October 18, 2016 By Douglas Bonderud 3 min read

Just when it seems like malware-makers have reached the end of their ingenuity, something like the Acecard Android Trojan pops up to remind security professionals that cybercriminals aren’t out of ideas — they’re just working on new projects.

According to SC Magazine, this one could pose a serious problem. Designed to run in the background, Acecard watches for the user opening specific apps, then asks them to take a selfie while holding their ID. So far the code has only been spotted in Singapore and Hong Kong, but with such a lucrative potential payout, it's a safe bet Acecard is eventually coming to America.

Say Cheese!

So how does this app convince users to give up highly personal data and then take pictures of themselves while holding their IDs? As noted by Softpedia, the first step involves sneaking onto Android devices.

An earlier version of the Trojan was distributed as a blackjack game on the official Google Play store. Google removed it, but the Trojan is now making the rounds on third-party sites, hiding in apps that claim to be Flash Player updates or adult-content players. Because it looks like a legitimate service, the malware is in a position to request device administrator privileges once installed, and an app that holds device admin cannot be uninstalled until the user first deactivates it.

Of course, asking for permission isn't the same as getting carte blanche, so how are cybercriminals convincing users to say yes? Constant annoyance appears to be the method of choice: the user is bombarded with permission-request screens, again and again, until they finally give in and tap accept.

The Trojan is then free to watch for the launch of specific apps that require a login, such as Google Play, Facebook or Dropbox, and to put its own data-entry screens on top of them. First come requests for credit card data, along with the user's name, birthday and address. But that's just the beginning.

Victims are also asked to photograph the front and back of their ID card or passport, and then to take a selfie in which they hold up the same ID. From the user's perspective this is a laborious verification process; for the attackers, it's a gold mine.
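The behaviour described above leaves three traces an analyst can check for over adb: the app was sideloaded rather than installed from Google Play, it holds an enabled device-administrator receiver, and it is allowed to draw over other apps (the SYSTEM_ALERT_WINDOW app op), which is what it needs to put its own form on top of Facebook or Dropbox. The triage script below is an added example and is not code from the article or from any vendor; it parses the output of `pm list packages -3 -i`, `dumpsys device_policy` and `appops get <pkg> SYSTEM_ALERT_WINDOW`, and the sample outputs embedded in it are constructed, shaped after real adb output. The set of trusted installers and the package names are assumptions for the example.

```python
"""Flag third-party Android packages that combine sideloading, device admin and
overlay permission, the traits an Acecard-style overlay Trojan relies on.
Added example; sample outputs below are constructed."""
import re
import subprocess
import sys

# Installers treated as trusted; extend with OEM app stores as needed (assumption).
TRUSTED_INSTALLERS = {"com.android.vending"}

# --- constructed samples, shaped after real adb output -----------------------
PM_SAMPLE = """\
package:com.facebook.katana  installer=com.android.vending
package:com.dropbox.android  installer=com.android.vending
package:com.flashplayer.update  installer=null
package:com.example.mdm  installer=com.android.vending
"""

DEVICE_POLICY_SAMPLE = """\
Current Device Policy Manager state:
  Device Owner: 
  Enabled Device Admins (User 0, provisioningState: 0):
    com.flashplayer.update/.DeviceAdminReceiver:
      uid=10123
      testOnlyAdmin=false
    com.example.mdm/.AdminReceiver:
      uid=10085
  Password expiration (User 0): none
"""

APPOPS_SAMPLE = {
    "com.facebook.katana": "SYSTEM_ALERT_WINDOW: allow; time=+3d2h11m ago\n",
    "com.dropbox.android": "No operations.\n",
    "com.flashplayer.update": "SYSTEM_ALERT_WINDOW: allow; time=+2h14m32s ago\n",
    "com.example.mdm": "SYSTEM_ALERT_WINDOW: deny\n",
}


def parse_installers(pm_output):
    """'pm list packages -3 -i' -> {package: installer or None (sideloaded)}."""
    installers = {}
    for line in pm_output.splitlines():
        m = re.match(r"package:(\S+)\s+installer=(\S+)", line.strip())
        if m:
            pkg, inst = m.groups()
            installers[pkg] = None if inst == "null" else inst
    return installers


def parse_device_admins(dumpsys_output):
    """'dumpsys device_policy' -> set of packages with an enabled admin receiver."""
    admins, in_section = set(), False
    for line in dumpsys_output.splitlines():
        if line.strip().startswith("Enabled Device Admins"):
            in_section = True
            continue
        indent = len(line) - len(line.lstrip(" "))
        if in_section and line.strip() and indent < 4:
            in_section = False  # the next 2-space subsection ends the admin list
        if in_section:
            m = re.match(r" {4}(\S+)/\S+:\s*$", line)  # "    package/Receiver:"
            if m:
                admins.add(m.group(1))
    return admins


def overlay_allowed(appops_output):
    """'appops get <pkg> SYSTEM_ALERT_WINDOW' -> True if the op is allowed."""
    return bool(re.search(r"SYSTEM_ALERT_WINDOW:\s*allow", appops_output))


def triage(pm_output, dumpsys_output, appops_by_pkg):
    """Return [(package, [reasons])], most suspicious first."""
    installers = parse_installers(pm_output)
    admins = parse_device_admins(dumpsys_output)
    findings = []
    for pkg, installer in installers.items():
        reasons = []
        if installer not in TRUSTED_INSTALLERS:
            reasons.append("sideloaded")
        if pkg in admins:
            reasons.append("device-admin")
        if overlay_allowed(appops_by_pkg.get(pkg, "")):
            reasons.append("overlay")
        if reasons:
            findings.append((pkg, reasons))
    return sorted(findings, key=lambda f: (-len(f[1]), f[0]))


def adb(*args):
    """Run 'adb shell <args>' against the connected device (needs adb on PATH)."""
    return subprocess.run(["adb", "shell", *args], capture_output=True,
                          text=True, check=True).stdout


def collect_live():
    """Pull the same three outputs from a real device."""
    pm_out = adb("pm", "list", "packages", "-3", "-i")
    dp_out = adb("dumpsys", "device_policy")
    appops = {p: adb("appops", "get", p, "SYSTEM_ALERT_WINDOW")
              for p in parse_installers(pm_out)}
    return pm_out, dp_out, appops


if __name__ == "__main__":
    inputs = collect_live() if "--live" in sys.argv else (
        PM_SAMPLE, DEVICE_POLICY_SAMPLE, APPOPS_SAMPLE)
    for pkg, reasons in triage(*inputs):
        print(f"{pkg:32} {', '.join(reasons)}")
```

Run without arguments to see the constructed sample scored, or with `--live` against a connected device. A package that scores on all three traits is not proof of infection, but it is exactly the combination a legitimate Play-installed app rarely needs, so it is where a manual look at the APK should start; a single hit (Facebook drawing overlays for chat heads, an MDM agent holding device admin) is expected and should be read in context.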

An Android Trojan’s Mass Appeal?

Once attackers have this kind of personal data in hand, it’s possible to do just about anything — open a bank or credit card account, transfer funds or take control of social media accounts. This brings up an interesting point: With so much at stake, why would users be willing to enter this kind of personal information?

The answer lies in ubiquity. Smartphone use now outpaces traditional desktop internet access in many countries thanks to the falling price of devices and increasing availability of Wi-Fi hot spots. As a result, many users simply aren’t aware of the risks surrounding third-party app sellers and assume any legitimate-seeming request for data must be real.

Consider the Ghost Push Trojan. As noted by ZDNet, this was a big deal two years ago, infecting 600,000 Android devices per day and letting attackers silently install apps, display advertisements and spy on users. Newer versions of the mobile OS fixed the problem, but despite the rollout, over 50 percent of users still haven't upgraded and remain at risk: any device still running Android Lollipop or earlier is vulnerable.

The takeaway? Malware-makers are counting on the masses: users who own smartphones or tablets but don't keep up with the latest in security news, leaving them unaware of emerging threats or of the benefit offered by OS upgrades. While user education is part of the solution, the sheer number of smartphones in use and the amount of money on the table make this a high priority for phone manufacturers and for Google. In a world obsessed with selfies, vanity has now become the newest threat vector.
