Android Banking Trojan Asks for Selfie With Your ID

In the first half of 2016 we noticed that Android banking Trojans had started to improve their phishing overlays on legitimate financial apps to ask for more information. Victims were requested to provide “Mother’s Maiden Name,” “Father’s Middle Name,” “Maternal Grandmothers Name,” or a “Memorable Word.” Attackers used that data to respond to security questions and obtain illegal access to the victims’ bank accounts.

Recently the McAfee Labs Mobile Research Team found a new variant of the well-known Android banking Trojan Acecard (aka Torec, due to the use of Tor to communicate with the control server) that goes far beyond just asking for financial information. In addition to requesting credit card information and second-factor authentication, the malicious application asks for a selfie with your identity document—very useful for a cybercriminal to confirm a victim’s identity and access not only to banking accounts, but probably also even social networks.

Like most Android banking Trojans, this threat also tricks users into installing the malware by pretending to be an adult video app or a codec/plug-in necessary to see a specific video:

acecard_app_logos
As soon as the malicious app is executed by the user, it hides the icon from the home launcher and constantly asks for device administrator privileges to make its removal difficult:

acecard_deviceadmin
When it is running in the background, the malware constantly monitors the opening of specific apps to show the user its main phishing overlay, pretending to be Google Play and asking for a credit card number:

acecardphishingoverlay
Once the credit card number is validated, the next phishing overlay asks for more personal and credit card information such as cardholder name, date of birth, phone number, credit card expiration date, and CCV:

acecard_phishing_overlay_personal

Depending on the type of the credit card that the user entered in the first phishing overlay, the malware will also ask for a second factor of authentication:

acecard_hk
In the preceding case, the malware asks for the HK (Hong Kong) ID. This new variant also targets users in Singapore, asking for the National Registration Identity Card and the Singaporean passport:

acecard_sg

After collecting credit card and personal information from the victim, the malware offers a fake “identity confirmation” that consists of three steps. The first two steps ask the user to upload a clean and readable photo of the front and back side of the victim’s identity document (national ID, passport, driver’s license):

acecard_identityconf_step1and2
The final step asks for a selfie with the identity document:

acecard_selfi

Why are Android banking Trojans so popular? One possible reason is the exploit kit GM Bot, whose source code was leaked in February. (IBM SecurityIntelligence blogged about it.)

Android banking Trojans such as Acecard are constantly evolving and improving their social engineering attacks to gain as much sensitive and private information as possible. Attackers want not only a victim’s credit card information and different factors of authentication to financial services, but also a picture of the victim with identity document to remotely access to different systems. To protect yourselves from this threat, employ security software on your mobile, avoid downloading and installing apps from untrusted sources, and do not trust screens that ask for financial and personal information.

McAfee Mobile Security detects this threat as Android/Torec and alerts mobile users if it is present, while protecting them from any data loss. For more information about McAfee Mobile Security, visit http://www.mcafeemobilesecurity.com.

Targeted apps

  • com.android.vending
  • com.google.android.music
  • com.google.android.videos
  • com.google.android.play.games
  • com.google.android.apps.books
  • com.whatsapp
  • com.viber.voip
  • com.dropbox.android
  • com.tencent.mm
  • jp.naver.line.android