A new variant of the Acecard trojan malware for Android has been discovered that asks gullible Android users to pose for selfies with their ID cards.

The trojan itself was first discovered in February and asked answers that can be used to break into bank accounts, such as “mothers maiden name,” along with credit card information and second-factor authentication. The new version discovered by McAfee Labs’ Mobile Research Team asks for a selfie photo along with a users’ identity document, giving those behind the trojan not only access to the victim’s identify but also potentially to social networks as well.

Installation of the trojan comes via fake apps pretending to provide adult videos or a codec or plug-in necessary to see a specific video, and once installed asks for device administrator privileges before hiding itself, making it difficult to remove.

Once installed, the malware then presents a phishing overlay that pretends to be Google Play. It then asks for a victim’s credit card number, followed by personal and credit card information such as the credit card holder’s name, date of birth, phone number, credit card expiration date and CCV code.

The new version then asks those who live in Hong Kong for a copy of the their government ID card complete with a selfie, or if they live in Singapore their National Registration Identity Card and passport.

Multiple services

Acecard doesn’t stop with targeting Google Play. It has also been found to collect access credentials using fake logins from social media apps such as Facebook, WhatsApp, WeChat, Line and Viber, along with other apps including Dropbox, Google Music, Google Books and Google Videos.

“Android banking Trojans such as Acecard are constantly evolving and improving their social engineering attacks to gain as much sensitive and private information as possible,” the McAfee team notes. “Attackers want not only a victim’s credit card information and different factors of authentication to financial services, but also a picture of the victim with identity document to remotely access to different systems.”

McAfee advises users to protect themselves by having security software installed on their smartphones, avoiding downloading apps from untrusted sources and not providing details to screens that ask for personal and financial information.

Image credit: McAfee