MetalKettle repository

Exodus is no longer being supported by its developers, having been replaced by Covenant. So why is there a new Exodus update? The answer is very troubling and has major implications for Kodi users.

Over the last week, several prominent Kodi addons have been added to a repository on Github. The uploads were to an account named “lewblack125,” and our research shows that this account had also uploaded Exodus builds back in June of this year. However, GitHub says that lewblack125 joined the site on August 19th.

There are two explanations for this: either the original lewblack125 deleted their account temporarily and reactivated it, or someone else signed up with the same name after the account was deactivated. The latter option appears far more likely as MetalKettle, another Kodi developer also had their account reregistered. Further, addons are being added to lewblack125’s repository seemingly without the consent of the creators. Echocoder, the creator of the third-party IPTV addon Sportie has asked lewblack125 to remove Sportie in good faith, although they have mentioned that they’ll disable it entirely if they have to.

Who is this new lewblack125? While some Kodi users assumed that the new Exodus update came from TV Addons, one of their developers vehemently denied this. Instead, they claim that one of their old developers had gone rogue, possibly because of the new lewblack125 account, although whether this account belongs to the original user has yet to be confirmed. This seems unlikely given the current legal troubles that the TV Addons team are facing. The repository recently removed all of its addons that offer access to unlicensed content. Going back on this could open TV Addons up to massive legal ramifications.

By gathering several of the most popular Kodi addons in one place, this new lewblack125 account may have created what’s known as a honeypot. In this case, the potential honeypot is a very attractive repository–a one stop shop for some of the biggest third-party Kodi addons. There are only two reasons why this has been done: someone genuinely wanted to create a single resource for these addons, or they’re planning to use them to hijack the computers of Kodi users. Even if the first option was true, it’s a terrible idea since an attacker would only have to compromise one repository instead of many. Given that the uploader clearly has some degree of coding knowledge and has thus far refused to identify themselves, they must know this, which forces us to confront the second option.

How can you protect yourself?

There are a few ways you can prevent this repository from compromising your system. We’ll cover these below, and remember: the sooner you can action these changes, the better.

Uninstall Exodus

Firstly, if you have Exodus installed,  you may want to consider removing it. It’s no longer being supported, but as long as automatic updates are disabled it should continue to function as normal. To remove an addon, scroll down the menu on the home screen and click the Add-ons option. Next, select Video add-ons and scroll through the list until you find Exodus.

Right click on the Exodus icon and select Information. From here, simply click the Uninstall button in the right-hand corner of the screen.

Uninstall Exodus

Delete the MetalKettle repository

Next, since we know for sure that the MetalKettle account on GitHub is not owned by the real MetalKettle, there’s no reason to keep the repository. In fact, failing to remove it opens you up to vulnerabilities even if you’ve turned off automatic updates. Something as simple as accidentally clicking this repo when trying to update an addon manually could open your system up to attack.

MetalKettle's deleted tweet

Deleting a repository is very similar to deleting an addon, and takes under a minute. On the home screen, select the Add-ons option on the left-hand side. On the next screen, click on the icon that resembles a box opening up. This is in the top-left corner of the screen, underneath the page name.

Uninstall repo step 1

Click Install from repository on the following page and scroll down until you find the MetalKettle repository. Right click it, select Information, and then click the Uninstall button on the right.

Disable automatic updates for addons

This is the most important thing to do, by far. If you installed Exodus via lewblack125’s repo and have automatic updates turned on, your addons will update themselves whenever a new version is released. For context, this means that if lewblack125 was to continue releasing updates for addons that you have, they’d effectively have the means to automatically install malware onto your system whenever they liked. Users who installed Exodus from another source will be unaffected, however, it’s still better for your system’s security to disable automatic updates.

To turn off automatic updates, click on the gear icon on the Kodi home screen. It’s directly beneath the Kodi logo on the left-hand side.

Turn off auto updates step 1

Next, click on the System settings option. This is on the middle row, all the way to the right.

Turn off auto updates step 2

Select Add-ons from the menu on the left, then click on the Updates option on the right.

Turn off auto updates step 3

Finally, select Notify, but don’t install updates. This will let you know when a new version of your addons is available so that you can research it and determine if it’s legitimate or not.

Turn off auto updates step 4

Install a VPN to use Kodi safely

Re-registering a previously well-known GitHub account is just one of the ways an attacker can trick you into downloading malware. Your Kodi addons could even be used as an entry point for a Man-in-the-Middle (MitM) attack.

With a MitM attack, someone intercepts every bit of data that passes between you and the sites you visit. They can redirect your browser, steal all of your online login credentials and even force you to download software that gives them greater control over your system.

You can prevent these attacks by connecting to a virtual private network (VPN). This directs all of your network traffic into an encrypted funnel and prevents it from being read by any outside observers. Even with an extremely powerful computer, this encryption would take thousands of years to break, so MitM attacks just aren’t feasible.

We recommend using a VPN called IPVanish. It’s a favorite amongst Kodi users because it provides a very stable connection with some of the fastest network speeds available. Not only does it keep your protected from attackers, but it can actually enhance your experience by reducing buffering times and allowing you to stream in high-definition. Because IPVanish has servers in more than 50 countries, accessing geo-locked content becomes very simple: just connect the VPN to a server in the country the content is from and you can watch to your heart’s content.

IPVanish is very versatile, catering to every Kodi installation. It has dedicated apps for Android and iOS, and it is the only major VPN available in the default Amazon Fire TV app store. They also have very detailed guides to installing it on Linux-based systems like the Raspberry Pi.

Reader deal: save 60% on an IPVanish annual plan here.

This new development regarding re-activated GitHub accounts is definitely cause for concern. That said, it serves as a reminder that Kodi users should remain vigilant and always check the legitimacy of the updates that they install. We urge our readers to follow the steps laid out above as soon as possible. This will prevent their systems from being compromised by software from an as yet unknown author and protect them should a similar event happen in the future.