A new Android Trojan just emerged out there in the wild and this time it’s so clever it makes me wonder if the dark side of the force is such a bad idea after all…I am just kidding folks, but take a load of this: this Android banking malware will trick its victims into submitting a selfie pic while holding their ID card. If you’re wondering why, well, keep reading.
Why on Earth would you be required to take a selfie with your identity card visible in the background? Oh well, for identity confirmation, of course. And by all means, this method of opening a bank account online is usual, most banking institution use it on a daily basis. For example, companies like Mastercard switched to selfies as a method for verifying one’s identity, as opposed to requiring a password. The selfie-verification process in this particular case is used for when making online payments and things of that nature.
And hackers already started taking advantage of this new feature, as McAfee’s security researchers just discovered a brand-new Android banking Trojan, an Acecard version respectively (the latest) which enters into your Android running device as a fake video plugin (Adobe flash player for example, or a video codec) then asks you to send a selfie whilst holding your personal identification card. According to Kaspersky’s Lab Anti-malware Research Team, this latest version of Acecard is the most dangerous out there by a long shot.
Once installed, the Android Trojan will ask you for a variety of permissions on your device, allowing it to execute the malicious code then it will wait for you to open certain Android apps, i.e. those that would require your credit card/payment information, including a request for a Photo ID, front and back. With all this intel gathered successfully, the hacker will be able to make banking transactions in your name and/or to steal your email, social media account etc. All these fake apps are distributed outside of Google’s Play Store, so be aware of the risks when installing stuff from untrusted sources. Also, except for a mobile banking service, no legit app will ever request a selfie of you holding your ID card.