Slashdot Mirror


Android Trojan Asks Victims To Submit a Selfie Holding Their ID Card (softpedia.com)

An anonymous reader writes from a report via Softpedia: Untrained and gullible Android users are now the target of an Android banking trojan that asks them to send a selfie holding their ID card. The trojan, considered the most sophisticated Android trojan known today, is named Acecard, and this most recent version has been detected only in Hong Kong and Singapore for now. The purpose of requiring a selfie of the victim holding his/her ID card is for the crook to prove himself when making fraudulent bank transactions, calling tech support posing as the victim, or for taking over social media accounts for Facebook or Twitter, which often require ID scans in the case of account takeover disputes. The report adds: "A previous version of the Acecard trojan hid inside a Black Jack game delivered via the official Google Play Store. In the most recent version of this threat, security experts from McAfee have found a new version of the Acecard trojan hidden inside all sorts of apps that pose as Adobe Flash Player, pornographic apps, or video codecs. All of these apps are distributed outside of the Play Store and constantly pester users with permission requirement screens until they get what they want, which is administrator rights. Once this step is achieved, the trojan lays in hiding until the user opens a specific app. McAfee experts found that when the user opens the Google Play app, the trojan springs a new social engineering trap."
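The behaviour the report describes (an app installed from outside the Play Store, nagging until it holds device-administrator rights) is something a defender can triage from device metadata. The script below is an added example written for this page; it is not from the Softpedia report, McAfee, or any Acecard analysis. It parses a constructed excerpt in the style of `adb shell dumpsys package <pkg>` and `adb shell dumpsys device_policy` output and flags sideloaded packages that hold device-admin rights or the overlay permission. The field layout of those dumps varies between Android versions, so the parser and the flagging heuristic are the editor's assumptions, and the package names are made up.

```python
"""Triage Android package metadata for the pattern described in the story:
a sideloaded app that has obtained device-administrator rights (and,
as an extra editor-assumed signal, can draw over other apps).

Inputs are CONSTRUCTED excerpts mimicking `dumpsys package` and
`dumpsys device_policy`; real output differs by Android version."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

PLAY_STORE = "com.android.vending"  # installer id of the official Play Store app

# Constructed sample: three packages; only com.fake.flashplayer matches the pattern.
SAMPLE_DUMPSYS_PACKAGE = """\
Package [com.example.bank] (1a2b3c):
  installerPackageName=com.android.vending
  requested permissions:
    android.permission.INTERNET
    android.permission.USE_FINGERPRINT
Package [com.fake.flashplayer] (4d5e6f):
  installerPackageName=null
  requested permissions:
    android.permission.INTERNET
    android.permission.SYSTEM_ALERT_WINDOW
    android.permission.RECEIVE_SMS
Package [com.example.notes] (7a8b9c):
  installerPackageName=com.android.vending
  requested permissions:
    android.permission.SYSTEM_ALERT_WINDOW
"""

# Constructed sample in the spirit of `dumpsys device_policy`: enabled admin receivers.
SAMPLE_DUMPSYS_DEVICE_POLICY = """\
Current Device Policy Manager state:
  Enabled Device Admins (User 0):
    ComponentInfo{com.fake.flashplayer/com.fake.flashplayer.AdminReceiver}:
      uid=10123
"""


@dataclass
class PackageInfo:
    name: str
    installer: Optional[str] = None          # None == sideloaded / unknown installer
    permissions: Set[str] = field(default_factory=set)


def parse_dumpsys_package(text: str) -> Dict[str, PackageInfo]:
    """Collect installer and requested permissions per package (assumed layout)."""
    packages: Dict[str, PackageInfo] = {}
    current: Optional[PackageInfo] = None
    for line in text.splitlines():
        m = re.match(r"Package \[([\w.]+)\]", line)
        if m:
            current = PackageInfo(name=m.group(1))
            packages[current.name] = current
            continue
        if current is None:
            continue
        stripped = line.strip()
        if stripped.startswith("installerPackageName="):
            value = stripped.split("=", 1)[1]
            current.installer = None if value == "null" else value
        elif stripped.startswith("android.permission."):
            current.permissions.add(stripped)
    return packages


def parse_active_admins(text: str) -> Set[str]:
    """Package names that own an enabled device-admin receiver (assumed layout)."""
    return set(re.findall(r"ComponentInfo\{([\w.]+)/", text))


def triage(pkg_text: str, admin_text: str) -> List[Tuple[str, List[str]]]:
    """Return (package, reasons) for packages matching the sideloaded-admin pattern."""
    packages = parse_dumpsys_package(pkg_text)
    admins = parse_active_admins(admin_text)
    findings: List[Tuple[str, List[str]]] = []
    for pkg in packages.values():
        sideloaded = pkg.installer != PLAY_STORE
        reasons = []
        if sideloaded and pkg.name in admins:
            reasons.append("sideloaded app holds device-admin rights")
        if sideloaded and "android.permission.SYSTEM_ALERT_WINDOW" in pkg.permissions:
            reasons.append("sideloaded app can draw over other apps")
        if reasons:
            findings.append((pkg.name, reasons))
    return findings


if __name__ == "__main__":
    for name, reasons in triage(SAMPLE_DUMPSYS_PACKAGE, SAMPLE_DUMPSYS_DEVICE_POLICY):
        print(name)
        for r in reasons:
            print("  -", r)
```

A Play-installed app with the overlay permission alone (com.example.notes in the sample) is deliberately not flagged: the signal here is the combination of an unknown installer with admin rights or overlay ability, not either fact on its own. One practical caveat when acting on a hit: an app with an active device-admin receiver cannot be uninstalled until that admin is deactivated under Settings, which is exactly why this family works so hard to obtain it.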

25 comments

  1. Safe to browse porn on iPhone? by Anonymous Coward · · Score: 0

    Android may lose the porn war.

  2. You deserve to get owned by ronmon · · Score: 1

    Seriously, this is Darwinism. Morons must die.

    1. Re:You deserve to get owned by FunkSoulBrother · · Score: 3, Interesting

      Why should the information on my Driver's License/Passport that I show publicly to all sorts of people like bartenders or security cards put me at any risk?

    2. Re:You deserve to get owned by epyT-R · · Score: 2

      Identity fraud? The more they add to the dossier, the more likely they can successfully claim they are you.

    3. Re:You deserve to get owned by Calydor · · Score: 4, Insightful

      Because we have allowed these things to become, essentially, universal passwords.

      You will most likely tell your friends to never use the same password for multiple sites, and then turn around and identify yourself EVERYWHERE with your driver's license or social security card. It's the same thing, just in the real world.

      --
      -=This sig has nothing to do with my comment. Move along now=-
    4. Re:You deserve to get owned by Anonymous Coward · · Score: 0

      Why should the information on my Driver's License/Passport that I show publicly to all sorts of people like bartenders or security cards put me at any risk?

      You raised the right issue!

    5. Re:You deserve to get owned by Anonymous Coward · · Score: 0, Insightful

      Believing in Social Darwinism is stupid - it is neither science nor philosophy, just a sign that someone is a teenage idiot.

    6. Re:You deserve to get owned by Archangel+Michael · · Score: 3, Interesting

      Here is the problem, you've basically described security through obscurity.

      But here is what I know about ID. It has to be public info in order to verify you are who you say you are. YOU are NOT your ID.

      The problem with ID is that it assumes the person with the ID is the person being identified. It puts no responsibility upon the person who is trying to verify identity from ID. Here is my solution. Make ID the responsibility of the person verifying identity, not the person who is being identified.

      Someone goes in to get a loan, the bank needs to make sure the person is who they say they are, and if they are not, they are liable. So when an ID thief comes in with my info, and says they are me, and takes out a loan as me, I am NOT responsible for that transaction (as it is today, and why LifeLock makes a mint). I shouldn't have to repair anything when someone presents themselves fraudulently as me.

      --
      Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.
    7. Re:You deserve to get owned by BinBoy · · Score: 4, Funny

      Joke's on them. I held up my credit card instead.

    8. Re:You deserve to get owned by epyT-R · · Score: 1

      Well, yeah, but identity thieves build up dossiers over time. A bit from here, a bit from there, and when it hits some level of 'legitimacy', it's then used, usually for a money grab. While the data on a driver's license is 'out there', it's not necessarily a search away to anyone.

      Pragmatically, it can be very difficult to get out from under the damage caused by a major ID theft, especially if it has been ongoing for years without your knowledge.

    9. Re:You deserve to get owned by Anonymous Coward · · Score: 1

      Well, first you have to get legitimate entities like Facebork to stop requesting the exact same thing. This one isn't quite a case of "legit companies don't do that" like is the case with the IRS communicating by phone or email or such things.

    10. Re:You deserve to get owned by techno-vampire · · Score: 1

      I did even better: I held up my VA patient's ID card. Not only is it useless as ID anyplace except the VA, you're asked for the last four digits of your SSN as a PIN. I imagine that a student ID card would work just as well.

      --
      Good, inexpensive web hosting
    11. Re: You deserve to get owned by Anonymous Coward · · Score: 0

      Well, those people were using android, so they were kinda asking for it.

    12. Re: You deserve to get owned by Anonymous Coward · · Score: 0

      Well, those people were using android, so they were kinda asking for it.

      More than likely, they were downloading apk files for commercial apps from whatever site they got in a search result. This is the direct equivalent of all the mac users that got hit with malware when they installed cracked copies of photoshop a few years ago.

      You can crack an iPhone too, and also install things from outside the walled garden, which of course puts you at risk.

    13. Re: You deserve to get owned by Anonymous Coward · · Score: 0

      Remember that when an elderly loved one falls victim to hackers.

    14. Re:You deserve to get owned by Anonymous Coward · · Score: 0

      Facebook? Legitimate?

    15. Re: You deserve to get owned by macs4all · · Score: 1

      Well, those people were using android, so they were kinda asking for it.

      More than likely, they were downloading apk files for commercial apps from whatever site they got in a search result. This is the direct equivalent of all the mac users that got hit with malware when they installed cracked copies of photoshop a few years ago.

      You can crack an iPhone too, and also install things from outside the walled garden, which of course puts you at risk.

      But what's curious, is that iOS has absolutely allowed full-on "Sideloading" for a couple of YEARS now, (in fact, there is a Mac/Windows Application called "Cydia Impactor" that doesn't require Jailbreaking, nor a Mac with XCode) and yet, other than that old Bootleg iLife installation (IIRC, that happened long BEFORE the legit Sideloading), you don't hear about the Exploit du Jour with iOS like you do with Android. Why? Surely there are enough people taking advantage of that "Freedom" that there would have been at least SOME exploits by now. But the only one that comes to mind is that short-lived tainted version of XCode that circulated in China a couple of years ago. And that was actually OS X being Trojaned, not iOS, per se. The difference being that OS X (macOS) has always allowed Applications from anywhere (plus it's not iOS); so that doesn't "count".

      So, what is fundamentally different between the two platforms that would cause this huge difference? Not marketshare: There are PLENTY of iOS devices (and their typically higher-income owners) to make it worthwhile, especially in the identity-theft arena. Not user-IQ: No matter the platform, there's a Seeker born every minute. So what? Did Apple (who most Slashdotters think are all about "restricting access") actually figure out how to allow full-on Sideloading in a SAFE manner, or is iOS somehow immune-by-design to Trojans (really, how could that be?), or what?

      I am not trolling. It's a serious question. Does anyone with deep insight into BOTH platforms know why the ability to Sideload Apps hasn't caused rampant malware on iOS like it undeniably has on Android?

    16. Re:You deserve to get owned by Hognoxious · · Score: 1

      So when an ID thief comes in with my info, and says they are me, and takes out a loan as me, I am NOT responsible for that transaction (as it is today, and why LifeLock makes a mint)

      I'm not disputing that it is the case - I've heard the stories too.

      What I don't understand is how any sane legal system allows two parties to make a contract on behalf of a third party, absent the typical situations where they have prior authorization to do so.

      Why can't the alleged debtor turn up with a letter purporting to be from the bank's president saying that they're dropping the case and offering 100 grand for your trouble? That's exactly equivalent to what they have.

      --
      Confucius say, "Find worm in apple - bad. Find half a worm - worse."
    17. Re:You deserve to get owned by Opportunist · · Score: 1

      And you let your bartender take pictures of it too?

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    18. Re: You deserve to get owned by tlhIngan · · Score: 1

      But what's curious, is that iOS has absolutely allowed full-on "Sideloading" for a couple of YEARS now, (in fact, there is a Mac/Windows Application called "Cydia Impactor" that doesn't require Jailbreaking, nor a Mac with XCode) and yet, other than that old Bootleg iLife installation (IIRC, that happened long BEFORE the legit Sideloading), you don't hear about the Exploit du Jour with iOS like you do with Android. Why? Surely there are enough people taking advantage of that "Freedom" that there would have been at least SOME exploits by now. But the only one that comes to mind is that short-lived tainted version of XCode that circulated in China a couple of years ago. And that was actually OS X being Trojaned, not iOS, per se. The difference being that OS X (macOS) has always allowed Applications from anywhere (plus it's not iOS); so that doesn't "count".

      So, what is fundamentally different between the two platforms that would cause this huge difference? Not marketshare: There are PLENTY of iOS devices (and their typically higher-income owners) to make it worthwhile, especially in the identity-theft arena. Not user-IQ: No matter the platform, there's a Seeker born every minute. So what? Did Apple (who most Slashdotters think are all about "restricting access") actually figure out how to allow full-on Sideloading in a SAFE manner, or is iOS somehow immune-by-design to Trojans (really, how could that be?), or what?

      I am not trolling. It's a serious question. Does anyone with deep insight into BOTH platforms know why the ability to Sideload Apps hasn't caused rampant malware on iOS like it undeniably has on Android?

      iOS jails applications. That's why breaking out is called "jailbreaking".

      Every app runs in a sandbox that's really limited in what it can do - if Apple hasn't blessed it and you can't find a private API to do it, you can't do it.

      That's why certain apps are just not possible on iOS by default - Apple doesn't provide an API to do it. iOS also limits what can be done - apps can share very little except through very narrow pathways (they can hand off complete files, so Safari can hand off a PDF to a PDF viewer, but once it does, it loses all access to it), and a few other pathways including ad blocking. It's also why multitasking is limited to certain conditions and scenarios.

      In Android, an app pretty much has full access to the system, within the permissions it requests. The only protection is via the permissions system. For Apple, the APIs themselves enforce protections - if you try to access the contacts list, the API will pop up the modal dialog. Ditto with location services, photos (which can be a way to get location), making a phone call (the dialer will pop up) and text messages.

      When you sideload on iOS, all you're doing is installing an app. That app has the same restrictions regular apps do.

      Jailbreaking is a technique on iOS meant to break out of the app jail, and thus allow any application to be installed. Like firewall applications, apps that re-skin the interface etc. Jailbroken apps have full access to the system and in this case you really don't have any app protections. It's the reason why jailbroken iPhones are a security risk because even regular apps can access stuff they shouldn't.

    19. Re: You deserve to get owned by macs4all · · Score: 1

      But what's curious, is that iOS has absolutely allowed full-on "Sideloading" for a couple of YEARS now, (in fact, there is a Mac/Windows Application called "Cydia Impactor" that doesn't require Jailbreaking, nor a Mac with XCode) and yet, other than that old Bootleg iLife installation (IIRC, that happened long BEFORE the legit Sideloading), you don't hear about the Exploit du Jour with iOS like you do with Android. Why? Surely there are enough people taking advantage of that "Freedom" that there would have been at least SOME exploits by now. But the only one that comes to mind is that short-lived tainted version of XCode that circulated in China a couple of years ago. And that was actually OS X being Trojaned, not iOS, per se. The difference being that OS X (macOS) has always allowed Applications from anywhere (plus it's not iOS); so that doesn't "count".

      So, what is fundamentally different between the two platforms that would cause this huge difference? Not marketshare: There are PLENTY of iOS devices (and their typically higher-income owners) to make it worthwhile, especially in the identity-theft arena. Not user-IQ: No matter the platform, there's a Seeker born every minute. So what? Did Apple (who most Slashdotters think are all about "restricting access") actually figure out how to allow full-on Sideloading in a SAFE manner, or is iOS somehow immune-by-design to Trojans (really, how could that be?), or what?

      I am not trolling. It's a serious question. Does anyone with deep insight into BOTH platforms know why the ability to Sideload Apps hasn't caused rampant malware on iOS like it undeniably has on Android?

      iOS jails applications. That's why breaking out is called "jailbreaking".

      Every app runs in a sandbox that's really limited in what it can do - if Apple hasn't blessed it and you can't find a private API to do it, you can't do it.

      That's why certain apps are just not possible on iOS by default - Apple doesn't provide an API to do it. iOS also limits what can be done - apps can share very little except through very narrow pathways (they can hand off complete files, so Safari can hand off a PDF to a PDF viewer, but once it does, it loses all access to it), and a few other pathways including ad blocking. It's also why multitasking is limited to certain conditions and scenarios.

      In Android, an app pretty much has full access to the system, within the permissions it requests. The only protection is via the permissions system. For Apple, the APIs themselves enforce protections - if you try to access the contacts list, the API will pop up the modal dialog. Ditto with location services, photos (which can be a way to get location), making a phone call (the dialer will pop up) and text messages.

      When you sideload on iOS, all you're doing is installing an app. That app has the same restrictions regular apps do.

      Jailbreaking is a technique on iOS meant to break out of the app jail, and thus allow any application to be installed. Like firewall applications, apps that re-skin the interface etc. Jailbroken apps have full access to the system and in this case you really don't have any app protections. It's the reason why jailbroken iPhones are a security risk because even regular apps can access stuff they shouldn't.

      Yes, iOS implements Sandboxing for ALL applications. You talk about that like it's a Bad Thing. iOS' non-record of identity theft, vs. Android's long and storied history of Identity Theft, nicely proves that Apple made the right decision, sorry.

      It is not "Blocking" a Service or "Jailing" an Application to require User Permission at the time of Attempted Accessing of certain sensitive Services/Data. Again, I point to the fact that Apple has a pretty-much PRISTINE record for NOT having some random App stealing User Data; plus I note that with Marshmallow, it looks like Android is (finally!) adopting some, if not all, of iOS' Security and Permissions models. So now what?

      As I said,

  3. I hope someone falls for this by Anonymous Coward · · Score: 0

    I hope someone falls for this. Because only thinking about someone falling for this makes me lol so hard.

    1. Re:I hope someone falls for this by Anonymous Coward · · Score: 1

      It's in Hong Kong, you'll have 1000 photos that look like the same person!

  4. FWIW, Android lets you block notifications per app by Solandri · · Score: 1

    Feature was introduced in Marshmallow I believe. I had to do that when a utility app which had previously been silent got updated to spam me with ads disguised as a notification popup every few hours.

    Settings -> Apps -> [app in question] -> Notifications -> Block all

    You can also control most app permissions (independent of the app requesting them) in the same place.

    Settings -> Apps -> [app in question] -> Permissions

    Doesn't let you control an app's network usage (except cellular data use in the background). But if you're rooted you can use AFWall+ to do that.

  5. Re:FWIW, Android lets you block notifications per by Anonymous Coward · · Score: 0

    You can also report those apps if they're in the Google Play Store, as the Google Developer Policy does not allow ads in notifications:

    https://play.google.com/about/...

    "Ads must not simulate or impersonate the user interface of any app, notification, or warning elements of an operating system. It must be clear to the user which app is serving each ad."