Banking Trojan Hidden in "The Interview" Android app


Security experts have warned that cyber-criminals are trying to cash in on interest in controversial Sony Pictures movie The Interview by hiding malware in an Android app claiming to download the film.

A banking trojan detected as Android/Badaccents was discovered by researchers at McAfee and the Technische Universität Darmstadt and the Centre for Advanced Security Research Darmstadt (CASED).

Hosted on Amazon Web Services, the malware targets South Korean banking customers as well as Citibank patrons and has already infected 20,000 devices, according to security expert Graham Cluley.

Data lifted from devices was sent to Chinese mail servers, he explained in a blog post.

“One aspect which will probably raise eyebrows, is that the malware code includes a routine to check the device’s manufacturing information,” Cluley continued.

“If it is set to either ??? (Samjiyon) or ??? (Arirang), smartphone manufacturers whose Android devices are sold in North Korea, the malware will not infect, and instead display a message that an attempt to connect to the server failed.”

However, this feature is unlikely to be politically motivated. Rather it shows the attackers behind the malware want to focus all their efforts on users inside South Korea, rather than their neighbors to the north who will not be customers of the targeted banks.

The Amazon-hosted files have now been removed to prevent further infections, although the attackers could theoretically find another hosting provider to take its place.

Amazon Web Services said the following in a statement:

“We have a clear acceptable use policy and whenever we have received a complaint of misuse of the services, we have moved swiftly to strictly enforce it. The activity being reported is not running on AWS.”

The Seth Rogen movie The Interview jumped to notoriety after a major destructive cyber attack on Sony Pictures Entertainment at the tail end of 2014.

That attack, which the FBI claims was launched with the backing of Pyongyang, not only forced the movie giant to shut down its corporate network for days, but also led to the leaking of the movie along with sensitive internal documents and information on staff.

As a result of an online threat by the hacking group calling itself “Guardians of Peace”, the film was withdrawn by most major North American distributors just before Christmas, making it hard to find – although it subsequently ended up online.
