While some payment card companies like Mastercard have switched to selfies as an alternative to passwords when verifying IDs for online payments, hackers have already started taking advantage of this new security verification methods.

Researchers have discovered a new Android banking Trojan that masquerades primarily as a video plugin, like Adobe Flash Player, pornographic app, or video codec, and asks victims to send a selfie holding their ID card, according to a blog post published by McAfee. The Trojan is the most recent version of Acecard that has been labeled as one of the most dangerous Android banking Trojans known today.

It seems that there is now a typical scenario for malware evolution. First cybercriminals release a skeleton with basic functions — that piece of malware behaves quietly, showing almost no malicious activity.

Usually it comes in sight of several anti-virus companies shortly after it’s release, but the researchers treat it like yet another piece of potentially malicious code: nothing of particular interest. After some time the trojan gets additional functionallity and becomes capable of doing way more harm than the first version potentially could. During the third step, the massive attack campaign begins: thousands of devices get infected and then the trojan does it’s dirty job.