Run Kodi? You Might Be Infected with Coin-Mining Malware


I've told you how to install Kodi, but I've never been tempted to use it myself. Kodi has legitimate uses as a media server, but it's also a great way to, um, "borrow" video content you're supposed to pay for.


Kodi is also a security risk, as a newly uncovered malware campaign shows. If you installed certain Kodi add-ons between December 2017 and August 2018, there's a good chance your Windows or Linux PC was infected with malware that uses CPU cycles to mine cryptocurrency.

On the upside, the malware should be easy to get rid of with regular antivirus software. Of course, if you're already running Kodi, you probably don't want to pay for that either.


This information comes from WeLiveSecurity, a blog run by Bratislava, Slovakia-based security firm ESET. The company sensed something was afoot in August when XvBMC, a Dutch Kodi add-on site, was shut down for infringing copyrights. ESET dug into the add-ons XvBMC hosted and found that at least two of them exposed users to a potentially nasty coin-mining operation.

The coin-mining software came via two other add-on repositories, Bubbles and Gaia. If you installed either one of these repositories in the past year or so, check your system for malware.

Even though the versions of Bubbles and Gaia corrupted with the malware are long gone, the malware itself is still doing just fine. ESET estimates at least 4,774 systems have the mining software up and running at present. The malware has generated 62.57 Monero, about €5,700 or $6,700 at current rates — a pretty nice little sum for taking advantage of trusting videophiles.

How to clean your system

ESET claims that any "reliable anti-malware solution" should be able to get rid of the malware. Naturally, this includes ESET's own line of software — it even has a home Linux scanner.

But you might want to consider going one step further by removing Kodi altogether with a comprehensive uninstaller program (such as Revo Uninstaller), then reinstalling Kodi from scratch, just to make sure any infections are gone for good.

How the infection works

If you're curious how the malware got into a Kodi add-on, it's actually rather clever, which may explain why it took nearly a year for anyone to notice. The crooks behind the scam modified legitimate versions of Bubbles and Gaia with a malicious Python script.

This script itself doesn't download any software, which is part of the reason it's so hard to detect. Instead, it modifies Kodi's auto-update feature, which is enabled by default on most systems. The auto-updater downloads another Python script, which determines whether Kodi is running on a Windows or Linux system. That script downloads the appropriate coin-mining software and then deletes itself, leaving Kodi free to run as normal.

It's important to remember that Bubbles and Gaia are not inherently dangerous. However, there are still an awful lot of mirrors for the two add-ons that contain the malware. If you do choose to select Bubbles and Gaia when you reinstall Kodi, make sure you're getting them from a reliable source. (Granted, because XvBMC turned out to be unreliable, other major sites may be compromised as well.)
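Because the infection arrives through the auto-updater, it helps to see which repositories a Kodi install will accept updates from. The script below is an added example, not code from ESET or from this article: it reads each add-on's addon.xml, lists the update URLs of repository add-ons, and flags any whose id, name or URL mentions the names in this story. The default install paths, the addon.xml repository layout and the sample manifest are assumptions, and the sample is constructed.

```python
import os
import sys
import xml.etree.ElementTree as ET
from pathlib import Path

# Names from the article; a match is a prompt to review, not proof of infection.
WATCHLIST = ("bubbles", "gaia", "xvbmc")
# Constructed sample manifest (hypothetical id and URLs, not a real repository).
SAMPLE = """<addon id="repository.example.gaia" name="Gaia Repo (sample)" version="1.0.0">
  <extension point="xbmc.addon.repository">
    <info>https://mirror.example/addons.xml</info>
    <datadir zip="true">https://mirror.example/zips/</datadir>
  </extension>
</addon>"""

def default_addons_dir():  # per-user add-ons folder of a default install (assumption)
    if sys.platform.startswith("win"):
        return Path(os.environ.get("APPDATA", "")) / "Kodi" / "addons"
    return Path.home() / ".kodi" / "addons"

def audit_addon(xml_data):
    """Summarise one addon.xml: id, name, update URLs, watchlist hit."""
    root = ET.fromstring(xml_data)
    urls = []
    for ext in root.iter("extension"):
        if ext.get("point") == "xbmc.addon.repository":
            # <info> and <datadir> are the URLs the auto-updater pulls from.
            for tag in ("info", "datadir"):
                urls += [e.text.strip() for e in ext.iter(tag) if e.text]
    ident, name = root.get("id", ""), root.get("name", "")
    haystack = " ".join([ident, name] + urls).lower()
    return {"id": ident, "name": name, "update_urls": urls,
            "flagged": any(w in haystack for w in WATCHLIST)}

def audit_dir(addons_dir):
    """Audit every add-on folder; an unreadable manifest is flagged, not skipped."""
    results = []
    for manifest in sorted(Path(addons_dir).glob("*/addon.xml")):
        try:
            results.append(audit_addon(manifest.read_bytes()))
        except ET.ParseError:
            results.append({"id": manifest.parent.name, "name": "?",
                            "update_urls": [], "flagged": True})
    return results

if __name__ == "__main__":
    for r in audit_dir(default_addons_dir()):
        if r["flagged"] or r["update_urls"]:
            print("REVIEW" if r["flagged"] else "repo", r["id"], *r["update_urls"])
```

A clean result only means no repository with those names is installed now. It says nothing about a miner that was already dropped, so the antivirus scan described above still applies.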

You get what you pay for

Kodi is a versatile and interesting program that lets you do a lot more than most standalone streaming services. But it's also riskier to use. If infections of Kodi-modified devices like the Fire TV and the Apple TV have taught us anything, it's that compromising Kodi — and thousands of Kodi users — is not very difficult.

As an alternative, you could always set up a Plex server and pay for a Netflix subscription. It's a little bougie, I grant you, but it'll also keep your computer pretty safe.