A fake Google Translate desktop app installed a crypto miner on over 100,000 PCs.
For more than three years, cryptocurrency mining malware has been spreading by impersonating legitimate programs such as Google Translate.
Mining Monero
In a report published Monday, Check Point Research (CPR) revealed that a cryptocurrency mining campaign has infected more than a hundred thousand computers. Its purpose is to mine the cryptocurrency Monero (XMR).
Concretely, the malware reaches PCs through counterfeit desktop versions of popular applications, for example YouTube Music, Google Translate or Microsoft Translate.
The first infection dates back to 2019, and the malware has managed to operate in the shadows for several years. Its design delays installation of the actual mining component for several weeks after the initial download: the installation runs in several stages, each one triggered by a restart of the PC. The whole process spans several weeks, and the machine only fetches the encrypted file containing the miner about 15 days after the initial download. A victim who inspects the freshly installed program therefore sees nothing suspicious, and sandboxes that run a sample for a few minutes never reach the mining stage.
According to CPR, the success of this campaign is linked to its listing on popular software download sites such as Softpedia and Uptodown. These sites carried the counterfeits under the publisher name Nitrokod INC, and some even labelled the software as "safe", a label meant to reassure users. As an illustration, the fake desktop version of Google Translate on Softpedia had nearly a thousand reviews and an average rating of 9.3 out of 10, even though Google does not publish an official desktop version of this program.
Removing the malware
In all, the malware infected more than 100,000 computers across 11 countries. To clean an infected machine, the report gives the following steps:
- Delete the following files in System32: any file whose name starts with chainlink, plus nniawsoykfo.exe and powermanager.exe
- Delete the update mechanism: remove the C:\ProgramData\Nitrokod folder
- Delete the malicious scheduled tasks: InstallService\1, InstallService\2, InstallService\3 and InstallService\4
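The three steps above can be scripted so that an administrator first audits a machine for the listed artifacts and then removes them in one pass. The script below is an added example written for this article; it is not a Check Point tool and it only uses the file names, folder and task names quoted from the report. Two details go beyond the report's list and are labelled as such in the comments: any process still running from one of the listed files is stopped first (otherwise the delete fails), and the script should be run before the next reboot, since each stage of the installer is launched at restart. Run it from an elevated PowerShell; without -Remove it only reports what it finds.

```powershell
# Added example (not from the article or the CPR report): audit and clean up the
# Nitrokod artifacts listed in the report. Audit-only by default; -Remove deletes.
[CmdletBinding()]
param(
    [switch]$Remove
)

# Locations exactly as given in the report.
$System32    = Join-Path $env:SystemRoot 'System32'
$NitrokodDir = 'C:\ProgramData\Nitrokod'
$TaskPath    = '\InstallService\'          # tasks InstallService\1 .. \4
$TaskNames   = '1', '2', '3', '4'
$FilePatterns = 'chainlink*', 'nniawsoykfo.exe', 'powermanager.exe'

# Step 1: files in System32 (anything starting with "chainlink" plus the two droppers).
$files = @(foreach ($pattern in $FilePatterns) {
    Get-ChildItem -Path $System32 -Filter $pattern -File -ErrorAction SilentlyContinue
})

# Step 2: the updater folder.
$dirPresent = Test-Path -LiteralPath $NitrokodDir

# Step 3: the four scheduled tasks under \InstallService\.
$tasks = @(foreach ($name in $TaskNames) {
    Get-ScheduledTask -TaskPath $TaskPath -TaskName $name -ErrorAction SilentlyContinue
})

# Report what was found.
Write-Host "Files in System32 ($($files.Count)):"
$files | ForEach-Object { Write-Host "  $($_.FullName)" }
Write-Host "Folder $NitrokodDir present: $dirPresent"
Write-Host "Scheduled tasks under $TaskPath ($($tasks.Count)):"
$tasks | ForEach-Object { Write-Host "  $($_.TaskPath)$($_.TaskName)  state=$($_.State)" }

if (-not $Remove) {
    Write-Host "Audit only. Re-run with -Remove to delete the items above."
    return
}

# Added caveat, not in the report: a file that is still executing cannot be deleted,
# so stop any process whose image path is one of the listed files first.
$filePaths = $files | ForEach-Object { $_.FullName }
Get-Process -ErrorAction SilentlyContinue |
    Where-Object { $_.Path -and ($filePaths -contains $_.Path) } |
    ForEach-Object {
        Write-Host "Stopping process $($_.Id) ($($_.Path))"
        Stop-Process -Id $_.Id -Force -ErrorAction SilentlyContinue
    }

# Remove the tasks before anything else: the next reboot would otherwise trigger
# the next installer stage (the article notes each stage runs at restart).
foreach ($task in $tasks) {
    Write-Host "Removing task $($task.TaskPath)$($task.TaskName)"
    Unregister-ScheduledTask -TaskPath $task.TaskPath -TaskName $task.TaskName -Confirm:$false
}

foreach ($file in $files) {
    Write-Host "Deleting $($file.FullName)"
    Remove-Item -LiteralPath $file.FullName -Force
}

if ($dirPresent) {
    Write-Host "Deleting $NitrokodDir"
    Remove-Item -LiteralPath $NitrokodDir -Recurse -Force
}

Write-Host "Done. Re-run without -Remove to confirm nothing is left."
```

Run the audit on a machine that installed one of the counterfeit apps even if it shows no symptoms yet: because the miner is only dropped weeks after installation, the scheduled tasks and the Nitrokod folder can be present long before any CPU spike is visible.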