
This fake 'Google' app is infecting PCs with crypto mining software to make money off victims — here's how

Got Google Translate on your desktop? Watch out! The search-engine giant never released a desktop version of its ultra-popular language tool, so there's a good chance you have malware masquerading as a legitimate app on your PC.

According to a new Check Point Research (CPR) report, a cybercriminal campaign dubbed Nitrokod is disguising crypto-mining software as the desktop version of Google Translate (as well as other legitimate-sounding apps) to secretly make money from unsuspecting victims.

That Google app may not be what you thought it was

When users search for "Google Translate Desktop download," the malicious link to the malware-infected software appears at the top of Google Search results (I've checked it myself and it's still there).

Fake Google Translate desktop app (Image credit: Check Point Research)

After victims unknowingly download the malicious, phony Google Translate app, something interesting happens: the infection process doesn't occur right away. Instead, the cybercriminals delay it, insidiously defiling users' PCs after a period of weeks. They also delete traces of the original installation.

"Once the user launches the new software, an actual Google Translate application is installed," the CPR report said. In other words, to make matters worse, the malicious developer of the Google Translate desktop app created a realistic-looking program using a Chromium-based framework that converts the Google Translate web page into a functional platform. 

"In addition, an updated file is dropped, which starts a series of four droppers until the actual malware is dropped," the CPR report added.

Once the malware finally "kicks in," it connects to a Command and Control server that launches unauthorized crypto-mining activity, allowing cybercriminals to surreptitiously make money from unsuspecting Google Translate desktop app users. 

The cybercriminals are likely not collecting anything as demanding or energy-intensive as Bitcoin or Ethereum, but they could be mining Dogecoin or earning free Shiba Inu. If they're leeching from enough victims, they could be making a significant profit.

Fake crypto mining apps (Image credit: Check Point Research)

Check Point Research suspects that Nitrokod infected thousands of machines worldwide across 11 countries. Keep in mind that the faux desktop Google Translate app isn't the only bait the crypto-focused cybercriminals use to lure victims into their lair. They also offer "YouTube Music Desktop," "Microsoft Translator Desktop," and other questionable apps.

It's easy to fall victim to this attack, especially considering its high visibility on Google Search. CPR reminds users to only download software from authorized, known publishers and vendors. If you suspect that your PC was hijacked by Nitrokod, you'll find a remediation section at the conclusion of the CPR report that explains how to clean an infected machine.

Kimberly Gedeon, holding a Master's degree in International Journalism, launched her career as a journalist for MadameNoire's business beat in 2013. She loved translating stuffy stories about the economy, personal finance and investing into digestible, easy-to-understand, entertaining stories for young women of color. During her time on the business beat, she discovered her passion for tech as she dove into articles about tech entrepreneurship, the Consumer Electronics Show (CES) and the latest tablets. After eight years of freelancing, dabbling in a myriad of beats, she's finally found a home at Laptop Mag that accepts her as the crypto-addicted, virtual reality-loving, investing-focused, tech-fascinated nerd she is. Woot!