Enjoy taking selfies? That plays right into the hands of this identity-stealing malware…

Fake video app asks victims for selfie, alongside a large amount of other personal info.

David Bisson

A new Android malware loves users’ love of selfies. How much? Enough to ask them to take one so that it can steal access to their accounts, and potentially steal their identity.

The unnamed malware masquerades primarily as a video codec or plugin. In some cases, it arrives as a fake Adobe Flash Player app, a tactic which other Android malware including Marcher and Android/Spy.Agent.SI have employed.

Malicious apps

Amusingly, in at least one of the instances shown above, the attackers have called their malicious app “Abode Flash Player” rather than Adobe Flash Player.

Regardless of the disguise, the end result is always the same. If successfully installed, the trojan asks users to agree to a number of permissions, at which point it idles and lies in wait. For what? For a user to have any reason to enter their credit card details.

It’s at that point the malware activates, explains McAfee researcher Bruce Snell:

“It displays its own window over the legitimate app, asking for your credit card details. After validating the card number, it goes on to ask for additional information such as the 4-digit number on the back.”

Once the trojan has collected all of a user’s financial details, it then sets its sights on obtaining a user’s personal information, including their name, date of birth, age, mailing address, and even a photo of the front and back sides of their ID card.

For its pièce de résistance, the malware asks for one more data bit: a user’s selfie.

Selfie malware

That picture, along with all of the other pieces of information it has already obtained, is more than enough for an attacker to steal access to victims’ web accounts.

To protect against this malware, users should pay attention to what permissions their apps are requesting of them. Seriously, why would a video plugin require more than a couple of permissions? If an application asks for more rights than it should need to perform its advertised functions, move on and find another app that asks for fewer permissions.

Later on, if a seemingly legitimate app begins asking you for all kinds of sensitive personal and financial bits of information, uninstall it immediately.

No app should need a photo of you holding your ID, except perhaps a mobile banking service. But if you need to send a copy of your ID anywhere, it's best to send it by snail mail or, better yet, deliver it in person.

David Bisson is an infosec news junkie and security journalist. He works as Contributing Editor for Graham Cluley Security News and Associate Editor for Tripwire's "The State of Security" blog.