This week, the IT security firm Check Point Research (CPR) released a report saying it has uncovered crypto-mining malware hidden behind legitimate-looking apps, including Google Translate. These programs perform their advertised functions to gain users' trust while downloading malware in the background.
Researchers found the malware, from Turkish developer Nitrokod, on popular software download sites such as Softpedia and Uptodown, where its listing lent it an appearance of safety. The fraudulent programs include desktop versions of Google Translate, Yandex Translate, Microsoft Translator and YouTube Music, an mp3 downloader and auto-close apps.
Users who have downloaded any of these programs should uninstall them as soon as possible and use the official web-based or mobile versions instead. None of these services offer a legitimate desktop app, which is why Nitrokod's versions, appearing to be the only option, rank high in search results.
Nitrokod designs its malware to appear legitimate once installed. For example, the group's Google Translate app looks and works much like the official web page, because Nitrokod builds it by wrapping Google's pages in the Chromium Embedded Framework. These apps also don't start behaving suspiciously right away. Instead, they wait until the user has restarted the system at least four times over four days, which can take weeks depending on the user. Check Point says this delay helps the malware evade sandbox detection.
Afterwards, the malware removes traces of its installation, making it harder for users to identify the source of the suspicious activity. Nitrokod's software also checks for the presence of security software, and it won't start the mining program if it detects signs that it's running on a virtual machine, a precaution against analysis. Only after all these steps does the malware begin using the victim's computer to mine cryptocurrency.