"The Interview," the controversial political comedy that many believe exposed Sony Pictures to a massive hack, now threatens to expose users of Android phones to a malware attack, a security researcher said over the weekend.
In a blog post, Graham Cluley said an app claiming to be able to download "The Interview" actually threatens to steal the owner's banking information.
"Researchers at McAfee – in a joint investigation with the Technische Universität Darmstadt and the Centre for Advanced Security Research Darmstadt (CASED), have identified that a threat campaign has been active in South Korea in the last few days, attempting to exploit the media frenzy surrounding The Interview's release," he said.
He quoted McAfee security expert Irfan Asrar as saying a torrent is now online in South Korea, posing as an Android app that can download the movie to mobile devices.
The banking Trojan dubbed Android/Badaccents was hosted on Amazon Web Services and targets customers of some Korean banks as well as one international bank, Cluley said.
Citing the researchers' findings, Cluley said at least 20,000 devices may have been infected, with the data going to a Chinese mail server.
"Android/Badaccents claims to download a copy of 'The Interview' but instead installs a two-stage banking Trojan onto victims’ devices," he said.
But Cluley also noted the malware's code will check the device’s manufacturing information.
If the device's manufacturer is set to Samjiyon or Arirang, which suggests the smartphone may have been sold in North Korea, the malware will not infect it.
The malware will instead show a message that an attempt to connect to the server failed.
"Asrar says that he does not currently believe the limiting of infections to non-North Korean made devices was politically motivated, but instead a commercial decision not to waste bandwidth on users who were outside the targeted region (as North Koreans were unlikely to be customers of the targeted banks)," Cluley said.
Cluley said McAfee has notified Amazon Web Security of its findings so the Amazon-hosted files can be removed to prevent further infections.
"Of course, it’s always possible that other web storage services could be used to host the malicious code in future – potentially using different disguises," he said. — Joel Locsin/JDS, GMA News