Slashdot Mirror

← Back to Stories (view on slashdot.org)

Android Trojan Steals Money From PayPal Accounts Even With 2FA On (welivesecurity.com)

Posted by msmash on from the security-woes dept.

ESET researchers have discovered a new Android Trojan using a novel Accessibility-abusing technique that targets the official PayPal app, and is capable of bypassing PayPal's two-factor authentication. A report elaborates: At the time of writing, the malware is masquerading as a battery optimization tool, and is distributed via third-party app stores. After being launched, the malicious app terminates without offering any functionality and hides its icon. This video, courtesy of ESET, demonstrates the process in practice.

1 of 56 comments (clear)

  1. 99.999999% of Users NOT at Risk? by TheCowSaysMoo · · Score: 4, Informative

    First Problem: "At the time of writing, the malware is [...] distributed via third-party app stores." I searched Google Play and confirmed it's not listed. Your average user doesn't even know third-party app stores exist.

    Second Problem: "[The malware sends a request that] is presented to the user as being from the innocuous-sounding 'Enable statistics' service." The screen states that the service will "Observe your actions: Receive notifications when you're interacting with an app" and "Retrieve window content: Inspect the content of a window you're interacting with." Do the authors know the definition of the word innocuous? Because those permissions do not seem to fit the standard definition. At a minimum, it reads like spyware.

    Third Problem: The "PayPal" alert that appears is identified in the notification as "Optimization Android," not "PayPal." If you're wandering around third-party Android app stores, you should be knowledgeable enough to recognize this. I don't wander around third-party Android app stores, but if I receive a notification I'm not expecting, I *always* check the source at the top of the notification.

    So, if I manage to download a "battery optimization" app from somewhere other than the Google Play store and then enable what reads like spyware and have PayPal installed and decide that it's completely okay/normal for PayPal to coincidentally alert me to confirm my account right after agreeing to spyware privileges, I'm at risk.

    Also, it seems like this is not just a PayPal issue, but a "user giving too many privileges to an app" issue since TFA shows the malware's phishing screen overlays for Gmail, Google Play, WhatsApp, Viber, and Skype. And, given how the malware works, it seems that it could be applied to any installed app, so are they targeting PayPayl simply because of the number of installs and not because of any inherent flaws in PayPal's app?