UPDATED 22:13 EDT / SEPTEMBER 13 2018

Kodi add-ons found to contain Windows and Linux cryptomining malware

Add-ons for open-source media player Kodi have been found bundled with cryptomining malware that targets Windows and Linux users, according to details of a soon-to-be-published report.

ZDNet, referencing a report from security firm ESET spol s r.o., said analysts have found at least three popular repositories of Kodi add-ons spreading a malware strain that secretly mined cryptocurrency on users’ computers.

Kodi, previously known as XBMC, while completely legal to use, has surged in popularity thanks to add-ons that give users access to pirated content, including illegal streamed video and live TV services such as pay-per-view fights.

The cryptomining code was found in add-ons offered via three add-on repositories — Bubbles, Gaia, and XvBMC — although the report noted that all three are currently offline due to copyright infringement complaints.

The researchers estimated that so far, those behind the campaign have infected over 4,700 Kodi installations and generated more than 62 Monero coins, worth nearly $7,000. They noted that “there is no reliable way of knowing if a user of those three add-on repositories has been infected.”

Targeting only Windows and Linux does look odd, given that the majority of Kodi users run the plugins on so-called “Kodi Boxes” that run Android.

Rod Soto, director of security research at JASK Inc., told SiliconANGLE that “this is an interesting attack vector as the Kodi media player is usually present across many platforms – from computers to other IoT devices.”

In addition, Soto noted that “those using the software don’t usually check the code and simply download attractive add-ons, such as ones that give users access to TV channels not available from mainstream providers – making them widely used. This campaign is another example of how criminals constantly find creative ways of embedding malicious payloads for cryptomining purposes.”

Nadav Avital, threat research manager at Imperva Inc., expanded on that theme, noting that cybercriminals are constantly looking to expand their targets to make more money.

“In the past, we’ve seen rogue cryptominer malware infecting browsers, databases, management systems, cache systems and more,” Avital said. “Thus, it is not surprising that cybercriminals are targeting yet another platform.”
