The Kodi open-source media player has been modified with a malicious script that downloads crypto-mining software on Windows and Linux-based distributions. The operation may have been running since December 2017, using a ‘script.module.simplejson’ add-on hosted by the Bubbles Repository.
According to research conducted by ESET, the Kodi add-ons are available from multiple repositories. The XvBMC repository was shut down recently due to copyright infringement; however, many repositories are offering the same tampered file.
Many nations are affected by these add-ons, including the United States, Israel, Greece and the United Kingdom, although the Netherlands appears to have been the most affected. ‘script.module.simplejson’ is the name of a legitimate Kodi add-on; bad actors took advantage of the Kodi update system by releasing the add-on with a higher version number. The tampered add-on contains injected Python code that executes the crypto miner. Once the malware has been successfully installed, the Python code that installed it deletes itself.
“The code is clearly written by a developer with a good knowledge of Kodi and its add-on architecture. The script identifies which OS it is running on (only Windows and Linux are supported, Android and macOS ignored), connects to its C&C server, and fetches and executes an OS-appropriate binary downloader module,” the researchers noted.
ESET believes that users who use third-party repositories with Kodi have a higher chance of being compromised by the malware.
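One way to check an installation for the version-number trick described above, as an added example that is not from ESET or the Kodi project: it reads the `id` and `version` attributes of each add-on's `addon.xml` and flags any add-on whose installed version is higher than the one recorded from a repository you trust. The sample manifests, version numbers and baseline are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample addon.xml contents (version numbers are made up).
SAMPLE_ADDONS = [
    '<addon id="script.module.simplejson" version="9.9.9" name="simplejson" provider-name="unknown"/>',
    '<addon id="script.module.requests" version="2.0.0" name="requests" provider-name="example"/>',
    '<addon id="plugin.video.example" version="1.2.3" name="Example" provider-name="example"/>',
]

# Hypothetical baseline: versions recorded from a repository you trust.
TRUSTED_BASELINE = {
    "script.module.simplejson": "3.0.0",
    "script.module.requests": "2.0.0",
}

def parse_addon(xml_text):
    """Return (add-on id, version) from the root <addon> element of an addon.xml."""
    root = ET.fromstring(xml_text)
    if root.tag != "addon":
        raise ValueError("not an addon.xml document")
    return root.attrib["id"], root.attrib["version"]

def version_key(version):
    """Simplified comparison key: numeric components only, '3.4.0' -> (3, 4, 0)."""
    return tuple(int(n) for n in re.findall(r"\d+", version))

def audit(addon_xmls, baseline):
    """Flag add-ons newer than the trusted baseline, or missing from it."""
    findings = []
    for xml_text in addon_xmls:
        addon_id, installed = parse_addon(xml_text)
        trusted = baseline.get(addon_id)
        if trusted is None:
            findings.append((addon_id, installed, None, "no-baseline"))
        elif version_key(installed) > version_key(trusted):
            findings.append((addon_id, installed, trusted, "newer-than-trusted"))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_ADDONS, TRUSTED_BASELINE):
        print(finding)
```

A "newer-than-trusted" result only means the installed copy did not come from the baseline repository at that version; it is a prompt to inspect the add-on's files, not proof of tampering.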