A new Android malware loves users’ love of selfies. How much? Enough to ask them to take one so that it can steal access to their accounts, and potentially steal their identity.
The unnamed malware masquerades primarily as a video codec or plugin. In some cases, it arrives as a fake Adobe Flash Player app, a tactic that other Android malware, including Marcher and Android/Spy.Agent.SI, has employed.
Amusingly, in at least one instance, the attackers have called their malicious app “Abode Flash Player” rather than Adobe Flash Player.
Regardless of the disguise, the end result is always the same. If successfully installed, the trojan asks users to agree to a number of permissions, at which point it idles and lies in wait. For what? For a user to have any reason to enter their credit card details.
It’s at that point the malware activates, explains McAfee researcher Bruce Snell:
“It displays its own window over the legitimate app, asking for your credit card details. After validating the card number, it goes on to ask for additional information such as the 4-digit number on the back.”
Once the trojan has collected all of a user’s financial details, it then sets its sights on obtaining a user’s personal information, including their name, date of birth, age, mailing address, and even a photo of the front and back sides of their ID card.
For its pièce de résistance, the malware asks for one more piece of data: a user’s selfie.
That picture, along with all of the other pieces of information it has already obtained, is more than enough for an attacker to steal access to victims’ web accounts.
To protect against this malware, users should pay attention to what permissions their apps are requesting of them. Seriously, why would a video plugin require more than a couple of permissions? If an application asks for more rights than it should need to perform its advertised functions, move on and find another app that asks for fewer permissions.
Later on, if a seemingly legitimate app begins asking you for all kinds of sensitive personal and financial bits of information, uninstall it immediately.
No app should need a photo of you holding your ID except perhaps a mobile banking service. But if you need to send a copy of your ID anywhere, it’s best to mail it via snail mail or better yet deliver it in person.