(Sep 13, 2018)
A repository for third-party add-ons for the open-source “Kodi” media player software, called “XvBMC,” was found to be part of a cryptomining campaign dating back to December 2017. The repository, which was shut down in August 2018, was likely inadvertently distributing add-ons that contained cryptomining malware that mined the “Monero” cryptocurrency. Kodi users were infected with the cryptomining malware either by adding the URL of a malicious repository to download add-ons, or by installing a version of Kodi that had a malicious repository already installed. The top five countries affected by this cryptomining campaign, from most to least, are the U.S., Israel, Greece, the U.K., and the Netherlands.
Recommendation: Any free software should be reviewed carefully prior to download with regard to the permissions it will request upon installation. In addition, this story shows the potential risk in using third-party stores for additional content. Free software in third-party stores carries more risk of malicious activity because such software may not have a team dedicated to keeping it updated to address vulnerabilities and fix bugs.
Indicators of Compromise (IOCs) associated with this story can be viewed by ThreatStream users here to identify potential malicious activity.