If you downloaded a Google Translate desktop app, it’s probably cryptojacking malware

A hot potato: There is no native Google Translate app for desktop computers, but searching for one may yield results from freeware websites. Apps posing as Google Translate and various other services are part of a scam designed to deliver crypto-mining malware, which goes to great lengths to hide from multiple security protocols.

This week, IT security group Check Point Research (CPR) released a report on the discovery of a cryptomining malware campaign hiding behind legitimate-looking apps, including Google Translate. The programs download malware while performing their advertised functions to gain users’ trust.

Researchers found malware from Turkish developer Nitrokod on popular software download sites such as Softpedia and Uptodown, which marked it as safe. The rogue programs include desktop versions of Google Translate, Yandex Translate, Microsoft Translator, YouTube Music, an mp3 downloader, and an auto-shutdown application.

Users who downloaded any of these programs should uninstall them as soon as possible and use the official web-based or mobile versions instead. None of these services has a legitimate desktop application, which is why the Nitrokod versions are the ones that rank high in search results.

Nitrokod designed the malware to appear legitimate after installation. The group’s Google Translate app, for example, looks and works like the official website. That’s because Nitrokod created it by converting the Google page using the Chromium Embedded Framework. The apps also don’t start acting suspiciously right away. Instead, they wait until the user has rebooted the system at least four times on four separate days, which could take weeks, depending on the user. Check Point says this helps them avoid sandbox detection.

The malware then removes traces of its installation, making it difficult for users to determine the source of suspicious activity. Nitrokod software also checks for the presence of security software, and it won’t start the mining program if it detects signs that it’s running in a virtual machine, a precaution against malware analysis. After all these steps, the malware starts using the victim’s computer to mine cryptocurrencies.

TechSpot and other tech news websites often host secure downloads of many useful utilities, including the Android version of Google Translate. Searching in those sections is a safe way to find apps without finding malware.
