Cheated Google Translate app steals and installs Monero mining malware on over 1 lakh PCs

Polygon’s Chief Security Officer Urge Web3 Firms to Invest in Security Experts Amid Hack Spree

A crypto-mining malware, disguised as a Google Translate app, has recently come to light for infiltrating thousands of computers. According to a study by Check Point Research (CPR), the malware, named ‘Nitrokod’, was created by a Turkish-based organization as a desktop application for Google Translate. In the absence of Google’s official desktop app for translation services, many people have ended up downloading this app on their PC. This app, once installed, then installs an elaborate crypto mining operation set-up on the infected PC.

Once the app is downloaded to the computer, the malware installation process is triggered by a scheduled task mechanism. Once complete, the malware hosts a sophisticated mining set-up for the Monero cryptocurrency, based on an energy-intensive proof-of-work (PoW) mining model.

This gives the campaign’s controller, hidden access to infected computers to trick users and then damage the machines.

“Once the malware is executed, it connects to its C&C server to get the configuration for the XMRig crypto miner and starts mining activity. This software can easily be found by Google when users search for ‘Google Translate Desktop Download’. The applications are trojanized and have a delayed mechanism to release a long multi-stage infection,” CPR said in it. Report,

So far, PCs in at least eleven nations have been compromised by the Nitrokod malware that has been prevalent since 2019.

CPR has posted updates and alerts about this crypto mining campaign on Twitter.

In recent times, the crypto sector has become a popular medium for scams among cybercriminals.

Scammers are using public trust in popular tech brands like LinkedIn, Twitter and Google to find and target their victims.

Crypto scams using ‘unicode characters’ as well as ‘honeypot accounts’ have increased in frequency in recent times, cyber researcher Serp noted in his Twitter thread.

In the past, scammers change URLs to legitimate sites with infected sites created by them. Characters in infected URLs are made to look like real links. Once the target accesses the fake website and provides their login information, their assets are closer to being controlled by the scammer, who ultimately removes them from the wallet.


Please enter your comment!
Please enter your name here