Android Trojan Steals Money From PayPal Accounts Even With 2FA On (welivesecurity.com)
ESET researchers have discovered a new Android Trojan using a novel Accessibility-abusing technique that targets the official PayPal app, and is capable of bypassing PayPal's two-factor authentication. A report elaborates: At the time of writing, the malware is masquerading as a battery optimization tool, and is distributed via third-party app stores. After being launched, the malicious app terminates without offering any functionality and hides its icon. This video, courtesy of ESET, demonstrates the process in practice.
Even some banks do this. People need to understand that SMS is NOT 2FA... especially when the device handling the payment is the same one that is receiving the auth code.
If construction were anything like programming, an incorrectly fitted lock would bring down the entire building...