October 18, 2016 By Douglas Bonderud 3 min read

Just when it seems like malware-makers have reached the end of their ingenuity, something like the Acecard Android Trojan pops up to remind security professionals that cybercriminals aren’t out of ideas — they’re just working on new projects.

According to SC Magazine, this one could pose a serious problem. Designed to run in the background, Acecard monitors when users open specific apps, then asks them to take a selfie while holding their ID. So far, the code has only been spotted in Singapore and Hong Kong, but with such a lucrative potential payout, it’s a safe bet Acecard is eventually coming to America.

Say Cheese!

So how does this app convince users to give up highly personal data and then take pictures of themselves while holding their IDs? As noted by Softpedia, the first step involves sneaking onto Android devices.

A previous version of the Trojan used a Black Jack app from the official Google Play store. The search giant cracked down, but the Trojan is now making the rounds on third-party sites, hiding in apps that claim to be Flash players or adult-content delivery systems. By masquerading as a legitimate service, this malware gains the ability to ask for admin permissions once installed on any Android device.

Of course, asking for permission isn’t the same as getting carte blanche, so how are cybercriminals convincing users to say yes? Constant annoyance appears to be the method of choice, with users being continually bombarded with permission-request screens until they finally give in and accept.

The Android Trojan is then free to scan for specific apps that require user authentication to open — such as Google Play, Facebook or Dropbox — and start asking for details. First up are requests for credit card data, along with the user’s name, birthday and address. But that’s just the beginning.

Victims are also asked to take a picture of the front and back of their ID card or passport, in addition to a selfie that shows them holding up the same ID. From the user’s perspective, this is a rather laborious verification process; for malicious actors, it’s a gold mine.

An Android Trojan’s Mass Appeal?

Once attackers have this kind of personal data in hand, it’s possible to do just about anything — open a bank or credit card account, transfer funds or take control of social media accounts. This brings up an interesting point: With so much at stake, why would users be willing to enter this kind of personal information?

The answer lies in ubiquity. Smartphone use now outpaces traditional desktop internet access in many countries thanks to the falling price of devices and increasing availability of Wi-Fi hot spots. As a result, many users simply aren’t aware of the risks surrounding third-party app sellers and assume any legitimate-seeming request for data must be real.

Consider the Ghost Push Trojan. As noted by ZDNet, this was a big deal two years ago, infecting 600,000 Androids per day and allowing the Android malware to install apps, display advertisements and spy on users. Newer versions of the mobile OS fixed the problem, but despite the roll out, over 50 percent of users still haven’t upgraded and remain at risk. Any device running Android Lollipop is vulnerable.

The takeaway? Malware-makers are counting on the masses — users who own smartphones or tablets but don’t keep up with the latest in security news, leaving them unaware of emerging threats or the benefit offered by OS upgrades. While user education is part of the solution, the sheer number of smartphones in use and the amount of money on the table makes this a high priority for phone manufacturers and Google’s OS. In a world obsessed with selfies, vanity has now become the newest threat vector.

More from

FYSA – Adobe Cold Fusion Path Traversal Vulnerability

2 min read - Summary Adobe has released a security bulletin (APSB24-107) addressing an arbitrary file system read vulnerability in ColdFusion, a web application server. The vulnerability, identified as CVE-2024-53961, can be exploited to read arbitrary files on the system, potentially leading to unauthorized access and data exposure. Threat Topography Threat Type: Arbitrary File System Read Industries Impacted: Technology, Software, and Web Development Geolocation: Global Environment Impact: Web servers running ColdFusion 2021 and 2023 are vulnerable Overview X-Force Incident Command is monitoring the disclosure…

2024 trends: Were they accurate?

4 min read - The new year always kicks off with a flood of prediction articles; then, 12 months later, our newsfeed is filled with wrap-up articles. But we are often left to wonder if experts got it right in January about how the year would unfold. As we close out 2024, let’s take a moment to go back and see if the crystal balls were working about how the year would play out in cybersecurity.Here are five trends that were often predicted for…

Ransomware attack on Rhode Island health system exposes data of hundreds of thousands

3 min read - Rhode Island is grappling with the fallout of a significant ransomware attack that has compromised the personal information of hundreds of thousands of residents enrolled in the state’s health and social services programs. Officials confirmed the attack on the RIBridges system—the state’s central platform for benefits like Medicaid and SNAP—after hackers infiltrated the system on December 5, planting malicious software and threatening to release sensitive data unless a ransom is paid. Governor Dan McKee, addressing the media, called the attack…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today