Android Acecard banking trojan asks users for selfie with an ID card

Pierluigi Paganini October 15, 2016

Experts discovered a new variant of the Android Acecard banking trojan that asks victims to take a selfie while they are holding an ID card.

The inventiveness of criminals is a bottomless pit. Recently, a number of organizations announced new authentication methods based on selfies. For example, HSBC customers can open new bank accounts using a selfie, and the Bank of Scotland, Mastercard and many other financial organizations have announced similar selfie-based methods.

Crooks have already started taking advantage of this new method of biometric authentication. Experts at McAfee discovered a new Android banking Trojan, dubbed Acecard, that pretends to be an adult video app or a codec/plug-in necessary to see a specific video.

“Recently the McAfee Labs Mobile Research Team found a new variant of the well-known Android banking Trojan Acecard (aka Torec, due to the use of Tor to communicate with the control server) that goes far beyond just asking for financial information.” reads a blog post published by McAfee. “In addition to requesting credit card information and second-factor authentication, the malicious application asks for a selfie with your identity document—very useful for a cybercriminal to confirm a victim’s identity and access not only to banking accounts, but probably also even social networks.” 

The fake video plugin poses as Adobe Flash Player, a pornographic app, or a video codec.

While running in the background, the Acecard banking Trojan monitors the opening of specific apps usually associated with payment transactions. When the victim opens one of these apps, the malware displays its main phishing overlay, which pretends to be Google Play and asks for a credit card number, and then requests the card details along with more personal and financial data (i.e. cardholder name, date of birth, phone number, credit card expiration date, and CCV).

After collecting credit card and personal information from the victim, the Acecard banking Trojan asks victims to complete a fake “identity confirmation” composed of three steps. In the first two steps, the app asks the victim to upload a clean and readable photo of the front and back side of their identity document (national ID, passport, driver’s license).


In the final step, the malicious app asks victims to take a selfie while holding their ID card.

“After collecting credit card and personal information from the victim, the malware offers a fake “identity confirmation” that consists of three steps. The first two steps ask the user to upload a clean and readable photo of the front and back side of the victim’s identity document (national ID, passport, driver’s license).” continues the post. “The final step asks for a selfie with the identity document.”

The information collected by the Acecard banking Trojan allows attackers to carry out several illegal activities that would result in the theft of the victim’s identity.

According to the experts, this variant of the Acecard banking Trojan has impacted users in Singapore and Hong Kong.

As usual, let me suggest that you avoid downloading apps from untrusted app stores and carefully review the permissions apps ask for … and of course don’t take selfies while holding your ID card.


Pierluigi Paganini

(Security Affairs – Android Acecard banking trojan, selfies)


