Android Trojan Asks Victims To Submit a Selfie Holding Their ID Card (softpedia.com)
An anonymous reader writes from a report via Softpedia: Untrained and gullible Android users are now the target of an Android banking trojan that asks them to send a selfie holding their ID card. The trojan, considered the most sophisticated Android trojan known today, is named Acecard, and this most recent version has been detected only in Hong Kong and Singapore for now. The purpose of requiring a selfie of the victim holding his/her ID card is for the crook to prove himself when making fraudulent bank transactions, calling tech support posing as the victim, or for taking over social media accounts for Facebook or Twitter, which often require ID scans in the case of account takeover disputes. The report adds: "A previous version of the Acecard trojan hid inside a Black Jack game delivered via the official Google Play Store. In the most recent version of this threat, security experts from McAfee have found a new version of the Acecard trojan hidden inside all sorts of apps that pose as Adobe Flash Player, pornographic apps, or video codecs. All of these apps are distributed outside of the Play Store and constantly pester users with permission requirement screens until they get what they want, which is administrator rights. Once this step is achieved, the trojan lies in hiding until the user opens a specific app. McAfee experts found that when the user opens the Google Play app, the trojan springs a new social engineering trap."
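An added example, not part of the summary or the McAfee report: a triage script that flags apps installed from outside the Play Store and raises the severity when such an app also holds device-administrator rights, the combination the summary describes. The sample text is constructed; it assumes the `package:<name>  installer=<name>` layout of `adb shell pm list packages -i` and a `ComponentInfo{package/receiver}` form for active admins in `adb shell dumpsys device_policy`.

```python
import re

# Constructed sample of `adb shell pm list packages -i` output (not a real device).
SAMPLE_PACKAGES = """\
package:com.android.chrome  installer=com.android.vending
package:com.google.android.gms  installer=com.android.vending
package:com.example.flashplayer.update  installer=null
package:com.example.videocodec  installer=com.android.packageinstaller
package:com.example.notes  installer=com.android.vending
"""

# Constructed sample of active device-admin components (assumed layout of the
# relevant lines in `adb shell dumpsys device_policy`).
SAMPLE_ADMINS = """\
admin=ComponentInfo{com.example.flashplayer.update/com.example.flashplayer.update.AdminReceiver}
admin=ComponentInfo{com.google.android.gms/com.google.android.gms.mdm.receivers.MdmDeviceAdminReceiver}
"""

TRUSTED_INSTALLERS = {"com.android.vending"}  # Google Play; extend for a managed store
PKG_RE = re.compile(r"^package:(\S+)\s+installer=(\S+)$")
ADMIN_RE = re.compile(r"ComponentInfo\{([\w.]+)/")

def parse_installers(text):
    """Map package name -> installer package (None when recorded as 'null')."""
    result = {}
    for line in text.splitlines():
        m = PKG_RE.match(line.strip())
        if m:
            result[m.group(1)] = None if m.group(2) == "null" else m.group(2)
    return result

def parse_admins(text):
    """Return the set of package names that own an active device-admin component."""
    return set(ADMIN_RE.findall(text))

def audit(packages_text, admins_text, trusted=TRUSTED_INSTALLERS):
    """List (severity, package, installer) for every app not installed by a trusted store."""
    installers = parse_installers(packages_text)
    admins = parse_admins(admins_text)
    findings = []
    for pkg, inst in sorted(installers.items()):
        if inst in trusted:
            continue  # store-installed apps are out of scope for this check
        findings.append(("HIGH" if pkg in admins else "review", pkg, inst))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_PACKAGES, SAMPLE_ADMINS):
        print(finding)
```

Preinstalled system apps can also report no installer, so a "review" entry is a prompt to look at the app, not a verdict.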
You deserve to get owned (Score:2)
Seriously, this is Darwinism. Morons must die.
Re:You deserve to get owned (Score:4, Interesting)
Why should the information on my Driver's License/Passport that I show publicly to all sorts of people like bartenders or security cards put me at any risk?
Re: (Score:3)
Identity fraud? The more they add to the dossier, the more likely they can successfully claim they are you.
Re:You deserve to get owned (Score:4, Interesting)
Here is the problem, you've basically described security through obscurity.
But here is what I know about ID. It has to be public info in order to verify you are who you say you are. YOU are NOT your ID.
The problem with ID is that it assumes the person with the ID is the person being identified. It puts no responsibility upon the person who is trying to verify identity from ID. Here is my solution. Make ID the responsibility of the person verifying identity, not the person who is being identified.
Someone goes in to get a loan, the bank needs to make sure the person is who they say they are, and if they are not, are liable. So when an ID thief comes in with my info, and says they are me, and takes out a loan as me, that I am NOT responsible for that transaction (as it is today, and why LifeLock makes a mint). I shouldn't have to repair anything when someone presents themselves fraudulently as me.
Re: (Score:2)
Well, yeah, but identity thieves build up dossiers over time. A bit from here, a bit from there, and when it hits some level of 'legitimacy', it's then used, usually for a money grab. While the data on a driver's license is 'out there', it's not necessarily a search away to anyone.
Pragmatically, it can be very difficult to get out from under the damage caused by a major id theft, especially if it has been ongoing for years without your knowledge.
Re: (Score:2)
I'm not disputing that it is the case - I've heard the stories too.
What I don't understand is how any sane legal system allows two parties to make a contract on behalf of a third party, absent the typical situations where they have prior authorization to do so.
Why can't the alleged debtor turn up with a letter purporting to be f
Re:You deserve to get owned (Score:5, Insightful)
Because we have allowed these things to become, essentially, universal passwords.
You will most likely tell your friends to never use the same password for multiple sites, and then turn around and identify yourself EVERYWHERE with your driver's license or social security card. It's the same thing, just in the real world.
Re: (Score:2)
And you let your bartender take pictures of it too?
Re:You deserve to get owned (Score:4, Funny)
Joke's on them. I held up my credit card instead.
Re: (Score:2)
Re: (Score:1)
Well, first you have to get legitimate entities like Facebork to stop requesting the exact same thing. This one isn't quite a case of "legit companies don't do that" like is the case with the IRS communicating by phone or email or such things.
Re: (Score:1)
Well, those people were using Android, so they were kinda asking for it.
More than likely, they were downloading APK files for commercial apps from whatever site they got in a search result. This is the direct equivalent of all the Mac users that got hit with malware when they installed cracked copies of Photoshop a few years ago.
You can crack an iPhone too, and also install things from outside the walled garden, which of course puts you at risk.
But what's curious, is that iOS has absolutely allowed full-on "Sideloading" [osxdaily.com] for a couple of YEARS now, (in fact, there is a Mac/Windows Application called "Cydia Impactor" that doesn't require Jailbreaking, nor a Mac with XCode) and yet, other than that old Bootleg iLife installation (IIRC, that happened long BEFORE the legit Sideloading), you don't hear about the Exploit du Jour with iOS like you do with Android. Why? Surely there are enough people taking advantage of that "Freedom" that there would have
Re: (Score:2)
Re: (Score:1)
iOS jails applications. That's why breaking out is called "jailbreaking".
Every app runs in a sandbox that's really limited in what it can do - if Apple hasn't blessed it and you can't find a private API to do it, you can't do it.
That's why certain apps are just not possible on iOS by default - Apple doesn't provide an API to do it. iOS also limits what can be done - apps can share very little except through very narrow pathways (they can hand off complete files, so Safari can hand off a PDF to a PDF viewer, but once it does, it loses all access to it), and a few other pathways including ad blocking. It's also why multitasking is limited to certain conditions and scenarios.
In Android, an app pretty much has full access to the system, within the permissions it requests. The only protection is via the permissions system. For Apple, the APIs themselves enforce protections - if you try to access the contacts list, the API will pop up the modal dialog. Ditto with location services, photos (which can be a way to get location), make a phone call (the dialer will pop up) and text messages.
When you sideload on iOS, all you're doing is installing an app. That app has the same restrictions regular apps do.
Jailbreaking is a technique on iOS meant to break out of the app jail, and thus allow any application to be installed. Like firewall applications, apps that re-skin the interface etc. Jailbroken apps have full access to the system and in this case you really don't have any app protections. It's the reason why jailbroken iPhones are a security risk because even regular apps can access stuff they shouldn't.
Yes, iOS implements Sandboxing for ALL applications. You talk about that like it's a Bad Thing. iOS' non-record of identity theft, vs. Android's long and storied history of Identity Theft, nicely proves that Apple made the right decision, sorry.
It is not "Blocking" a Service or "Jailing" an Application to require User Permission at the time of Attempted Accessing of certain sensitive Services/Data. Again, I point to the fact that Apple has a pretty-much PRISTINE record for NOT having some random App steal
Re: (Score:1)
It's in Hong Kong, you'll have 1000 photos that look like the same person!
FWIW, Android lets you block notifications per app (Score:2)
Settings -> Apps -> [app in question] -> Notifications -> Block all
You can also control most app permissions (independent of the app requesting them) in the same place.
Settings -> Apps -> [app in question] -> Permissions
Doesn't let you control an app's network usage (except cel