This week, IT security group Check Point Research (CPR) published a report on its discovery of a crypto mining malware campaign hiding behind legitimate-looking apps, including a desktop Google Translate. The programs download malware while performing their advertised functions, which earns users' trust. Researchers traced the malware to Turkish developer Nitrokod and found it on popular software download sites such as Softpedia and Uptodown, which had marked it as safe. The fraudulent programs include desktop versions of Google Translate, Yandex Translate, Microsoft Translator, and YouTube Music, an mp3 downloader, and an auto-shutdown app. Users who downloaded any of these programs should uninstall them as soon as possible and use the official web-based or mobile versions instead. None of these services offer a legitimate desktop app, so Nitrokod's versions rank high in search results as the only desktop options on offer.
Nitrokod designed the malware to appear legitimate after installation. The group's Google Translate app, for example, looks and works like the official web page because Nitrokod built it by wrapping Google's page in the Chromium Embedded Framework. Furthermore, the apps don't start acting suspiciously right away. Instead, they wait until the user has restarted the system at least four times on four separate days, which can take weeks depending on the user. Check Point says this delay helps the malware avoid sandbox detection, since automated analysis rarely runs that long.

Afterward, the malware deletes traces of its installation, making it harder for users to determine the source of suspicious activity. Nitrokod's software also checks for the presence of security software, and it won't start the mining program if it detects signs that it is running on a virtual machine, a precaution against analysis by malware researchers. Only after all these steps does the malware begin using the victim's computer to mine cryptocurrency.

TechSpot and other tech news websites often host safe downloads of many helpful utilities, including the Android version of Google Translate. Searching those sections is a safer way to find apps without running into malware.
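The reboot-counting gate described above is worth modelling, because it explains both why a conventional sandbox run never sees the miner and what an analyst can do about it. The following Python is an added example, not code from the article or from Check Point's report: it parses a constructed boot log, applies the "at least four restarts on four separate days" condition the article reports, and contrasts a short sandbox run with a run that reboots the VM and advances its clock between reboots. The log format, the timestamps, and the helper names are all assumptions made for illustration.

```python
"""Model the dormancy gate the article describes: a dropper that stays quiet
until the machine has been restarted on N distinct days.  Everything below
except the threshold (four restarts on four separate days, as reported) is
constructed for illustration and is not real log data."""
from datetime import datetime, timedelta

REQUIRED_DISTINCT_DAYS = 4

# Constructed boot log: one "SYSTEM_START" record per boot, ISO timestamp first.
# Loosely modelled on an event-log "service started" record; not a real export.
USER_BOOT_LOG = """\
2022-07-01T08:02:11 SYSTEM_START
2022-07-01T19:40:03 SYSTEM_START
2022-07-04T08:15:27 SYSTEM_START
2022-07-11T07:58:44 SYSTEM_START
2022-07-12T08:01:09 SYSTEM_START
2022-07-19T09:12:50 SYSTEM_START
"""


def parse_boot_log(text):
    """Return the sorted list of boot datetimes found in a constructed log."""
    boots = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        stamp, label = line.split(None, 1)
        if label == "SYSTEM_START":
            boots.append(datetime.fromisoformat(stamp))
    return sorted(boots)


def activation_index(boots, required=REQUIRED_DISTINCT_DAYS):
    """Index of the boot at which the gate opens (enough distinct calendar
    days seen), or None if the condition is never met in this timeline."""
    days_seen = set()
    for i, boot in enumerate(boots):
        days_seen.add(boot.date())
        if len(days_seen) >= required:
            return i
    return None


def days_until_activation(boots, required=REQUIRED_DISTINCT_DAYS):
    """Whole days between the first boot and the activating boot, or None."""
    idx = activation_index(boots, required)
    if idx is None:
        return None
    return (boots[idx] - boots[0]).days


def sandbox_run(duration, reboots):
    """Boot timestamps a conventional sandbox produces: `reboots` restarts
    squeezed into `duration` of wall-clock time (constructed start time)."""
    start = datetime(2022, 7, 1, 12, 0, 0)
    if reboots == 0:
        return [start]
    step = duration / reboots
    return [start + step * k for k in range(reboots + 1)]


def sandbox_with_clock_skew(reboots, day_step=timedelta(days=1)):
    """Analyst counter-measure: reboot the VM and move its clock forward a day
    each time, so the distinct-days condition is met in minutes of real time."""
    start = datetime(2022, 7, 1, 12, 0, 0)
    return [start + day_step * k for k in range(reboots + 1)]


if __name__ == "__main__":
    user = parse_boot_log(USER_BOOT_LOG)
    print("real user: activates at boot", activation_index(user),
          "after", days_until_activation(user), "days")
    print("5-minute sandbox, 4 reboots:",
          activation_index(sandbox_run(timedelta(minutes=5), 4)))
    print("48-hour sandbox, 4 reboots:",
          activation_index(sandbox_run(timedelta(hours=48), 4)))
    print("sandbox with daily clock skew, 3 reboots:",
          activation_index(sandbox_with_clock_skew(3)))
```

The point the numbers make: the constructed user timeline opens the gate on the fifth boot, eleven days after installation, while a sandbox that reboots four times inside five minutes, or even inside two days, never reaches four distinct dates. Rebooting with the guest clock advanced a day per cycle reaches the condition after three reboots, which is the kind of detonation strategy needed for samples that key on calendar days rather than uptime.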