Sneak fake Google Translate app installs cryptomines on 112,000 PCs

by · August 31, 2022

Cryptomining malware has stealthily invaded hundreds of thousands of computers around the world since 2019, often masquerading as legitimate programs such as Google Translate, new research has found.

In an Aug. 29 report by Check Point Research (CPR), a research team for US-Israeli cybersecurity vendor Check Point Software Technologies, the malware has flown under the radar for years, thanks in part to its sneaky design that delays the installation of crypto mining malware for weeks after the initial software download.

Linked to a Turkish-speaking software developer that claims to offer “free and secure software”, the malware invades PCs through fake desktop versions of popular apps such as YouTube Music, Google Translate and Microsoft Translate.

When a scheduled task mechanism triggers the malware installation process, it proceeds steadily through several steps over several days, culminating in the setup of a stealth Monero (XMR) cryptominer.

The cyber security firm said the Turkish-based crypto miner called ‘Nitrokod’ has infected machines in 11 countries.

According to CPR, popular software download sites such as Softpedia and Uptodown had counterfeits available under the publisher name “Nitrokod INC”.

Some of the programs had been downloaded hundreds of thousands of times, such as the fake desktop version of Google Translate on Softpedia, which even had almost a thousand reviews, with an average star rating of 9.3 out of ten, despite Google not having a official desk. version for that program.

Screenshot by Check Point Research of the alleged fake app

According to Check Point Software Technologies, offering a desktop version of apps is a key part of the scam.

Most of the programs offered by Nitrokod do not have a desktop version, which makes the counterfeit software appealing to users who believe they have found a program unavailable elsewhere.

According to Maya Horowitz, VP of Research at Check Point Software, the malware fakes are also available “with a simple web search.”

“What’s most interesting to me is the fact that the malware is so popular, yet went under the radar for so long.”

At the time of writing, Nitrokod’s copycat Google Translate Desktop program is still one of the top search results.

Design helps avoid detection

The malware is particularly difficult to detect, as even when a user launches the fake software, they are left none the wiser as the fake apps can also mimic the same features that the legitimate app provides.

Most of the hacker’s programs are easily built from the official websites using a Chromium-based framework, allowing them to distribute functional programs loaded with malware without developing them from scratch.

Related: 8 sneaky crypto scams on Twitter right now

So far, over a hundred thousand people across Israel, Germany, UK, America, Sri Lanka, Cyprus, Australia, Greece, Turkey, Mongolia and Poland have fallen victim to the malware.

To avoid being tricked by this malware and others like it, Horowitz says several basic security tips can help reduce the risk.

“Watch out for similar domains, misspellings on websites and unknown email senders. Only download software from authorized, known publishers or vendors and ensure your endpoint security is up-to-date and provides comprehensive protection.”