Fake Android The Interview app actually banking Trojan

20K credulous victims hit by South Korea-targeting nasty

Malware-slingers have latched onto the torrent of publicity spawned by the controversial film The Interview by stitching together a fake Android app actually designed to swipe online banking credentials.

Sony Pictures, stung by criticism that it had given in to threats in the wake of a devastating hack attack against its systems, reversed its decision to shelve The Interview and released the North Korean-baiting Seth Rogen comedy on Christmas Day, as originally planned. The movie played to sell-out audiences in a limited number of theatres as well as enjoying a release online, through both official and unofficial channels.

But one of the illegal torrents making the rounds in South Korea poses as an Android app to download the movie. In reality the software is attempting to exploit the media frenzy surrounding The Interview by pushing an Android Trojan detected by McAfee products as Android/Badaccents.

The banking Trojan is programmed to target customers of a number of Korean banks, as well as Citi Bank. Approximately 20,000 devices appear to have been infected to date, based on bank account data from infected Android devices relayed back to a Chinese mail server and intercepted by security researchers.

The malware is programmed to check the device’s manufacturer, bypassing infection routines and displaying a failed connection message if either Samjiyon or Arirang smartphone devices are detected. Both manufacturers sell Android devices in North Korea.

However, McAfee security researcher Irfan Asrar reckons the routine is designed by cybercrooks to weed out potential targets from North Korea, who are obviously unlikely to have online banking accounts, rather than anything more political, such as an attempt to identify those interested in a “decadent Western film” that has incensed the ruling cadre in Pyongyang.

The threat was detected by researchers at McAfee during a joint investigation with the Technische Universität Darmstadt and the Centre for Advanced Security Research Darmstadt. The banking Trojan was hosted on Amazon Web Services. McAfee has notified the cloud computing giant of the threat. This abuse is incidental rather than central to the scam and it’s quite possible that the malware will reappear elsewhere, possibly under a different disguise.

Virus distributors regularly latch onto newsworthy events ranging from celebrity deaths to natural disasters as a means of grabbing attention for their nefarious wares.

A write-up of the latest such threat - complete with screenshots - can be found in a blog post by veteran security researcher Graham Cluley here. ®
