Kodi add-ons used to distribute currency miners


Users of the Kodi media center may already know that the Netherlands-based repository for third-party add-ons, XvBMC, was recently shut down due to copyright violations.

Researchers at security company ESET have discovered that the repository was also part of a malicious cryptomining campaign dating back to December 2017. This is the second instance of Kodi being used for cryptojacking this year.

"According to our research, the malware we found in the XvBMC repository was first added to the popular third-party add-on repositories Bubbles and Gaia (a fork of Bubbles), in December 2017 and January 2018, respectively," says ESET's Kaspars Osis, writing on the WeLiveSecurity blog. "From these two sources, and through update routines of unsuspecting owners of other third-party add-on repositories and ready-made Kodi builds, the malware spread further across the Kodi ecosystem."

The malware has a multi-stage architecture and employs obfuscation measures to ensure that its final payload can't be easily traced back to the malicious add-on. Interestingly, the cryptominer runs on Windows and Linux systems and mines the cryptocurrency Monero.

The top five countries affected by the threat, according to ESET's telemetry, are the United States, Israel, Greece, the United Kingdom and the Netherlands, which is not surprising as all these countries are found on the list of 'top traffic countries' for Kodi add-ons.

You can find out more, including full details of how the malware works, on ESET's WeLiveSecurity blog.


© 1998-2025 BetaNews, Inc. All Rights Reserved.