If there’s one thing malware authors have learned over the years, it’s that wherever there is big news there is an even bigger opportunity to exploit the public. This time the lure is an Android app that shares its name with the film that has dominated headlines for the past two weeks: The Interview.
The movie first made a name for itself after Sony announced it would be pulling it from theaters following a major breach of its internal networks, one that halted operations at the studio and exposed the personal details of thousands of its employees.
While there is still rampant speculation over who is actually behind the attack, the company eventually relented to demands from both the US government and the public to stand up to Kim Jong Un’s regime and show the movie in support of free speech.
The Interview was released on Christmas Eve, simultaneously in conventional theaters and on digital platforms such as YouTube, Google Play, and iTunes for $5.99.
Despite reports that the movie was torrented almost as much as it was downloaded legally, the release was still heralded as a spectacular move for the studio, showing that just because a terrorist tells you to do something ‘or else’ doesn’t mean you have to comply out of fear.
All that positive news aside, however, new research reported by veteran security analyst Graham Cluley shows that an Android app calling itself “The Interview” has fooled over 20,000 people into installing a run-of-the-mill but still dangerous banking trojan on their phones.
“The banking Trojan, which was hosted on Amazon Web Services, targets customers of a number of Korean banks, as well as one international bank (Citibank).
One aspect which will probably raise eyebrows is that the malware code includes a routine to check the device’s manufacturing information. If it is set to either 삼지연 (Samjiyon) or 아리랑 (Arirang), smartphone manufacturers whose Android devices are sold in North Korea, the malware will not infect, and instead display a message that an attempt to connect to the server failed.”
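The device check described in the quote above, as an added example that is neither the malware’s own code nor taken from the report: a Python reconstruction of the gate, plus a small helper that parses a `getprop` dump so an analyst can predict which test devices or emulator images the sample would refuse to run on. The Android build properties read (`ro.product.manufacturer`, `ro.product.brand`, `ro.product.model`), the romanised spellings, and the three getprop dumps are all assumptions constructed for the example; the page only says the malware compares “manufacturing information” against the two Korean names.

```python
import re
import unicodedata

# Manufacturer strings the report says the malware spares. The two Korean names
# are quoted on the page; the romanised spellings are an added assumption.
SPARED_MANUFACTURERS = {"삼지연", "아리랑", "samjiyon", "arirang"}


def _norm(value: str) -> str:
    """Normalise for comparison: NFC so decomposed Hangul jamo match the
    precomposed syllables, then trim and case-fold the Latin variants."""
    return unicodedata.normalize("NFC", value).strip().casefold()


_SPARED_NORMALISED = {_norm(name) for name in SPARED_MANUFACTURERS}


def is_spared_device(manufacturer: str, brand: str = "", model: str = "") -> bool:
    """Model of the gate described in the report: True means the malware would
    refuse to infect and show its decoy 'connection failed' message instead.
    Which Build field the real sample reads is not stated (assumption), so all
    three commonly used fields are checked."""
    return any(
        _norm(field) in _SPARED_NORMALISED
        for field in (manufacturer, brand, model)
        if field
    )


# `adb shell getprop` prints one "[key]: [value]" pair per line.
_GETPROP_LINE = re.compile(r"^\[(?P<key>[^\]]+)\]: \[(?P<val>[^\]]*)\]$")


def parse_getprop(dump: str) -> dict:
    """Parse a getprop dump into a {key: value} dict, skipping malformed lines."""
    props = {}
    for line in dump.splitlines():
        m = _GETPROP_LINE.match(line.strip())
        if m:
            props[m.group("key")] = m.group("val")
    return props


def predict_outcome(dump: str) -> str:
    """Given a getprop dump from a test device or emulator, report what the
    reconstructed gate would do: 'spared' or 'infected'."""
    props = parse_getprop(dump)
    spared = is_spared_device(
        props.get("ro.product.manufacturer", ""),
        props.get("ro.product.brand", ""),
        props.get("ro.product.model", ""),
    )
    return "spared" if spared else "infected"


# Constructed sample dumps (assumptions, not captured from real hardware).
SAMSUNG_DUMP = """\
[ro.product.manufacturer]: [samsung]
[ro.product.brand]: [samsung]
[ro.product.model]: [SM-G900F]
"""
SAMJIYON_DUMP = """\
[ro.product.manufacturer]: [삼지연]
[ro.product.brand]: [Samjiyon]
[ro.product.model]: [unknown]
"""
EMULATOR_DUMP = """\
[ro.product.manufacturer]: [Google]
[ro.product.brand]: [Android]
[ro.product.model]: [sdk_phone_x86]
"""

# Hangul stored as decomposed jamo, as some extraction tools emit it. A
# byte-for-byte comparison would miss this; NFC normalisation does not.
DECOMPOSED_SAMJIYON = unicodedata.normalize("NFD", "삼지연")

if __name__ == "__main__":
    for name, dump in [("Samsung", SAMSUNG_DUMP), ("Samjiyon", SAMJIYON_DUMP),
                       ("emulator", EMULATOR_DUMP)]:
        print(f"{name}: {predict_outcome(dump)}")
    print("decomposed Hangul spared:", is_spared_device(DECOMPOSED_SAMJIYON))
```

The practical point for anyone analysing this sample: a sandbox or rooted test device whose build properties report one of the spared manufacturers will only ever show the decoy “connection failed” message, so a run that looks benign is not evidence the sample is benign. Conversely, setting `ro.product.manufacturer` to one of these names on a test image is one way to confirm the gate behaves as the report describes.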
For the time being, the trojan looks to be circulating primarily in South Korea and China, which is consistent with the theory that it was developed by North Korean hackers, given that it deliberately spares handsets sold in North Korea.
The original report said the crooks were using a rented server on Amazon Web Services to host the trojan, which would mean an abuse report to AWS should be enough to bring the app and its infrastructure down for good. AWS, however, disputes that the activity is running on its platform at all (see the statement below).
A spokesperson for Amazon Web Services has since addressed the claim*:
“We have a clear acceptable use policy and whenever we have received a complaint of misuse of the services, we have moved swiftly to strictly enforce it. The activity being reported is not running on AWS.”
Until the trojan’s infrastructure is actually taken down, don’t install apps you don’t recognize (especially ones written in a language you don’t read), and never enter financial credentials on a device you don’t explicitly trust.
*Updated January 1 with a statement from Amazon Web Services.