Android Trojan Steals Money From PayPal Accounts Even With 2FA On (welivesecurity.com)
ESET researchers have discovered a new Android Trojan using a novel Accessibility-abusing technique that targets the official PayPal app, and is capable of bypassing PayPal's two-factor authentication. A report elaborates: At the time of writing, the malware is masquerading as a battery optimization tool, and is distributed via third-party app stores. After being launched, the malicious app terminates without offering any functionality and hides its icon. This video, courtesy of ESET, demonstrates the process in practice.
Even some banks do this. People need to understand that SMS is NOT 2FA... especially when the device handling the payment is the same one that is receiving the auth code.
If construction was anything like programming, an incorrectly fitted lock would bring down the entire building...
2FA has always been just an excuse for them to get people to surrender their phone numbers and other private information.
Phone numbers are less likely to change and can more or less uniquely identify a person. Sell phone number information to 3rd parties and those 3rd parties can easily identify other services that you use and create profiles on you.
Now it really sucks that I cannot use my iDevice to play game ROMs, emulate PCs, or have my own programming language so I can use my phone as a personal computer with a tiny screen.
However, the apps for the device I download, for the most part, usually work well and are not malware.
If something is so important that you feel the need to post it on the internet... It probably isn't that important.
The same is true for Android. The apps I download for my Android device, for the most part, usually work well and are not malware. I think we're just seeing the effect of Android's 88% market share vs iOS's 12%. Even if there's the same amount of malware for each OS, it has 7x the impact on Android, so there are 7x as many news stories about it. And malware authors get 7x the return on investment attacking Android than they do iOS, so even if all other things are equal, they're more likely to target it.
Obscurity is not security.