The word "selfie" is now firmly an entrenched fragment of popular culture. It is such a prevalent activity that Oxford Dictionaries named it "Word of 2013."
Defined as "a photograph that one has taken of oneself, typically with a smartphone or webcam and uploaded to a social media site," the selfie is actually expanding from its narcissistic social media abode to more practical uses like biometric identification by mobile banking apps such as MasterCard.
If that sounds a little iffy due to obvious privacy (and vanity) concerns, then maybe this will take you off the selfie train for good. Hackers and cybercriminals are starting to sneak in malware that asks the victim to take final photos after gorging itself with stolen banking data.
Recently discovered, this selfie requesting banking Trojan infects Android smartphones and tablets by disguising itself as a codec or plugin required to view video content.
If the victim is curious enough to click and allow the "codec installation," this actually grants the Trojan malware all the permissions it needs to execute its sinister reason for being: stealing your data by overlaying phishing credit card information pages over legitimate apps.
This Trojan is actually a new variant of the Acecard phishing overlay malware for Android we've reported about before. Once activated, the malware lurks in the background and waits for the victim to open and launch specific apps that require credit card information. (Examples of these targeted apps are Google Play, Android Music, Videos, Books and Games, WhatsApp, Viber and Dropbox.)
If one of these apps is launched, the malware overlays a fake credit card information page over the real app, prompting the victim to enter a credit card number, card expiration date, phone number and security code located on the back of the card.
After the credit card number is "validated" (read: stolen), the malware proceeds to ask for more personal information for "identity verification" such as the card holder's name, birthday and mailing address.
And here comes the clincher - the malware finally asks for a selfie picture of the victim holding a valid ID card (passport, driver's license, etc.).
It's actually a three-step process. First, the victim takes a photo of the front side, then the back side of the valid ID. The third step requires the victim to take the final selfie with the ID card.
If the victim successfully follows all these directions then it's game over, the hackers will now have everything they need to access all of the victim's online banking accounts and heaven forbid, even completely take over his or her identity.
How to protect yourself
This selfie malware is a Trojan, meaning it disguises itself as something else, in this case, a codec or plugin that is needed for video playback. To avoid getting victimized by false plugins, do NOT install those from questionable sources. If you absolutely need a plugin, say, Adobe Flash Player, make sure you acquire it from its official website. And remember, when in doubt with any software, don't install.
Also, be wary of any apps that require a photo of a personal ID. It is also not a good idea to store any images of your sensitive IDs (passport, driver's license, social security card, etc.) in your phone.
Be careful when sideloading apps too. Better yet, do not download and install apps from third-party app stores outside the Google Play app store. Apps from outside sources are unverified and there's a chance they've been modified with malware.