Spoofed Google Translate App Sneakily Installs Monero Mining Malware on Over 1 Lakh PCs

A crypto mining malware, disguised as a Google Translate app, has come to light recently for having forayed into thousands of computers. As per a study by Check Point Research (CPR), this malware called the ‘Nitrokod' has been created by a Turkey-related entity as a desktop application for Google Translate. Several people have ended up downloading this app on their PCs in the absence of Google's official desktop app for Translate services. This app, once installed, later establishes elaborate crypto mining operation set-up on the infected PCs.

Once the app is downloaded on a computer, the malware installation process is triggered via a scheduled task mechanism. Upon completion, this malware puts in place a sophisticated mining set-up for the Monero cryptocurrency, which is based on the energy-intensive proof-of-work (PoW) mining model.

This gives the controller of this campaign, hidden access to the infected computers to scam users and later damage the machines.

“After the malware is executed, it connects to its C&C server to get a configuration for the XMRig crypto miner and starts the mining activity. The software can be easily found through Google when users search ‘Google Translate Desktop download'. The applications are trojanised and contain a delayed mechanism to unleash a long multi-stage infection,” CPR said in its report.

As for now, PCs across at least eleven nations have been compromised via Nitrokod malware that has been in circulation since 2019.

CPR has posted updates and alerts about this crypto mining campaign on Twitter.

In recent times, the crypto sector has become a popular means for scamming among cyber criminals.

Scammers have been using the public trust on popular tech brands like LinkedIn, Twitter, and Google to fish out their victims and strike them.

Crypto scams via ‘unicode letters' as well as ‘honeypot accounts' have also increased in frequency in recent times, cyber researcher Serpent noted in his Twitter thread.

In the former, scammers replace URLs to legitimate sites with infected ones created by them. Characters in the infected URLs are made to look like the ones in the real links. Once the target enters the fake website and gives away their login information, their assets come closer to being under the control of the scammer, who eventually drains it off the wallet.