Jump to content
New Members Read more... ×
Sign in to follow this  

Kodi Addons Linked to Malicious Cryptomining Campaign

Recommended Posts


XvBMC-NL, a Kodi addon repository recently shut down by BREIN, has been implicated in the spread of a malicious cryptocurrency miner. A report from security firm ESET says that the repo was probably unwittingly involved after the malware spread from third-party add-on repositories Bubbles and Gaia. Windows and Linux-based Kodi users are affected.

kodi-1.pngLast month it was reported that a Netherlands-based repository, which contained several popular Kodi addons, had been shut down by anti-piracy group BREIN.

The Dutch developer and administrator of XvBMC-NL was visited by bailiffs in July and soon after the repository shut down. BREIN offered to settle the matter for 2,500 euros as long as the admin known as ‘Z’ signed an abstention agreement.

Months earlier, however, the XvBMC-NL repo was an unwitting participant in a campaign to infect Kodi users with cryptocurrency-mining malware, security firm ESET reports.

“According to our research, the malware we found in the XvBMC repository was first added to the popular third-party add-on repositories Bubbles and Gaia (a fork of Bubbles), in December 2017 and January 2018, respectively,” ESET writes.

“From these two sources, and through update routines of unsuspecting owners of other third-party add-on repositories and ready-made Kodi builds, the malware spread further across the Kodi ecosystem.”

ESET reports that the malware has a multi-stage architecture and uses techniques to hide the fact that the cryptominer came from a malicious addon. The miner, which is Monero-based, runs on Windows and Linux only, a relief to Android and macOS users who appear to be unaffected.

The three potential infection routes appear to be fairly cunning, ESET notes.

1. [Users] add the URL of a malicious repository to their Kodi installation so as to download some add-ons. The malicious add-on is then installed whenever they update their Kodi add-ons.

2. [Users] install a ready-made Kodi build that includes the URL of a malicious repository. The malicious add-on is then installed whenever they update their Kodi add-ons.

3. [Users] install a ready-made Kodi build that contains a malicious add-on but no link to a repository for updates. They are initially compromised, though receive no further updates to the malicious add-on. However, if the cryptominer is installed, it will persist and receive updates.

Further analysis by ESET shows that the top five countries affected by the threat are the United States, Israel, Greece, the United Kingdom and the Netherlands.

With the Bubbles repo now down, that is no longer a source for the malware. Gaia, ESET reports, is no longer serving the malicious code either. However, Kodi users who were infected could still have the malware on their machines and there’s a risk that other repos and Kodi builds could be distributing the code, “most likely” without their knowledge.


Timeline of the attack, as per ESETTimeline_edit-1024x800-e1536859834156.pn


A very detailed technical analysis of the attack has been published by ESET along with instructions on how users can discover if they’re affected.

“To check if your device has been compromised, scan it with a reliable anti-malware solution. ESET products detect and block these threats as Win64/CoinMiner.II and Win64/CoinMiner.MK on Windows and Linux/CoinMiner.BC, Linux/CoinMiner.BJ, Linux/CoinMiner.BK, and Linux/CoinMiner.CU on Linux,” the company reports.

“On Windows you can use the ESET Free Online Scanner, and on Linux the free trial of ESET NOD32 Antivirus for Linux Desktop, to check your computer for the presence of these threats and remove anything that is detected. Existing ESET customers are protected automatically.”

While the attack is undoubtedly serious, at the time of writing its reach appears to be limited. By examing the malware authors’ Monero wallet, ESET estimates that a minimum of 4,774 users are infected. Between them they have unwittingly generated around 5,700 euros or $6,700 for the attackers.

As ESET notes, Kodi malware is very rare. Aside from the case detailed above and the DDoS attack carried out briefly by an addon and reported here on TF, no other evidence of malware being distributed via Kodi addons has been reported.



Share this post

Link to post
Share on other sites

Eset may of found it but I told every one about this months ago and there software failed to find or remove the infected addon it only removed the cryptocurrency-mining malware  so they was no help and this infected addon is not  in any repo i know of as the opening post  explains it was removed  and the other repos that had it closed down.  But it really happened because i posted about it on here before.It took them  long enough to tell us what addon caused it and i bet there still a lot of boxes still infected were they never do a clean install of kodi  like i do from time to time. It was in the wild since 2017.  But i never used Bubbles i  spotted it from the repo were they removed it in april. 2018. They only one that may had meant to do it was bubbles  but the rest of therm got it from him and didn't know, but i don't know if bubbles made the addon  or did he get it from another repo.  :towel:


Here is the original post



Gaia is a fork of Bubbles  , They dont have the same dev, the reason they got infected is when they forked it they moved all his addons into too there repo, they removed that infected addon in April when they deleted the repo  when they were having problems with  Github . When they fixed it they added the clean version of the addon from kodi.tv  instead of the one from bubbles repo that was infected..


But the way it looks like  it was Bubbles who done it , who is is long gone now and he was always a very anonymous dev anyway he never fooled around with Social Media or it may of been some hacker acting like bubbles that hijacked his repo  and done it and acted like bubbles  on the last update because the addons or the repo  had not updated in a long time and then it did and then it shut down..But we will never really know I guess.

Edited by steven36

Share this post

Link to post
Share on other sites

Wonder what the ratio is of websites that mine client side through javascript without consent vs those that don't yet?


The hood may never know....

Share this post

Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
Sign in to follow this  

  • Recently Browsing   0 members

    No registered users viewing this page.