“The Interview” is undeniably the hottest movie of the year, which is a comedy about a plan to kill North Korea’s leader, Kim Jong-un. It has also been the most controversial, backed by disputes with hackers threatening theaters who will play the said movie with physical action, and also by demands to pull the film, delaying its release. The movie did reach theaters, albeit limited, and the internet, via YouTube, Xbox Video and other similar video streaming websites.
With all the racket and commotion, the Rogen-Franco movie has also been a big hit on torrent websites, downloaded tons of times illegally. Apparently, this has been a cue for the cyber evildoers to trick innocent minds again into infecting their smartphones and tablets with malware.
In a recent blog post by Graham Cluley, a security blogger, an Android app claiming to be a client to download the movie is swarming the internet today. Quoting Irfan Asrar, a McAfee security expert, the app is part of a torrent, exclusive to South Korea. Cluley states:
“Researchers at McAfee – in a joint investigation with the Technische Universität Darmstadt and the Centre for Advanced Security Research Darmstadt (CASED), has identified that a threat campaign has been active in South Korea in the last few days, attempting to exploit the media frenzy surrounding The Interview‘s release,”
The app looks like an innocent application that will help you pirate the movie. But in reality, it contains an Android Trojan named “Android/Badaccents”, which was hosted on Amazon Web Services. It is a banking Trojan which affects a number of Korean banks, including Citi Bank, and is out to steal your personal information and wipe the money off your bank cards. The collected data then apparently goes to a Chinese mail server. He has mentioned in his blog that at least 20,000 devices have been infected by the Trojan.
One peculiar thing was observed by Cluley though, the malware checks for the device’s manufacturing information; if the device is set to “Samjiyon” or “Arirang,” which means the handset has been purchased in North Korea, the malware will not infect the host device, and instead display an error message stating “an attempt to connect to the server failed.”
Pondering on whether this was a politics related attack, Cluley quotes Asrar:
“Asrar says that he does not currently believe the limiting of infections to non-North Korean made devices was politically motivated, but instead a commercial decision not to waste bandwidth on users who were outside the targeted region (as North Koreans were unlikely to be customers of the targeted banks),”
Cluley has mentioned that McAfee has notified Amazon of the issue, so further infections can be prevented. Also, he has warned people that there is a possibility of the Trojan being hosted on other websites, wearing different disguises.