Slashdot Mirror


Android Trojan Steals Money From PayPal Accounts Even With 2FA On (welivesecurity.com)

ESET researchers have discovered a new Android Trojan using a novel Accessibility-abusing technique that targets the official PayPal app, and is capable of bypassing PayPal's two-factor authentication. A report elaborates: At the time of writing, the malware is masquerading as a battery optimization tool, and is distributed via third-party app stores. After being launched, the malicious app terminates without offering any functionality and hides its icon. This video, courtesy of ESET, demonstrates the process in practice.

56 comments

  1. Because PayPal's 2FA is shit by AmiMoJo · · Score: 2

    PayPal still sends you codes by SMS, so of course any software on your phone that can intercept SMS messages can read them. They don't seem to support U2F at all.

    --
    const int one = 65536; (Silvermoon, Texture.cs)
    SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    1. Re:Because PayPal's 2FA is shit by mermeid007 · · Score: 1

      This symptom happens a lot in Android with apps designed for previous versions. Google changes something in the core activity/intent lifecycle and apps break for apparently no reason.

    2. Re:Because PayPal's 2FA is shit by JaredOfEuropa · · Score: 4, Insightful

      Even some banks do this. People need to understand that SMS is NOT 2FA... especially when the device handling the payment is the same one that is receiving the auth code.

      --
      If construction was anything like programming, an incorrectly fitted lock would bring down the entire building...
    3. Re:Because PayPal's 2FA is shit by Deathlizard · · Score: 1

      They used to sell hardware-based 2FA keys from VeriSign, but they dropped support once the PayPal app came out.

      It's the #1 reason why I don't use the app. To use it you have to disable your old hardware key, which still works for me.

    4. Re:Because PayPal's 2FA is shit by Anonymous Coward · · Score: 1

      If you do both auth requests on the same device you do not really have 2FA, esp. as this is a phone. If you have two virtual machines on a PC or laptop then this may, but does not have to, be 2FA. Bottom line is, the two factors mean a separation big enough. One smartphone cannot provide it. As always there is a certain level of comfort that you cannot exceed if it is dealing with your money. After all, paper money, when it was introduced, was also a PITA but provided some security by removing the need to carry silver and gold with you. Now you need two phones I guess, and they should be really separated, or somebody develops an app that connects actions on all accounts connected to e.g. FB, and SMS received on one is then captured and the info passed to another instance on another device. I am sure if two devices are a popular option, some day this will happen eventually too.

    5. Re:Because PayPal's 2FA is shit by JaredOfEuropa · · Score: 1

      SMS in itself is not an auth factor in the sense of "something you have". Your phone may be "something you have" if there is a way it can positively identify itself in a way that cannot be duplicated. For example by using the Google Authenticator app. The problem with SMS is that it is your SIM card that becomes "something you have"... and SIM cards can be cloned relatively easily. Not easy enough to do it en masse, but it's worth the effort once you've identified a high value target. They've used this to get at bank accounts with a lot of money in them, or to hijack high profile social media accounts for ransom.

      --
      If construction was anything like programming, an incorrectly fitted lock would bring down the entire building...
    6. Re:Because PayPal's 2FA is shit by Anonymous Coward · · Score: 0

      What he is saying is that even Google Authenticator is not 2FA if it is running on the same device as the app that needs to be authenticated.

      Even though the apps are sandboxed, a compromised kernel will have access to both the token generator and the app that needs to be authenticated.

    7. Re:Because PayPal's 2FA is shit by ctilsie242 · · Score: 1

      The ironic thing is that SIM cards support apps that can run solely on the SIM card and not leave it. AT&T had something called Softcard. This used an app on the SIM card to authenticate transactions. It didn't matter what the phone did as all the authentication happened on the individual SIM card.

      Google bought this technology, and is sitting on it. Wish they would use it.

    8. Re:Because PayPal's 2FA is shit by thegarbz · · Score: 1

      People need to understand that SMS is NOT 2FA...

      My company doesn't understand this either. We use Microsoft Authenticator for 2FA codes. Problem is, software used on the phone (e.g. SAP Concur) then requests 2FA authorisation from the same phone. It's the biggest waste of time in the world given that it already knows I'm on an approved phone and helpfully bypasses the first factor.

    9. Re: Because PayPal's 2FA is shit by Anonymous Coward · · Score: 0

      Indeed. For a few years PayPal let you use Symantec's VIP 2FA app, but it was hell configuring it. It got to the point PayPal kinda half removed access to its VIP Access configuration page and I figured out I could get to it only by clicking "cancel" on some screen, like a Zork game. But after 2-3 years that stopped working, too, so I called PayPal tech support. The 1st tier agent transferred me to a 2nd tier agent, who'd never heard of VIP Access and tried to tell me I didn't need it. Result: I canceled my PayPal account immediately after having it since 2002.

      And for the 2-3 years VIP Access worked, I posted feedback on PayPal boards, including its so-called live internal board, plus emailed support and executives about. They're garbage.

      PayPal is a dumpster-fire company entering late-stage MySpace-Yahoo-AOL decline.

    10. Re:Because PayPal's 2FA is shit by Anonymous Coward · · Score: 0

      Indeed. PayPal used to support time-based OTP (the PayPal "Football"), but they deprecated that years ago in favor of SMS.

    11. Re: Because PayPal's 2FA is shit by houghi · · Score: 1

      So the authenticator app that is on my phone is good, but the SMS that is on my phone is not good?

      --
      Don't fight for your country, if your country does not fight for you.
    12. Re:Because PayPal's 2FA is shit by Anonymous Coward · · Score: 0

      2FA needs to be out-of-band to be secure.

      This means you can use SMS, Google Authenticator, etc... as a 2nd factor to authenticate to a web application on your PC, but you can't use these to authenticate to an app on your phone. (Malware could intercept this.)
      For secure 2FA of mobile apps, you need a 2nd factor not involving your phone.

  2. Whatever. by Anonymous Coward · · Score: 0

    Who needs PayPal, anyway?

  3. No one. by Anonymous Coward · · Score: 1

    Canceled years ago because they made yet another change to their terms and conditions and all the embedded documents in the EULA after a few days or whatever.

    I actually read them - once.

    In a nutshell it states, 'we're gonna fuck the seller and then the buyer but we, PayPal will never take a hit. Fuck you ; pay me! Got a problem with that? Come to California, use our arbitration firm and Fuck you!'

    1. Re:No one. by OrangeTide · · Score: 1

      You don't have to use arbitration if PayPal breaks the law. And that includes negligence. It'll be the civil court system and it's probably not worth attempting as an individual unless you lost hundreds of thousands of dollars.

      For small amounts it might be fun to take PayPal to small claims court in any state they do business. Depending on your state, it's no skin off your back if the case doesn't work out. And PayPal would have to bring in a lawyer to represent them, costing them probably more than they owe you. Logically they should settle once a hearing is scheduled, and save themselves a lot of money. But admittedly corporations can't be trusted to behave in a rational way.

      --
      “Common sense is not so common.” — Voltaire
  4. The real purpose of 2FA by Anonymous Coward · · Score: 3, Insightful

    2FA has always been just an excuse for them to get people to surrender their phone numbers and other private information.

    Phone numbers are less likely to change and can more or less uniquely identify a person. Sell phone number information to 3rd parties and those 3rd parties can easily identify other services that you use and create profiles on you.

  5. Because it’s not 2-factor! None of those are by Anonymous Coward · · Score: 0

    It’s twice the same factor! Just with one a bit disguised.

    While the point of 2-factor is to have two DIFFERENT factors.

    I have yet to see a mainstream service that used actual two-factor auth. Let alone 3-factor, how it should be.

  6. PayPal = best avoided, period. by Anonymous Coward · · Score: 0

    Seriously, it's been obvious for years that PayPal was adding risk to transactions and that those victimized had little or no recourse.

    For this alone, I hope Elon Musk and Peter Thiel both get terminal cancer.

    1. Re:PayPal = best avoided, period. by 110010001000 · · Score: 0

      When Musk makes his colony on Mars you will have to use Paypal to pay for your Mars Tesla and to use the Hyperloop.

    2. Re:PayPal = best avoided, period. by Oswald+McWeany · · Score: 1

      When Musk makes his colony on Mars you will have to use Paypal to pay for your Mars Tesla and to use the Hyperloop.

      Is he still involved in Paypal? I thought he was no longer involved in that business.

      --
      "That's the way to do it" - Punch
  7. Re: Because it’s not 2-factor! None of those by Anonymous Coward · · Score: 0

    There is a very easy fix for this but hardly anyone ever tries it. Check the FAQ on the android app deployment tutorial. It's very easy. Something like filling in all the optional xml attributes in the manifest.

  8. There are things to say about Apples closed gate. by jellomizer · · Score: 3, Insightful

    Now it really sucks that I cannot use my iDevice to play game ROMs, emulate PCs, or have my own programming language so I can use my phone as a personal computer with a tiny screen.
    However, the apps for the device that I download, for the most part, usually work well and are not malware.

    --
    If something is so important that you feel the need to post it on the internet... It probably isn't that important.
  9. No excuses. by Anonymous Coward · · Score: 1

    This symptom happens a lot in android with apps designed for previous versions. Google changes something in the core activity/intent lifecycle and apps break for apparently no reason.

    If one is going to develop for Android then they have to take that into consideration because it's on YOU in the end.

    I WAS a Developer on the OS/2 for Windows team in the early 90s and I KNOW what it's like to have shit break on you ...because. But it was on us - regardless of what IBM Marketing said.

    Also, if the Android team is making such changes like that where app developers can't keep up for whatever reason, I'd put much of the blame on the Android team.

    Nevertheless, the pointing fingers bullshit doesn't do anything for the consumers who are the victims. Their only choice is to say, "fuck Android anything. If I want a smartphone, I guess it's Apple and re-mortgaging my house to buy a phone."

    Jesus Christ, I almost miss the days of $3,000 IBM PCs running DOS.

    I'd say, "get off my lawn" but I'm in a home and it's banana pudding and pizza day and there's Matlock marathon on!

  10. not a problem by Anonymous Coward · · Score: 1

    Still better than iPhone which steals all your money at purchase

    1. Re:not a problem by TheFakeTimCook · · Score: 1

      Still better than iPhone which steals all your money at purchase

      Fuck off, COWARD!

    2. Re:not a problem by Anonymous Coward · · Score: 0

      Fuck off, COWARD!

      Your tears sustain us.

  11. Re:There are things to say about Apples closed gat by Solandri · · Score: 3, Insightful

    However the apps for the device, I download for the most part usually work well, and are not malware.

    The same is true for Android. The apps I download for my Android device, for the most part usually work well and are not malware. I think we're just seeing the effect of Android's 88% market share vs iOS's 12%. Even if there's the same amount of malware for each OS, it has 7x the impact on Android so there are 7x as many news stories about it. And malware authors get 7x the return on investment attacking Android than they do iOS, so even if all other things are equal they're more likely to target it.

    Obscurity is not security.

  12. Not in the Google Play store by Monoman · · Score: 2

    These exploits almost always require extra steps to get the offending app installed.

    "At the time of writing, the malware is masquerading as a battery optimization tool, and is distributed via third-party app stores."

    --
    Keep the Classic Slashdot.
  13. 99.999999% of Users NOT at Risk? by TheCowSaysMoo · · Score: 4, Informative

    First Problem: "At the time of writing, the malware is [...] distributed via third-party app stores." I searched Google Play and confirmed it's not listed. Your average user doesn't even know third-party app stores exist.

    Second Problem: "[The malware sends a request that] is presented to the user as being from the innocuous-sounding 'Enable statistics' service." The screen states that the service will "Observe your actions: Receive notifications when you're interacting with an app" and "Retrieve window content: Inspect the content of a window you're interacting with." Do the authors know the definition of the word innocuous? Because those permissions do not seem to fit the standard definition. At a minimum, it reads like spyware.

    Third Problem: The "PayPal" alert that appears is identified in the notification as "Optimization Android," not "PayPal." If you're wandering around third-party Android app stores, you should be knowledgeable enough to recognize this. I don't wander around third-party Android app stores, but if I receive a notification I'm not expecting, I *always* check the source at the top of the notification.

    So, if I manage to download a "battery optimization" app from somewhere other than the Google Play store and then enable what reads like spyware and have PayPal installed and decide that it's completely okay/normal for PayPal to coincidentally alert me to confirm my account right after agreeing to spyware privileges, I'm at risk.

    Also, it seems like this is not just a PayPal issue, but a "user giving too many privileges to an app" issue since TFA shows the malware's phishing screen overlays for Gmail, Google Play, WhatsApp, Viber, and Skype. And, given how the malware works, it seems that it could be applied to any installed app, so are they targeting PayPal simply because of the number of installs and not because of any inherent flaws in PayPal's app?

    1. Re:99.999999% of Users NOT at Risk? by AvitarX · · Score: 2

      I'd think that SMS as the only 2FA option is a problem with paypal.

      There's been multiple reports of SMS hijacking (usually with social engineering at a phone company) leading to theft.

      Sure, "Retrieve Window Content" likely invalidates most other 2FA on the same phone, but I suspect that FIDO U2F would be immune from this type of attack. Or a Google Authenticator keyboard similar to what Password Safe does.

      SMS is almost certainly not secure, and as we see here, it really doesn't even protect from an automated attack.

      --
      Wow, sent an e-mail as suggested when clicking on "use classic" banner, and got a fast response that addressed my msg
    2. Re:99.999999% of Users NOT at Risk? by TheCowSaysMoo · · Score: 3, Interesting

      I suspect that that FIDO U2F would be immune from this type of attack. Or a Google Authenticator keyboard similar to what password safe does.

      I don't see how any type of authentication would be immune from this attack. This malware does zero authentication; it's all done by the user. The malware *prompts* the user to login and, after the user completes all authentication, the malware then "steps in and mimics the user’s clicks to send money to the attacker’s PayPal address."

      This is the equivalent of someone posing as a computer repairman for a 95-year-old and asking them to login to their bank account so the repairman can give it a "security check" and then the repairman transfers all the funds to their own account. No authentication in the world is going to stop that because the user has granted too much permission to someone that never should have had permission in the first place.

    3. Re:99.999999% of Users NOT at Risk? by AvitarX · · Score: 1

      I thought FIDO was un-MITMable (not quite sure how, but that's their premise).

      You need the system itself to have a direct channel to the key (and that to actually be secure), and then the key sends a response.

      So basically PayPal sends challenge that goes directly to the key, key sends response directly to PayPal. Malicious app (or website) cannot get in the center of this, because, I don't know, reasons I guess.

      I suspect that there is a public key for the destination that is published somehow and therefore the response can't be intercepted. Similarly the challenge can be signed so that it is verified from coming from the correct source.

      I guess if it's mimicking clicks using an authenticator app doesn't help.

      It looks like to spoof U2F, at the very least they'd need to compromise a cert authority. That seems like it would prevent SMS hijacking and the vast majority of MITM.

      https://security.stackexchange...

      --
      Wow, sent an e-mail as suggested when clicking on "use classic" banner, and got a fast response that addressed my msg
    4. Re:99.999999% of Users NOT at Risk? by rthille · · Score: 1

      The summary is stupid. It has nothing to do with 2FA. Basically, the app uses Android's accessibility features that allow one app to "drive" another app as if it were the user touching the screen. The malware uses that ability, after duping the user to open the PayPal app and authenticate (*however that needs to be done*), to drive the already-logged-in PayPal app in such a way as to transfer money to the malware author.

      --
      Awesome furniture, accessories and cabinetry in Santa Rosa, CA: http://humanity-home.com/
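
An added audit check, not code from the ESET report, from PayPal, or from any commenter in this thread. The "Observe your actions" and "Retrieve window content" capabilities quoted above, and the click-driving described in the reply just above, are what an Android AccessibilityService gets once the user enables it, and Android records every enabled service in Settings.Secure. The script parses the two strings returned by `adb shell settings get secure accessibility_enabled` and `adb shell settings get secure enabled_accessibility_services` (a colon-separated list of flattened ComponentNames, either `package/fully.qualified.Class` or the shorthand `package/.Class`) and flags any service whose package is not on an allowlist. The sample strings, the package `com.example.batteryoptimizer`, and the allowlist are constructed for illustration, not taken from a real device.

```python
"""Flag accessibility services enabled on an Android device that are not allow-listed.

Inputs are the raw values of the Settings.Secure keys `accessibility_enabled` and
`enabled_accessibility_services`, e.g. as printed by `adb shell settings get secure ...`.
"""


def parse_services(raw):
    """Return (package, fully qualified class) pairs.  "" or "null" means no services."""
    raw = (raw or "").strip()
    if raw in ("", "null"):
        return []
    services = []
    for item in raw.split(":"):
        if not item:
            continue
        pkg, _, cls = item.partition("/")
        if cls.startswith("."):          # ComponentName shorthand: class relative to package
            cls = pkg + cls
        services.append((pkg, cls))
    return services


def audit(accessibility_enabled, raw_services, allowlist):
    """Return enabled services whose package is not in `allowlist`.

    Services listed while the master flag is "0" are not active, so nothing is flagged then.
    """
    if accessibility_enabled.strip() != "1":
        return []
    return [(pkg, cls) for pkg, cls in parse_services(raw_services) if pkg not in allowlist]


# Constructed sample, not real device output: TalkBack plus an unknown "battery optimizer".
SAMPLE_ENABLED = "1"
SAMPLE_SERVICES = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService"
    ":com.example.batteryoptimizer/.StatsService"
)
ALLOWLIST = {"com.google.android.marvin.talkback"}   # assumed per-device allowlist

if __name__ == "__main__":
    for pkg, cls in audit(SAMPLE_ENABLED, SAMPLE_SERVICES, ALLOWLIST):
        print(f"unexpected accessibility service: {pkg} ({cls})")
```

Run it against a real device by piping the two `adb shell settings get secure` outputs into `audit`; an entry that belongs to a "battery optimizer" or any app with no accessibility purpose is the pattern this thread is about.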
    5. Re:99.999999% of Users NOT at Risk? by Anonymous Coward · · Score: 0

      U2F COULD prevent this. A U2F key requires a user's touch to confirm authentication and, in a sane and just world, the U2F factor could be required on each payment.
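
An added example, not code from PayPal, ESET, or any commenter: the challenge/response exchange AvitarX is reasoning about above, with both the token's side and the server's side written out, plus the touch requirement this reply mentions. HMAC-SHA256 stands in for the token's signature so the script runs on the Python standard library; a real U2F/FIDO2 token signs with a per-relying-party ECDSA key pair and the server holds only the public key. The signed fields (rpIdHash, flags, counter, clientDataHash), the origin binding, the user-presence flag, the monotonic counter, and the one-shot challenge follow the real protocol. The relying party `paypal.example`, the phishing host `paypa1.example`, and the user `alice` are placeholders. The scenarios show which check rejects a challenge relayed through a phishing page, an assertion obtained by a rogue app on the same phone, a rewritten origin, a replay, and a response with no touch.

```python
"""Simulated U2F/WebAuthn authentication: what the token signs, what the server checks.

HMAC-SHA256 stands in for the token's ECDSA signature (assumption, for a stdlib-only
script); field layout, origin binding, touch flag, counter and one-shot challenge are real.
"""
import hashlib, hmac, json, secrets

UP_FLAG = 0x01   # authenticatorData flag bit: the token registered a physical touch


def rp_id_hash(rp_id):
    return hashlib.sha256(rp_id.encode()).digest()


class Authenticator:
    """Stand-in token: one key per relying party, a monotonic counter, a touch flag."""

    def __init__(self):
        self.keys, self.counter = {}, 0

    def register(self, rp_hash):
        self.keys[rp_hash] = secrets.token_bytes(32)
        return self.keys[rp_hash]          # a real token returns a public key here

    def authenticate(self, rp_hash, client_data_hash, touched):
        key = self.keys.get(rp_hash)
        if key is None:                    # no credential for this appId/rpId: refuse
            return None
        self.counter += 1
        auth_data = rp_hash + bytes([UP_FLAG if touched else 0]) + self.counter.to_bytes(4, "big")
        sig = hmac.new(key, auth_data + client_data_hash, hashlib.sha256).digest()
        return {"authenticatorData": auth_data, "signature": sig}


def get_assertion(token, origin, challenge, rp_id=None, touched=True):
    """Client side.  A browser derives rp_id from the page origin; the rp_id override
    models a rogue app on the phone that names the real RP to the token."""
    rp_id = rp_id or origin.split("://", 1)[1]
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                              "origin": origin}, sort_keys=True).encode()
    resp = token.authenticate(rp_id_hash(rp_id), hashlib.sha256(client_data).digest(), touched)
    if resp is not None:
        resp["clientDataJSON"] = client_data
    return resp


class RelyingParty:
    def __init__(self, rp_id):
        self.rp_id, self.origin = rp_id, "https://" + rp_id
        self.keys, self.last_counter, self.pending = {}, {}, {}

    def register(self, user, token):
        self.keys[user] = token.register(rp_id_hash(self.rp_id))
        self.last_counter[user] = 0

    def challenge(self, user):
        c = secrets.token_urlsafe(32)
        self.pending[c] = user
        return c

    def verify(self, resp):
        """Return "ok" or the name of the first check that fails."""
        if resp is None:
            return "token refused: not registered for this rpId"
        cd = json.loads(resp["clientDataJSON"])
        user = self.pending.pop(cd.get("challenge"), None)   # each challenge is one-shot
        if user is None:
            return "unknown or reused challenge"
        if cd.get("origin") != self.origin:                  # origin is covered by clientDataHash
            return "origin mismatch"
        ad = resp["authenticatorData"]
        if ad[:32] != rp_id_hash(self.rp_id):
            return "rpIdHash mismatch"
        if not ad[32] & UP_FLAG:
            return "no user presence"
        counter = int.from_bytes(ad[33:37], "big")
        if counter <= self.last_counter[user]:
            return "counter did not advance"
        signed = ad + hashlib.sha256(resp["clientDataJSON"]).digest()
        expected = hmac.new(self.keys[user], signed, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, resp["signature"]):
            return "bad signature"
        self.last_counter[user] = counter
        return "ok"


def run_scenarios():
    token, paypal = Authenticator(), RelyingParty("paypal.example")
    paypal.register("alice", token)
    real, phish = "https://paypal.example", "https://paypa1.example"
    out = {}
    resp = get_assertion(token, real, paypal.challenge("alice"))
    out["honest"] = paypal.verify(resp)
    out["replay"] = paypal.verify(resp)
    # Victim's browser on a phishing page relaying PayPal's real challenge.
    out["phishing page"] = paypal.verify(get_assertion(token, phish, paypal.challenge("alice")))
    # Rogue app on the phone: asks the token for PayPal's credential, reports its own origin.
    out["rogue app"] = paypal.verify(
        get_assertion(token, phish, paypal.challenge("alice"), rp_id="paypal.example"))
    # Same, then rewrite clientDataJSON to claim the real origin: clientDataHash changes.
    resp = get_assertion(token, phish, paypal.challenge("alice"), rp_id="paypal.example")
    cd = json.loads(resp["clientDataJSON"]); cd["origin"] = real
    resp["clientDataJSON"] = json.dumps(cd, sort_keys=True).encode()
    out["rewritten origin"] = paypal.verify(resp)
    # Response produced without a touch (flag bit clear).
    out["no touch"] = paypal.verify(get_assertion(token, real, paypal.challenge("alice"), touched=False))
    return out


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name:17s} -> {result}")
```

The rogue-app cases are the ones relevant to this thread: malware on the phone can drive the screen, but it cannot change what the token signs, so the server's origin and signature checks still fail. What the Accessibility trojan does instead, as the reply above notes, is wait for the user to authenticate legitimately and then drive the already-authorised session; a token only blocks that if the relying party demands a fresh touch for each transfer, which is exactly the point this reply makes.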

    6. Re:99.999999% of Users NOT at Risk? by thegarbz · · Score: 1

      I'd think that SMS as the only 2FA option is a problem with paypal.

      No. Any other 2FA method that uses your mobile phone would be at risk of an app like this.

      Using SMS as the only 2FA option is an "imperfection" with Paypal but it most definitely is not a "problem". A problem would be offering no 2FA at all.

    7. Re:99.999999% of Users NOT at Risk? by AvitarX · · Score: 1

      So this would be blocked if PayPal allowed non-SMS 2FA to send money? (Similar to any bitcoin or brokerage account I've used)

      A nuisance I would likely leave off, since PayPal is about being convenient and I'm pretty sure they'd roll it back (and if not them, my credit card company would), but they really should have the option to secure it if one wants to.

      If they allowed 2FA (not SMS) for all unreliable vendors and person to person transfer that'd probably be a nice compromise.

      Having SMS only for 2FA is a big issue though, since it allows an app to do the 2FA without the user intervening at all.

      --
      Wow, sent an e-mail as suggested when clicking on "use classic" banner, and got a fast response that addressed my msg
  14. It's a trojan, not an 'android trojan' by Anonymous Coward · · Score: 1

    This habit slashdot has of blaming the OS for the actions of 1. the user and 2. the software authors who steal your details is stupid and biased.

    This is a trojan, not an 'android trojan'. It's not part of android, it's not related specifically to android, nor does anyone distributing android provide it packaged with android. The same trojan running on ios or windows mobile or blackberry or hell palmos would do the same thing. If it's running on the device receiving the second factor then it's bypassing 2FA fullstop.

  15. Re: trojan by Anonymous Coward · · Score: 0

    Or "his" pleasure if you count the number of sick faggots on Slashdot.

  16. Not 2FA by Anonymous Coward · · Score: 1

    Not this shit again. SMS is not 2FA. And even if it were, in this case it is run on the same device as the app that needs to be authenticated.

  17. Re:There are things to say about Apples closed gat by Anonymous Coward · · Score: 0

    There has yet to be a widespread iOS malware infection in the wild.

  18. Re:There are things to say about Apples closed gat by farble1670 · · Score: 1

    Now it really sucks that I cannot use my iDevice to play game ROMs emulate PC's or have my own programming language so I can use my phone as a personal computer with a tiny screen. However the apps for the device, I download for the most part usually work well, and are not malware.

    Then don't start the Settings app, select System, select About phone, scroll down, tap the build number 5x, go back, select Developer Options, toggle it on, scroll down and check "Allow from unknown source", read the scary warning dialog that warns you about malware, and select "okay" in spite of that.

  19. here's a solution by Anonymous Coward · · Score: 0

    Here's a solution, don't use Pay Pal.

  20. Re:There are things to say about Apples closed gat by TheFakeTimCook · · Score: 1

    Now it really sucks that I cannot use my iDevice to play game ROMs emulate PC's or have my own programming language so I can use my phone as a personal computer with a tiny screen.
    However the apps for the device, I download for the most part usually work well, and are not malware.

    I'm not sure how much fun you would have getting an iPhone or iPad (or Android equivalent) to emulate a PC (or play game ROMs without a decent control-set); but as far as developing your own language, you are absolutely free to fire up Xcode and start writing that language. You just can't publish it in the iOS App Store.

    A limitation I will gladly trade for NOT having to worry about articles like this one two or three times per week, most every week...

    Which is kinda what you ended up saying, right?

  21. Re:There are things to say about Apples closed gat by thegarbz · · Score: 1

    However the apps for the device, I download for the most part usually work well, and are not malware.

    And you can get all those same protections by not willfully and manually enabling secondary sources as required for 3rd party app stores.

    You can be safe if you're not a complete idiot, but we should never develop devices exclusively for the protection of complete idiots in the way Apple does.

  22. Re:There are things to say about Apples closed gat by Anonymous Coward · · Score: 0

    And your point? Is it "If you try really hard, you can make your own iPhone stop working well"?

  23. Re:There are things to say about Apples closed gat by farble1670 · · Score: 1

    And your point? Is it "If you try really hard, you can make your own iPhone stop working well"?

    That refers to an Android phone. If you do all that and get malware on your Android phone, you deserve it.

  24. Re:There are things to say about Apples closed gat by vlueboy · · Score: 1

    That refers to an Android phone. If you do all that and get malware on your Android phone, you deserve it.

    HALT! These steps are the gateway to alternative app stores when you want to avoid the malware that is GOOGLE's constant tracking. I use F-Droid and had to follow the steps --which cannot really be reversed because of the problem later on this paragraph. Others use the Amazon store and must do so too. Just cloning a trusty local APK that you are hoarding and KNOW is fine (or using an app store to do the downloading for you --same problem) fails the installation process and IIRC Google's OS itself leads you on the way to correct that: follow the "computer, disable all Holodeck safeties" steps that were described.

    What looks like a willing shot in the foot to you and iOS users becomes a less deliberate choice and more of an only resort if you are managing your own installs.

  25. Doesn't bypass PayPal’s two-factor authentic by najajomo · · Score: 1

    The title is erroneous. In order to work, the app that mimics user-generated mouse events has to first be installed by the end user, who then has to enable the app when launching PayPal.

  26. Re: There are things to say about Apples closed ga by houghi · · Score: 1

    Sounds a lot like " She was asking for it by wearing that short skirt."

    --
    Don't fight for your country, if your country does not fight for you.
  27. Public/Private Key by ShoulderOfOrion · · Score: 1

    This stupidity won't stop until businesses give up this "SMS as 2FA" nonsense and use GPG-style public key cryptography for authentication.

  28. Re: There are things to say about Apples closed ga by farble1670 · · Score: 1

    Sounds a lot like " She was asking for it by wearing that short skirt."

    Sounds like your mind is wandering to other topics.