Sneaky fake Google Translate app installs crypto miner on 112,000 PCs

Published at: Sept. 1, 2022

Crypto mining malware has been sneakily invading hundreds of thousands of computers around the world since 2019, often masquerading as legitimate programs, such as Google Translate, new research has found. 

In an Aug. 29 report by Check Point Research (CPR), a research team for American-Israeli cybersecurity provider, Check Point Software Technologies, the malware has been flying under the radar for years, thanks partly to its insidious design which delays instaling the crypto mining malware for weeks after the initial software download.

.@_CPResearch_ detected a #crypto miner #malware campaign, which potentially infected thousands of machines worldwide. Dubbed ‘Nitrokod,” the attack was initially found by Check Point XDR. Get the details, here: https://t.co/MeaLP3nh97 #cryptocurrecy #TechnologyNews #CyberSec pic.twitter.com/ANoeI7FZ1O

— Check Point Software (@CheckPointSW) August 29, 2022

Linked to a Turkish-based-speaking software developer claiming to offer "free and safe software," the malware program invades PCs through counterfeit desktop versions of popular apps such as YouTube Music, Google Translate and Microsoft Translate.

Once a scheduled task mechanism triggers the malware installation process, it steadily goes through several steps over several days, ending with a stealth Monero (XMR) crypto mining operation being set up.

The cybersecurity firm said that the Turkish-based crypto miner dubbed ‘Nitrokod’ has infected machines across 11 countries.

According to CPR, popular software downloading sites like Softpedia and Uptodown had forgeries available under the publisher name "Nitrokod INC". 

Some of the programs had been downloaded hundreds of thousands of times, such as the fake desktop version of Google Translate on Softpedia, which even had nearly a thousand reviews, averaging a star score of 9.3 out of ten, despite Google not having an official desktop version for that program.

According to Check Point Software Technologies, offering a desktop version of apps is a key part of the scam.

Most programs offered by Nitrokod don't have a desktop version, making the counterfeit software appealing to users who think they've found a program unavailable anywhere else.

According to Maya Horowitz, VP of Research at Check Point Software, the malware riddled fakes are also available "by a simple web search".

"What's most interesting to me is the fact that the malicious software is so popular, yet went under the radar for so long."

As of writing, Nitrokod's imitation Google Translate Desktop program remains one of the main search results.

Design helps avoid detection

The malware is particularly tricky to detect, as even when a user launches the sham software, they remain none the wiser as the fake apps can also mimic the same functions that the legitimate app provides.

Most of the hacker's programs are easily built from the official web pages using a Chromium based framework, allowing them to spread functional programs loaded with malware without developing them from the ground up.

Related: 8 sneaky crypto scams on Twitter right now

So far, over one hundred thousand people across Israel, Germany, the U.K., America, Sri Lanka, Cyprus, Australia, Greece, Turkey, Mongolia, and Poland have all fallen prey to the malware.

To avoid getting scammed by this malware and others like it, Horowitz, says several basic security tips can help reduce the risk.

"Beware of lookalike domains, spelling errors in websites, and unfamiliar email senders. Only download software only from authorised, known publishers or vendors and ensure your endpoint security is up to date and provides comprehensive protection."

Tags
Related Posts
Dingo crypto token flagged as scam over 99% transaction fee backdoor
The research arm of cybersecurity software firm Check Point has flagged the Dingo Token (DINGO) as a “potential scam” after reportedly discovering a smart contract function that has been used to manipulate transaction fees. In a Feb. 3 blog post, Check Point Research (CPR) said it looked into the code behind the Dingo Smart Contract, discovering a backdoor function "setTaxFeePercent," which can change the contract's buy and sell fee up to 99%. This is despite the project’s whitepaper stating that there is only a 10% fee per transaction. According to CPR, this essentially allows the project’s owner to withdraw up …
Blockchain / Feb. 6, 2023
‘No more rug pulls’: Project eliminates human involvement from token distributions
“A Polkadot project with a difference” says it is restoring trust and simplicity to complex token ecosystems and eliminating the centralized distribution models that can render the power of blockchain technology useless. Polkalokr offers a multi-chain token escrow platform that can be integrated into existing DeFi protocols, ensuring that network participants have full control over how tokens are distributed and treasuries are managed. The project’s goal is to remove human reliance and bring trust to token economies through governance-as-a-service — all while delivering security, scalability and a user-friendly experience. Explaining why Polkalokr is needed, the developers behind this initiative said: …
Technology / April 6, 2021
Kraken to delist Monero for UK customers by the end of November
In an email quoted by Reddit users, Kraken, the world's eight largest cryptocurrency exchange by trading volume, announced it would be delisting privacy coin Monero (XMR) in compliance with regulations in the United Kingdom. The platform will cease all XMR trading activities, set XMR wallets to withdraw-only, and force-liquidate any existing XMR margin positions after the 26th of November. Through advanced cryptography, privacy coins like Monero obscure participants' public wallet addresses and payment amounts when their transactions appear on the blockchain, making it improbable, in the context of current technology, for forensic entities such as Chainalytics to digitally trace the …
Technology / Nov. 19, 2021
4% of crypto whales are criminals and they have $25B between them: Chainalysis
Chainalysis data shows that 4068 criminal whales (roughly 4% of all whales) are hodling more than $25 billion worth of cryptocurrency between them. The blockchain analytics firm defines criminal whales as any private wallet that holds more than $1 million worth of crypto with over 10% of the funds received from illicit addresses tied to activity such as scams, fraud and malware. The data is from the “Criminal Balances” section of the Crypto Crime Report that explores criminal activity on the blockchain over 2021 and early 2022. The wide-ranging report also covers topics such as Ransomware, Malware, Darknet markets and …
Blockchain / Feb. 17, 2022
Mastercard launches new crypto fraud protection tool
The financial service provider Mastercard will launch a new crypto service related to risk management on Tuesday Oct. 3. Mastercard’s new service, Crypto Secure, is aimed to help banks find and prevent fraud on crypto merchant platforms. Crypto Secure combines the usage of artificial intelligence, blockchain data and public records of crypto transactions, along with other sources, to determine crime-related risks of crypto exchanges within the Mastercard network. Mastercard already has a similar service with fiat currency transactions available to banks. The president of cyber and intelligence business for Mastercard, Ajay Bhalla, said this development helps its partners stay compliant …
Adoption / Oct. 4, 2022