



A joint investigation by McAfee researchers, the Technische Universität Darmstadt and the Centre for Advanced Security Research Darmstadt (CASED) has identified a malware campaign in South Korea. The campaign attempts to infect South Korean devices using a fake Android app, "The Interview".





This campaign is a targeted operation to infect South Korean devices with banking malware. McAfee products detect the malware as Android/Badaccents.











After the fake "The Interview" app is installed, it checks the device’s manufacturer information. If it is set to either 삼지연 (Samjiyon) or 아리랑 (Arirang), smartphone manufacturers whose Android devices are sold in North Korea, the malware does not infect the device and instead displays a message that an attempt to connect to the server failed.







If the check passes (that is, the device is South Korean), the app downloads and installs two-stage banking malware hosted on Amazon Web Services onto the victim’s device while claiming to download a copy of “The Interview”.

The malware targets customers of a number of Korean banks, as well as Citi Bank.





McAfee security expert Irfan Asrar told Graham Cluley, "A torrent making the rounds in South Korea, poses as an Android app to download the movie to mobile devices."





Asrar says that he does not currently believe that limiting infections to non-North-Korean-made devices was politically motivated, but instead a commercial decision not to waste bandwidth on users who were outside the targeted region (as North Koreans were unlikely to be customers of the targeted banks).





The researchers uncovered that bank account data from infected Android devices was being relayed back to a Chinese mail server, and that approximately 20,000 devices appear to have been infected to date.



