The AceKard Trojan has become one of the major worldwide threats against banks all over the world. First being detected in January 2014 it originally attacked banking users only in Russia, but currently users in Europe, USA and Australia are also being attacked.

The modus operandi of AceKard was originally like other strands of malware: The app can intercept SMS messages, hold the user for ransom by encrypting the operating system, and show overlays on multiple Android apps, such as the Google Play store, social media apps such as Facebook Messenger, and at least 20 different mobile banking apps. Similar to other malware it is being distributed by unofficial app stores, but there has also been at least one known instance where the malware has been downloaded by a Trojan app in the official Play Store. It is hard to judge the extent of the AceKard attacks, but only between May and September 2015 more than 6000 users were attacked. [1]

In October 2016 the criminals behind the Trojan introduced a new version, which become even more aggressive. [2] The original version would ask the user to enter their credit card details when certain apps, such as the Play Store was opened. This new version will also ask the user for specific ID, depending on where the user is located. E.g., the user will ask for an “identity confirmation “if the user is in Singapore or Hong Kong. The final step is to ask the user to take a selfie with their card information.

This new aggressive phishing method is of course targeted directly at banking apps, when the banking app is only depending on user interaction through an app for user identification and authentication. If the user is tricked into giving up an image of themselves holding the identification there might be nothing stopping an attacker from creating accounts on behalf of the user.

In particular banks and financial institutions using systems such as ID now [3] should take care, and verify their enrollment process against the information extracted by such phishing attacks.

How can software developers protect against threats such as the AceKard Trojan? First, if a user expects to enter sensitive information through your app it should protect against overlays, at least when information is entered. The Protectoria Secure Mobile Platform has advanced protection against overlays, both active (as the application is running) and passive (after the user has entered information). Second, creating a separate application level environment where actions such as user enrollment and transaction authentication takes place can help you keep the most threatened parts of your application separate and protected from malware.

To learn more about Protectoria and our security solutions please see