While the movie “The Interview” — the gross-out comedy that apparently triggered a massive cyberattack on Sony Pictures by North Korea — earned $15 million in its first weekend of online distribution, there’s been another “Interview”-related payday as well: A mobile app pretending to download the movie has infected an estimated 20,000 devices in South Korea with banking malware, security analyst Graham Cluley reported.
Researchers at security company McAfee and the Technische Universitat Darmstadt and the Centre for Advanced Security Research Darmstadt said the two-stage banking Trojan targets customers of Citi and several Korean banks. Instead of downloading the movie, the malware uploads bank account data from infected Android devices to a Chinese mail server.
The malware, which was hosted on Amazon Web Services, also appears to have specifically targeted South Korean users. The malicious app includes a routine to check whether the downloading phone is a device sold in North Korea. If it is, the malware just displays a message that it can’t connect to the server containing the movie.
But McAfee security expert Irfan Asrar said he doesn’t believe that device check was politically motivated. Instead, he suggested it was a commercial decision by the cyberthieves not to waste bandwidth on users who were outside the targeted region, since North Koreans were unlikely to be customers of the targeted banks.