Slashdot Mirror


Android Trojan Steals Money From PayPal Accounts Even With 2FA On (welivesecurity.com)

ESET researchers have discovered a new Android Trojan using a novel Accessibility-abusing technique that targets the official PayPal app, and is capable of bypassing PayPal's two-factor authentication. A report elaborates: At the time of writing, the malware is masquerading as a battery optimization tool, and is distributed via third-party app stores. After being launched, the malicious app terminates without offering any functionality and hides its icon. This video, courtesy of ESET, demonstrates the process in practice.


  1. Re:99.999999% of Users NOT at Risk? by TheCowSaysMoo · Score: 3, Interesting

    I suspect that FIDO U2F would be immune from this type of attack. Or a Google Authenticator keyboard similar to what password safe does.

    I don't see how any type of authentication would be immune from this attack. This malware does zero authentication; it's all done by the user. The malware *prompts* the user to log in and, after the user completes all authentication, the malware then "steps in and mimics the user’s clicks to send money to the attacker’s PayPal address."

    This is the equivalent of someone posing as a computer repairman for a 95-year-old and asking them to log in to their bank account so the repairman can give it a "security check" and then the repairman transfers all the funds to their own account. No authentication in the world is going to stop that because the user has granted too much permission to someone that never should have had permission in the first place.