With hundreds of millions of active users Xunlei is arguably the most used BitTorrent client in the world, albeit almost exclusively in China. But aside from delivering entertainment the company was recently found to be distributing malware to thousands of people through its services. The company, partly owned by Google, has fired the employees responsible and now offers an uninstaller to infected users.
To the Western public the name Xunlei might not ring any immediate bells, but in China its software is used by hundreds of millions of people every month.
Previously the company’s BitTorrent client was crowned the most used BitTorrent software in the world, beating uTorrent and several other popular clients.
Xunlei’s website offers a searchable index of billions of media files which users can download with the proprietary Xunlei software. The company is partly owned by Google and in recent years has evolved into the leading player in the online file-sharing space.
Recently, however, the company ran into trouble when people spotted suspicious software on their systems signed with a Xunlei security certificate. A thorough investigation from ESET now reveals that Xunlei the company has been spreading malware to Windows and Android users.
While it’s unclear how the application is distributed, the windows installer “INPEnhSetup.exe” that spreads the suspicious files is directly connected to the Chinese file-sharing giant. Besides the security certificate, the application also calls home to the Xunlei-owned domain kankan.com
Once the “dropper” is installed it loads an Office plugin which among other things downloads an Android application. This application is then installed on all Android devices that are connected to the computer, which subsequently installs several other seemingly harmless applications.
ESET looked at all the technical details of the software distributed by Xunlei and has categorized the application as a malicious program under the name Win32/Kankan.
“The use of a fake Office plugin to gain persistence, the ability to silently install Android applications, and the backdoor functionalities, confirm the validity of the concerns of Chinese users and explains why ESET detects this program as malicious, under the name Win32/Kankan,” ESET’s Joan Calvet writes.
“There are still some open questions, like the original infection vector and the exact reason the Android applications were installed,” he adds.
While it remains unclear whether Xunlei’s popular BitTorrent client was used to spread the malware, the company has admitted that its employees were responsible for the development and distribution of the suspicious software.
During a press conference Xunlei apologized for their mistakes. The company said that the personnel responsible were acting without permission and have since been fired.
For affected users Xunlei has released an uninstaller and according to ESET the number of infections has dropped significantly since its release, as can be seen in the graph below.