We have some shocking and alarming news! Just yesterday, a group of security researchers called ESET exposed the developers behind the popular Gaia addon for having distributed cryptojacking malware that has affected certain Kodi users since December 2017.
Cryptojacking is a new form of virus through which infected devices are used to mine the privacy oriented cryptocurrency known as Monero. It has given hackers and script kiddies the ability to earn money from security breaches that would otherwise not necessarily earn them money.
The story is not particularly clear, but nothing ever is. It all started in December 2017 when an addon called Bubbles pushed an update which automatically installed the Monero mining malware to devices running Windows and Linux.
About a month later, the Bubbles addon shut down abruptly, informing users that a new project called Gaia would be taking over the codebase. Gaia continued spreading malware for about four months. They even continued pushing updates to the malware itself during that time.
Suddenly in April 2018, the developers deleted their original repository, only to recreate it minutes later with the same name and update address. Since GitHub tracks all code updates, deleting their repo and recreating it appears to have been an attempt to cover their tracks.
After recreating their repository, they pushed another update to finally remove the malware installation code from the Kodi addon itself. However, the cryptojacking malware was not removed from devices that had already been infected, and continues to run to this day.
They’re now making up excuses after having been exposed across some of the most respected tech news web sites including TorrentFreak, ZDNet and Tom’s Guide. The Gaia developers are claiming that they were not the developers of the Bubbles addon, and that when they forked the code, they did so without realizing it contained malware.
While Gaia’s excuses might convince less experienced Kodi users, it’s not fooling senior developers who bring up several very convincing arguments against them…
- If the malware was simply forked without them being aware, why did they continue to push updates to the malware itself over several months time?
- If they didn’t know about the malware, why did they suddenly remove it and delete their GitHub repository in order to make evidence of code changes disappear?
- If they are innocent as they claim, why didn’t they disclose the security breach to their users who had been infected, rather than cover it up almost six months?
- Gaia is based on Bubbles code, which is very bulky, inefficient and difficult to work upon. It’s unlikely that anyone other than the original developer would be able to continue working upon it the way they have.
Furthermore, it was only several weeks ago that we exposed the Gaia developers for having breached the privacy of their users by tricking them into turning their users devices into industrial scrapers for their paid service known as Orion.
For the record, users of Orion have overwhelmingly reviewed it as being a garbage waste of money. It just goes to show how little these developers care about the Kodi community we worked so hard to build, and how they only really care about profiting from it. Find a timeline of events, followed by removal instructions below…
Check If You’ve Been Infected
Only users running Windows and Linux need to worry. If you’re using another operating system such as Android, Mac, or iOS you can ignore this as you are not at risk.
Step 1: Click on the little settings cogwheel at the top left corner of your Kodi screen.
Step 2: Navigate to the System settings icon.
Step 3: At the bottom of the vertical menu bar, change the settings level to Advanced. It should display Standard by default.
Step 4: Select the Add-ons tab from the vertical menu bar.
Step 5: Click on the Manage dependencies function.
Step 6: Scroll down to the simplejson dependency towards the bottom of the listing.
Step 7: Take note of the version number at the far right of the row, if you have version 3.4.1 then you’ve likely been infected. However, version 3.4.0 is clean and virus free.
Cleaning Up the Infection
Preventing Future Threats
- Avoid “Kodi Builds”
- Run No-Coin for Kodi Regularly
- Install the Indigo Tool
- Follow us on Twitter
- Install a Good Antivirus
If we hear anything else, we’ll let you know. We have always concerned user safety and privacy to be a top priority and will do everything to prevent this kind of thing from happening anywhere in the Kodi ecosystem.