ESET researchers have found a new Android Trojan hidden inside a battery optimization app that tricks users into logging into PayPal, then takes over and mimics the user’s clicks to send money to the attacker’s PayPal address.
This happens because during installation, the app requests access to the Android “Accessibility” permission, a very dangerous feature that allows an app to automate screen taps and OS interactions.
If the official PayPal app is installed on the compromised device, the malware displays a notification alert prompting the user to launch it. Once the user opens it and logs in, the malicious accessibility service steps in to perform the transaction.
“During our analysis, the app attempted to transfer 1000 euros, however, the currency used depends on the user’s location,” Stefanko explained.
“Because the malware does not rely on stealing PayPal login credentials and instead waits for users to log into the official PayPal app themselves, it also bypasses PayPal’s two-factor authentication (2FA). Users with 2FA enabled simply complete one extra step as part of logging in, as they normally would, but end up being just as vulnerable to this Trojan’s attack as those not using 2FA.”
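Because the whole attack hinges on a non-assistive app holding the Accessibility permission, the practical check for a defender is to audit which services have it enabled. The following added example (not ESET’s or the article’s code) parses the value of Android’s `enabled_accessibility_services` secure setting, which on a real device is read with `adb shell settings get secure enabled_accessibility_services`, and flags any entry whose package is not on an allowlist. The sample setting value and the “battery optimizer” package name are constructed, and the allowlist is an assumption for illustration.

```python
"""Audit which apps hold Android's Accessibility permission (added example)."""
from typing import List, Tuple

# Constructed sample of the setting on a device where a screen reader
# (legitimate) and a bogus "battery optimizer" (suspect, made-up package)
# both have an accessibility service enabled. Entries are colon-separated
# "package/ServiceClass" pairs.
SAMPLE_SETTING = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:"
    "com.example.optimizer.battery/com.example.optimizer.battery.BoostService"
)

# Assumed allowlist: packages expected to hold Accessibility on this fleet.
ALLOWLIST = {"com.google.android.marvin.talkback"}


def parse_services(setting: str) -> List[Tuple[str, str]]:
    """Split the setting into (package, fully-qualified service class) pairs.

    An empty or "null" value (no services enabled) yields an empty list."""
    setting = setting.strip()
    if not setting or setting == "null":
        return []
    pairs = []
    for entry in setting.split(":"):
        if not entry:
            continue
        pkg, _, cls = entry.partition("/")
        # A class name starting with "." is shorthand relative to the package.
        if cls.startswith("."):
            cls = pkg + cls
        pairs.append((pkg, cls))
    return pairs


def suspicious_services(setting: str, allowlist=ALLOWLIST) -> List[str]:
    """Return the enabled service entries whose package is not allowlisted."""
    return [f"{pkg}/{cls}" for pkg, cls in parse_services(setting)
            if pkg not in allowlist]


if __name__ == "__main__":
    for svc in suspicious_services(SAMPLE_SETTING):
        print("Unexpected accessibility service enabled:", svc)
```

On a managed fleet the same check can be run against each device’s setting value, and any hit outside the allowlist is worth reviewing before the user next opens a payment app.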
This particular Trojan bundled up with the bogus battery optimization app is distributed via third-party app stores, but the researchers also spotted five malicious apps with similar capabilities on Google Play, masquerading as tools for tracking the location of other Android users.
That malware concentrates on phishing the credentials for online banking services for several Brazilian banks, as well as on thwarting uninstallation attempts by AV or app manager apps.
The heist won’t go unnoticed by the victim if they are looking at the phone screen, but they will be unable to do anything to stop the transaction from being executed, as it all happens in a matter of seconds.
The only thing that will prevent the theft is the user having an insufficient PayPal balance and no payment card connected to the account.
Users who have installed the PayPal-targeting Trojan would do well to check if their accounts have been drained (the malware can repeat the stealing manoeuvre) and to report the unauthorized transactions to PayPal. Changing their Gmail and online banking passwords is also a good idea.