Everyone Loves Selfies, Including Malware!

I was talking with some of my coworkers the other day about why I wanted to jump to the larger iPhone 7 Plus. For me it came down to the camera. I travel a lot for work and even though photography is something of a hobby of mine, I don’t always have my “good camera” with me, so I end up relying on my phone’s camera to take pictures of things that catch my eye. The camera has become such an integral part of the smartphone that it’s often (as in my case) a key factor in deciding which phone to use. More companies are starting to take advantage of the ubiquitous nature of the camera phone to let you do things like simulate a fax for a signed document or make deposits through your banking app by taking a picture of the front and back of the check. Thanks to my phone’s camera I can’t remember the last time I stepped inside a bank. Unfortunately, cybercriminals are also learning to take advantage of your phone’s camera.

The McAfee Mobile Research Team within McAfee Labs recently discovered a piece of Android malware that uses a bit of social engineering and some sneaky code to collect all sorts of personal information, ending with a picture of your ID card. That’s right, malware is now asking for you to take a selfie. While this particular piece of malware has only been impacting users in Singapore and Hong Kong so far, it’s always best to be aware of the current threats and prepare accordingly. Let’s take a quick look at what this piece of malware does.

Like a lot of malware, it tricks the user into installing it by pretending to be a video codec or plugin. By doing this, it’s actually getting the user to grant it all the permissions it needs to execute the malicious code. On a side note, this is why we would call this a Trojan instead of a virus since it is pretending to be a legitimate application with hidden functionality. Remember the story of the Trojan Horse? Same concept. Just much smaller.

This malware now runs in the background, waiting for you to open specific apps where it would make sense to ask for a credit card number. It then displays its own window over the legitimate app, asking for your credit card details. After validating the card number, it goes on to ask for additional information such as the 4-digit number on the back. Once fed that information, it will then proceed to ask for all sorts of additional information, claiming a need to validate your identity. Age, birthday, mailing address, etc. are all collected. After all of this info is gathered, it then asks for a picture of the front and back of your ID. Now, not content to just get that info, the malware asks you to take a selfie with your ID in hand. You thought taking a selfie with your boarding pass was bad! If you entered everything you were asked for, the cybercriminals controlling this malware would now have all the information they needed to gain access to your online accounts. While it’s not the first time we’ve seen malware that asks for a picture, this is the first time we’ve seen this in mobile malware. Cybercriminals have definitely turned their sights on the mobile platform.

How to Stay Safe

Don’t install shady plugins – The majority of the internet has settled on one of a handful of different formats to use for videos. If you go to a site that is asking you to install a “codec” or “video plugin,” don’t do it. Either that site is using an older, out-of-date video format (that could be vulnerable to more malware) or it is trying to get you to install malware. Either way, go to another site. If you think you are missing a legitimate plugin, go directly to the site that makes the plugin and install it from there. But really, most mobile operating systems have all the codecs you will need built in, so when in doubt, get out.

Don’t take a picture of your ID – You should always be skeptical when apps start asking for too much information. Entering payment information is one thing, but asking for a picture of your ID is a completely different ballpark. In general, storing that sort of information on a server (picture of your ID, passport, etc.) is not a good security practice, so even if an app you are using is legitimately asking for a copy of your ID, you may want to consider ditching that app for another one with better security practices.

Install security software – Typically I tell people to keep their devices up to date.  However, since this piece of malware is a Trojan and installs with the user’s permissions, having your system up to date would not stop this malware.  This is one reason you need to run security software, so it can keep an eye out for malicious apps like this that find tricky ways to get onto your device.

Cybercriminals are certainly not slowing down their efforts to steal your data, but with good security practices and the right protections in place, you have a fighting chance.

Stay on top of the latest consumer and mobile security threats by following me and @IntelSec_Home on Twitter, and ‘Like’ us on Facebook.

Stay Safe