Android Banking Trojan Tricks Victims into Submitting Selfie Holding their ID Card
The banking trojan then overlays itself on top of the legitimate app where it proceeds to ask users for their payment card number and card details such as card holder's name, expiration date, and CVV number.
"It displays its own window over the legitimate app, asking for your credit card details," explains McAfee researcher Bruce Snell. "After validating the card number, it goes on to ask for additional information such as the 4-digit number on the back."
Once this is done, the trojan then looks to obtain users' personal information, including their name, date of birth, and mailing address, for "verification purposes," and even requests a photo of the front and back sides of their ID card.
After this, the Trojan also prompts users to hold their ID card in their hand, underneath their face, and take a selfie.
Hackers Can Make Illegal Transfers and Take Over Your Online Accounts
All these pieces of information are more than enough for an attacker to verify illegal banking transactions and steal access to victims' social media accounts by confirming the stolen identities.
So far, this version of the Acecard Android banking Trojan has impacted users in Singapore and Hong Kong.
This social engineering trick is obviously not new, and any tech-savvy user would quickly catch this malicious behavior, as there is no reason for Google to ask for your ID card. But the trick still works with non-technical and less technical users.
Since all of these fake apps have been distributed outside of the Google Play Store, users are strongly advised to avoid downloading and installing apps from untrusted sources. Besides this, users should pay attention to the permissions apps are asking for.
Most importantly: No app needs a photo of you holding your ID card except perhaps a mobile banking service. So, always be cautious before doing that.