Hackers can now hijack your face. Here’s how to fight back

A person at a computer in contact with many people securely.
(Image credit: iStock)

The future of mobile malware is here. For the first time, cybercriminals are infiltrating iOS and Android devices and stealing user face scans. Then, armed with the power of deepfakes and AI, they’re replicating the user’s likeness to break into their bank accounts.

Yes, you read that correctly. Today’s technology allows bad actors to spoof biometric safeguards and hijack your face. This hack is as novel as it is terrifying – and it warrants immediate action from enterprises and users alike.

The arrival of deepfake hacking

This is truly a brave new world of hacking. Believed to be developed by the Chinese-speaking crime group GoldFactory, this hack uses fake apps to trick users into performing biometric verification checks. Unwittingly, users then share the facial scans required to bypass the same checks employed by legitimate banking apps in Asia Pacific.

The hackers do this by – and here’s the real innovation – using AI-powered face-swapping platforms. With biometric data in hand, as well as the ability to intercept 2FA text messages, these cybercriminals create deepfake replicas of their victims, enabling unauthorized access to their banking accounts. The result is an app scam that researchers have never seen before.

In a way, this hack reminds me of Cherryblos, another threat I wrote about in November that uses mobile malware to extract passwords and sensitive information from images. Now, it seems, hackers are turning their efforts from static images to user faces.

Unfortunately, it’s understandable why hackers are going down this route. Facial biometrics are one of the most popular mobile access methods and are used at least once a day with an app by more than 130 million Americans. Up until this point, facial biometrics have been seen as a trusted alternative to passwords. The authentication method is quick, convenient, and difficult to falsify. This cunning attack shows that it’s indeed tough to crack – but not impossible.

Apu Pavithran

Founder and CEO, Hexnode.

Enterprises must fight fire with fire

This hack is only currently active in a specific region and a specific app vertical but don’t be fooled – it’s a sign of threats to come. The entry barrier for AI and deepfake technology is low and any hacking actor with a semblance of budget and know-how is looking at this case for inspiration. For enterprises, this means fighting fire with fire and building robust mobile malware and biometric identification protections today.

This starts with getting a grip on the apps in your ecosystem. A good way to do this is by creating a custom “store” with approved apps for corporate endpoints. Think of it like your own Play Store or App Store. Here, you can also modify permissions to regulate the level of control the app has over target devices and remove anything resembling risky behavior. It’s also vital to have strict cybersecurity criteria when inspecting which apps do or don’t make your store. If something doesn’t meet your standards, blacklist it.

Next, adhere to best practices to combat mobile malware, beginning with maintaining up-to-date devices through effective patch management. Enable auto-updates, install updates promptly upon release, and automate software modifications outside of business hours. Similarly, prioritize security scans and device monitoring. Deploy a user session monitoring system to identify malware and block suspicious sessions before users share any personal data.

Finally, watch out for the telltale signs of malware infection. This includes things like device battery drain, unusual data storage, slow performance, and strange behavior. Regular audits with a unified endpoint protection software platform can help to uncover these device malfunctions. Additionally, so can another enterprise resource: employees.

Spotting and stopping social engineering attacks

In the “face” of this new threat – excuse the pun – employees are arguably the most important cybersecurity element for enterprises to get right. Why? Because social engineering is malware’s main infection avenue and this case is no different.

This hack isn’t capitalizing on Android or iOS vulnerabilities. Rather, for this facejacking malware to work, the victim must authorize relevant permissions, therefore requiring a multi-stage social engineering strategy to gain entry into the phone.

This point is worth repeating. The malware cannot rip official biometric data on Android or iOS since this information is – rightfully – encrypted and kept separate from running apps. The entire hack relies on tricking the user. Only once invited inside the device can the trojan horse then read incoming SMS messages, control background functions, and request to capture the victim’s face.

Now more than ever, users must understand how to stay safe for their own good and that of the enterprise. IT must spearhead cyber hygiene initiatives and instruct employees to avoid clicking suspicious links, use company-approved apps, and report device problems like failed software updates or irregular performance.

And, in this evermore complicated landscape of cybersecurity and AI, remind users to think twice whenever an app asks for a face scan.

We've listed the best free Android apps.

This article was produced as part of TechRadarPro's Expert Insights channel where we feature the best and brightest minds in the technology industry today. The views expressed here are those of the author and are not necessarily those of TechRadarPro or Future plc. If you are interested in contributing find out more here: https://www.techradar.com/news/submit-your-story-to-techradar-pro

Apu Pavithran is the founder and CEO of Hexnode.