Fake “The Interview” app is really an Android banking trojan


29 December 2014

The must-see movie of the moment is surely not “The Hobbit: Battle of the Five Armies”, “Unbroken” or even “Paddington”. No, the one movie that everyone is talking about is “The Interview”.


Following the devastating hack of its computer systems by a hacking group which might (or might not) have had the blessing and backing of North Korea, Sony Pictures flip-flopped over whether the Seth Rogen comedy about the assassination of Kim Jong-un would get a Christmas Day release.

Eventually, the movie had a limited Christmas Day release in the States, much wider online availability for US internet users via sites like YouTube, and wider still copyright-infringing distribution via torrent sites.

But the computer security story surrounding “The Interview” doesn’t end there.


Researchers at McAfee, in a joint investigation with the Technische Universität Darmstadt and the Centre for Advanced Security Research Darmstadt (CASED), have identified a threat campaign that has been active in South Korea over the last few days, attempting to exploit the media frenzy surrounding the release of “The Interview”.

McAfee security expert Irfan Asrar tells me that a torrent making the rounds in South Korea poses as an Android app that downloads the movie to mobile devices.

Android malware downloading...

However, in truth, it contains an Android Trojan detected by McAfee products as Android/Badaccents.

Android/Badaccents claims to download a copy of “The Interview” but instead installs a two-stage banking Trojan onto victims’ devices.

The banking Trojan, which was hosted on Amazon Web Services, targets customers of a number of Korean banks, as well as one international bank (Citibank).

One aspect which will probably raise eyebrows is that the malware code includes a routine to check the device’s manufacturing information. If it is set to either 삼지연 (Samjiyon) or 아리랑 (Arirang), smartphone manufacturers whose Android devices are sold in North Korea, the malware does not infect the device, and instead displays a message that an attempt to connect to the server failed.

The Android malware stops downloading

Asrar says that he does not currently believe the limiting of infections to devices not made in North Korea was politically motivated, but rather a commercial decision not to waste bandwidth on users outside the targeted region (as North Koreans were unlikely to be customers of the targeted banks).
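For an analyst triaging a sample like this, the manufacturer gate described above is itself a useful indicator: code that reads the device vendor from android.os.Build and compares it against hard-coded names. The script below is an added example, not McAfee's code and not taken from Android/Badaccents; it assumes the gate is implemented in the usual way, via Build.MANUFACTURER (or a sibling field such as BRAND or MODEL) compared against string constants, and it scans baksmali-style output for that pattern. The embedded smali is constructed for illustration, as is the “Failed to connect” message; the two vendor names are the ones reported in the article. Korean literals may appear as \uXXXX escapes or as decomposed (NFD) Hangul, so both sides of the comparison are normalised to NFC before matching.

```python
"""
Triage helper: flag device-manufacturer gating in decoded Android code.

Added example (not McAfee's or the article's code). Assumes the gate reads
android.os.Build.MANUFACTURER / BRAND / MODEL / PRODUCT and compares the value
with hard-coded vendor strings; the smali below is constructed to show that
shape and is not from Android/Badaccents.
"""
import re
import unicodedata

# Manufacturer names the article reports the malware whitelists (Hangul, NFC form).
GATE_VENDORS = ("삼지연", "아리랑")

# Reads of the android.os.Build fields that identify the device vendor/model.
BUILD_FIELD_RE = re.compile(
    r"Landroid/os/Build;->(MANUFACTURER|BRAND|MODEL|PRODUCT):Ljava/lang/String;"
)
# const-string / const-string/jumbo literals, keeping escaped quotes intact.
CONST_STRING_RE = re.compile(r'const-string(?:/jumbo)?\s+[vp]\d+,\s*"((?:[^"\\]|\\.)*)"')
UNICODE_ESCAPE_RE = re.compile(r"\\u([0-9a-fA-F]{4})")


def canonical(s: str) -> str:
    """Decode \\uXXXX escapes and normalise to NFC so decomposed Hangul
    (NFD jamo sequences) compares equal to the precomposed syllables."""
    s = UNICODE_ESCAPE_RE.sub(lambda m: chr(int(m.group(1), 16)), s)
    return unicodedata.normalize("NFC", s)


def find_vendor_gate(smali: str) -> dict:
    """Report which Build fields are read and which gate vendors appear as literals.
    'suspicious' is set only when both are present in the same unit of code."""
    fields = sorted(set(BUILD_FIELD_RE.findall(smali)))
    wanted = {canonical(v) for v in GATE_VENDORS}
    literals = [canonical(raw) for raw in CONST_STRING_RE.findall(smali)]
    hits = sorted({lit for lit in literals if lit in wanted})
    return {
        "build_fields": fields,
        "gate_vendors": hits,
        "suspicious": bool(fields) and bool(hits),
    }


# Constructed smali in the shape a manufacturer gate takes after baksmali.
# The first vendor literal is written with \uXXXX escapes and the second in
# decomposed (NFD) Hangul, the two encodings a naive text search would miss.
SAMPLE_SMALI = (
    ".method private isGatedDevice()Z\n"
    "    .locals 3\n"
    "    sget-object v0, Landroid/os/Build;->MANUFACTURER:Ljava/lang/String;\n"
    '    const-string v1, "\\uc0bc\\uc9c0\\uc5f0"\n'
    "    invoke-virtual {v0, v1}, Ljava/lang/String;->equals(Ljava/lang/Object;)Z\n"
    "    move-result v2\n"
    "    if-nez v2, :gated\n"
    '    const-string v1, "' + unicodedata.normalize("NFD", "아리랑") + '"\n'
    "    invoke-virtual {v0, v1}, Ljava/lang/String;->equals(Ljava/lang/Object;)Z\n"
    "    move-result v2\n"
    "    if-nez v2, :gated\n"
    "    const/4 v0, 0x0\n"
    "    return v0\n"
    "    :gated\n"
    '    const-string v1, "Failed to connect to server"\n'  # constructed message text
    "    const/4 v0, 0x1\n"
    "    return v0\n"
    ".end method\n"
)

if __name__ == "__main__":
    print(find_vendor_gate(SAMPLE_SMALI))
```

The practical caveat this encodes: when a sample shows a “could not connect to the server” message in a sandbox, that may be the gate firing on the emulator's build properties rather than dead infrastructure, so it is worth confirming the behaviour against the vendor strings the code compares before concluding the campaign is over.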

The researchers uncovered that bank account data from infected Android devices was being relayed back to a Chinese mail server, and that approximately 20,000 devices appear to have been infected to date.

McAfee has notified Amazon Web Security of its findings, with a view to having the Amazon-hosted files removed to prevent further infections. Of course, it’s always possible that other web storage services could be used to host the malicious code in future – potentially using different disguises.

Source – http://grahamcluley.com/2014/12/the-interview-android-app-malware/

