ESET researchers have discovered a new Android Trojan that targets the official PayPal app and is able to bypass PayPal's two-factor authentication.
The Trojan, first detected by ESET in November 2018, combines the capabilities of a remotely controlled banking Trojan with a novel abuse of Android's accessibility features, and targets users of the official PayPal app.
So far, the malware poses as a battery-optimization tool and is distributed through third-party app stores. Once installed, the malicious app exits without providing any functionality and its icon disappears. From that point on, the researchers found, it proceeds in one of two ways.
Figure 1 – The disguise used by the malware at this stage
In the first scenario, the malware displays a notification prompting the user to launch it. Once the user opens the PayPal app and logs in, the malicious accessibility service (if the user has previously enabled it) mimics the user's taps to send money to the attacker's PayPal address. In the researchers' analysis the app tried to transfer 1,000 euros, but the currency used depends on the user's location. The whole process takes about five seconds, and an unsuspecting user has no feasible way to intervene in time.
Because the malware does not rely on stealing PayPal login credentials and instead waits for the user to log in, it can bypass PayPal's two-factor authentication. The attack fails only if the user has an insufficient PayPal balance and has no payment card linked to the account.
ESET has notified PayPal of the malicious technique used by this Trojan and of the PayPal account the attacker uses to receive the stolen money.
In the second scenario, the malicious app displays overlay screens imitating five legitimate apps: Google Play, WhatsApp, Skype, Viber and Gmail. These overlays cannot be closed by the user until a form is filled in with data. The researchers found that the screen disappeared even when false data was submitted.
However, the malware code contains strings claiming that the victim's phone has been locked because child pornography was viewed on it, and that it can only be unlocked by sending an email to a specific address.
Figure 2 – Malicious overlay screens for Google Play, WhatsApp, Viber and Skype
Figure 3 – Malicious overlay screen phishing Gmail credentials
Apart from these two core functions, and depending on the commands it receives from its C&C server, the malware can also send or delete SMS messages, download the contact list, make or forward calls, install and run applications, and so on.
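The two capabilities the article describes, an enabled accessibility service and permission to draw over other apps, are both visible from the device itself. The following triage helper is an added example (not ESET's code or anything from the report): it parses the output of two adb queries, embedded here as constructed sample text, and flags packages outside an assumed allowlist that hold either capability, with a package holding both being the strongest signal.

```python
"""Flag non-allowlisted Android packages that hold an enabled accessibility
service and/or the SYSTEM_ALERT_WINDOW (overlay) permission. Input is the
text of two adb queries; the samples below are constructed, not real output."""

# Constructed sample of: adb shell settings get secure enabled_accessibility_services
# Real format: colon-separated "package/ServiceClass" entries.
SAMPLE_ENABLED_A11Y = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:"
    "com.example.batterysaver/com.example.batterysaver.ClickService"
)
# Constructed sample of: adb shell appops get <pkg> SYSTEM_ALERT_WINDOW, one line per package.
# Assumed line format "SYSTEM_ALERT_WINDOW: <mode>[; time=...]".
SAMPLE_APPOPS = {
    "com.google.android.marvin.talkback": "SYSTEM_ALERT_WINDOW: default",
    "com.example.batterysaver": "SYSTEM_ALERT_WINDOW: allow; time=+3d2h11m47s ago",
    "com.whatsapp": "SYSTEM_ALERT_WINDOW: allow; time=+12d ago",
}
# Assumed allowlist: packages an organisation knows and trusts with these capabilities.
TRUSTED = {"com.google.android.marvin.talkback", "com.whatsapp"}


def parse_enabled_services(raw: str) -> dict[str, list[str]]:
    """Map package name -> list of its enabled accessibility service classes."""
    out: dict[str, list[str]] = {}
    for entry in raw.strip().split(":"):
        if "/" not in entry:  # skip empty or malformed entries
            continue
        pkg, svc = entry.split("/", 1)
        out.setdefault(pkg, []).append(svc)
    return out


def overlay_allowed(appops_line: str) -> bool:
    """True when the appops mode for SYSTEM_ALERT_WINDOW is 'allow'."""
    _, _, mode = appops_line.partition(":")
    return mode.strip().split(";")[0].strip() == "allow"


def suspicious_packages(a11y_raw: str, appops: dict[str, str], trusted: set[str]) -> dict[str, list[str]]:
    """Return {package: [reasons]} for untrusted packages holding either capability."""
    findings: dict[str, list[str]] = {}
    for pkg, services in parse_enabled_services(a11y_raw).items():
        if pkg not in trusted:
            findings.setdefault(pkg, []).append("accessibility service enabled: " + ", ".join(services))
    for pkg, line in appops.items():
        if pkg not in trusted and overlay_allowed(line):
            findings.setdefault(pkg, []).append("SYSTEM_ALERT_WINDOW allowed (can draw overlays)")
    return findings


if __name__ == "__main__":
    for pkg, reasons in suspicious_packages(SAMPLE_ENABLED_A11Y, SAMPLE_APPOPS, TRUSTED).items():
        print(pkg, "->", "; ".join(reasons))
```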
ESET advises users who have installed this Trojan to check their bank account for suspicious transactions and to change their internet banking password, PIN and Gmail password.
In the case of unauthorized PayPal transactions, they can report the problem to the PayPal Analysis Center.
For users whose device cannot be used because of a screen overlay, ESET recommends using the Safe Android feature and removing the application called Optimization Android in the Application manager / Apps section of the device settings.
To stay safe from Android malware in the future, ESET recommends that users:
- Trust only the official Google Play store for downloading apps.
- Check the number of installations, ratings and content of reviews before downloading apps from Google Play.
- Be careful about the permissions they grant to the applications they install.
- Keep their Android device updated.
- Use a reliable mobile security solution.