
Fake Google App Mining Crypto From Windows PCs With Malware Since 2019 Detected

A fake Google app has been detected that hackers have been using since 2019 to infect thousands of Windows PCs across countries to mine crypto without the users’ permission


In a major cybersecurity breach unearthed recently, hackers have since 2019 used a fake Google Translate App to infect thousands of Windows PCs with malware to illegally mine crypto without the user’s permission.

This cryptojacking malware was created by a Turkish company called Nitrokod. It mines cryptocurrency using the host’s graphics processing unit (GPU) without the user’s permission, a process that uses a significant amount of power. It has reportedly infected thousands of Windows computers worldwide, according to a report by cybersecurity research firm Check Point Research.

“The malware is dropped from applications that are popular, but don’t have an actual desktop version, such as Google Translate, keeping the malware versions in demand and exclusive,” Check Point malware analyst Moshe Marelus wrote in a report on Monday.

How Are Users Affected?

After the user has installed the malware-infected application on the computer, the app installs the actual Google Translate and, using Chromium code, translates the Web page through the actual Google Translate program. This lets the hackers give their malware-infected programs real functionality. A scheduled update check is sent every time the system starts up.

Then, the hackers wait patiently for one month before installing the mining software, so that the user does not detect any unusual activity in power usage.

First, a post-installation message containing information about the infected machine is sent to the Nitrokod domain. Then, a scheduled update checker is installed, which checks with the Nitrokod domain every time the system starts up.

After the user has restarted the system four times, the fourth-stage dropper, chainlink1.07.exe, is extracted from another encrypted RAR file. This way, the hacker avoids the sandbox detection done by antivirus software.

Then, the stage 4 dropper is responsible for creating four tasks. The first one is to install Dropper 5, which checks the system for certain security firewalls. If it detects the firewalls are up, it informs the hackers’ servers.

Then, all the incoming files are dropped in a temporary folder, and that temporary folder is excluded from Windows Defender activity. Finally, the mining malware is dropped in the temporary folder, where it mines crypto without the users’ permission. This program is named powermanager.exe.
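The chain described above leaves three things a defender can look for: a Windows Defender exclusion on a temporary folder, a task that runs at startup from such a folder, and the two file names given in this article. The sketch below is an added example, not code from Check Point's report; it triages a host inventory that has already been exported, and the inventory layout, folder paths and task names are constructed assumptions.

```python
import ntpath

# File names reported in the article; every path and host record below is constructed.
REPORTED_NAMES = {"chainlink1.07.exe", "powermanager.exe"}
TEMP_MARKERS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\")

def norm(path):
    """Lower-case a Windows path and drop any trailing backslash."""
    return path.lower().replace("/", "\\").rstrip("\\")

def in_temp(path):
    """True if the path is, or lies under, a common Windows temp folder."""
    return any(m in norm(path) + "\\" for m in TEMP_MARKERS)

def triage(host):
    """Return sorted (severity, finding) tuples for one host inventory dict."""
    findings = set()
    exclusions = [norm(e) for e in host.get("defender_exclusions", [])]
    for e in exclusions:
        if in_temp(e):
            findings.add(("medium", f"Defender exclusion covers a temp folder: {e}"))
    for task in host.get("scheduled_tasks", []):
        exe = norm(task["execute"])
        if ntpath.basename(exe) in REPORTED_NAMES:
            findings.add(("high", f"task '{task['name']}' runs reported file name: {exe}"))
        if any(exe.startswith(e + "\\") for e in exclusions):
            findings.add(("high", f"task '{task['name']}' runs from a Defender-excluded folder: {exe}"))
        elif in_temp(exe) and task.get("trigger") == "startup":
            findings.add(("medium", f"startup task '{task['name']}' runs from a temp folder: {exe}"))
    return sorted(findings)

# Constructed inventories (hypothetical layout: exclusion paths plus scheduled tasks).
SUSPECT = {
    "defender_exclusions": ["C:\\Users\\alice\\AppData\\Local\\Temp\\"],
    "scheduled_tasks": [
        {"name": "UpdateCheck", "trigger": "startup",
         "execute": "C:\\Users\\alice\\AppData\\Local\\Temp\\x\\powermanager.exe"},
    ],
}
CLEAN = {
    "defender_exclusions": ["D:\\BuildCache"],
    "scheduled_tasks": [
        {"name": "Backup", "trigger": "daily", "execute": "C:\\Program Files\\Backup\\bk.exe"},
    ],
}

if __name__ == "__main__":
    for label, host in (("suspect", SUSPECT), ("clean", CLEAN)):
        for severity, finding in triage(host):
            print(label, severity, finding)
```

A file name match alone is weak evidence because names are trivial to change; the exclusion and startup-task correlation is the more durable signal.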

Affected Users

The victims are primarily located in the United Kingdom, the United States, Sri Lanka, Greece, Israel, Germany, Turkey, Cyprus, Australia, Mongolia, and Poland.

The Trojan campaign involves disseminating malware using free programmes available on well-known Websites like Softpedia and Uptodown, the report further said. 

“Using an interesting strategy, the malware delays execution for weeks while keeping its dangerous behaviour distinct from the downloaded false software. With the help of download websites like Softpedia, Nitrokod has been effective in getting its infected code out there,” the report said. 

Incidentally, the Nitrokod Google Translator programme has been downloaded over 112,000 times, since December 2019, according to Softpedia.

In addition to Google Translate, Nitrokod also uses MP3 downloading apps and other translation software, such as Microsoft Translator Desktop. On certain websites, the rogue software is claimed to be 100 per cent clean, while in reality it contains mining malware.