Android Trojan Asks Victims To Submit a Selfie Holding Their ID Card

An anonymous reader writes from a report via Softpedia: Untrained and gullible Android users are now the target of an Android banking trojan that asks them to send a selfie holding their ID card. The trojan, considered the most sophisticated Android trojan known today, is named Acecard, and this most recent version has been detected only in Hong Kong and Singapore for now. The purpose of requiring a selfie of the victim holding his/her ID card is for the crook to prove himself when making fraudulent bank transactions, calling tech support posing as the victim, or for taking over social media accounts for Facebook or Twitter, which often require ID scans in the case of account takeover disputes. The report adds: "A previous version of the Acecard trojan hid inside a Black Jack game delivered via the official Google Play Store. In the most recent version of this threat, security experts from McAfee have found a new version of the Acecard trojan hidden inside all sorts of apps that pose as Adobe Flash Player, pornographic apps, or video codecs. All of these apps are distributed outside of the Play Store and constantly pester users with permission requirement screens until they get what they want, which is administrator rights. Once this step is achieved, the trojan lays in hiding until the user opens a specific app. McAfee experts found that when the user opens the Google Play app, the trojan springs a new social engineering trap."

Re:You deserve to get owned

[FunkSoulBrother]

Why should the information on my Drivers License/Passport that I show publicly to all sorts of people like bartenders or security cards put me at any risk?

Re:You deserve to get owned

[Archangel+Michael]

Here is the problem, you've basically described security through obscurity.

But here is what I know about ID. It has to be public info in order to verify you are who you say you are. YOU are NOT your ID.

The problem with ID, is that it assumes the person with the ID, is the person being Identified. It puts no responsibility upon the person who is trying to verify identity from ID.Here is my solution. Make ID the responsibility of the person verifying identity, not the person who is being identified.

Someone goes in to get a loan, the bank needs to make sure the person is who they say they are, and if they are not, are liable. So when ID thief comes in with my info, and says they are me, and takes out a loan as me, that I am NOT responsible for that transaction (as it is today, and why LifeLock makes a mint). I shouldn't have to repair anything when someone presents themselves fraudulently as me.