Slashdot Mirror


Android Trojan Steals Money From PayPal Accounts Even With 2FA On (welivesecurity.com)

ESET researchers have discovered a new Android Trojan using a novel Accessibility-abusing technique that targets the official PayPal app, and is capable of bypassing PayPal's two-factor authentication. A report elaborates: At the time of writing, the malware is masquerading as a battery optimization tool, and is distributed via third-party app stores. After being launched, the malicious app terminates without offering any functionality and hides its icon. This video, courtesy of ESET, demonstrates the process in practice.

9 of 56 comments

  1. Because PayPal's 2FA is shit by AmiMoJo · · Score: 2

    PayPal still sends you codes by SMS, so of course any software on your phone that can intercept SMS messages can read them. They don't seem to support U2F at all.

    --
    const int one = 65536; (Silvermoon, Texture.cs)
    SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    1. Re:Because PayPal's 2FA is shit by JaredOfEuropa · · Score: 4, Insightful

      Even some banks do this. People need to understand that SMS is NOT 2FA... especially when the device handling the payment is the same one that is receiving the auth code.

      --
      If construction was anything like programming, an incorrectly fitted lock would bring down the entire building...
  2. The real purpose of 2FA by Anonymous Coward · · Score: 3, Insightful

    2FA has always been just an excuse for them to get people to surrender their phone numbers and other private information.

    Phone numbers are less likely to change and can more or less uniquely identify a person. Sell phone number information to 3rd parties and those 3rd parties can easily identify other services that you use and create profiles on you.

  3. There are things to say about Apple's closed gate. by jellomizer · · Score: 3, Insightful

    Now it really sucks that I cannot use my iDevice to play game ROMs, emulate PCs, or have my own programming language so I can use my phone as a personal computer with a tiny screen.
    However, the apps I download for the device, for the most part, usually work well and are not malware.

    --
    If something is so important that you feel the need to post it on the internet... It probably isn't that important.
  4. Re:There are things to say about Apple's closed gat by Solandri · · Score: 3, Insightful

    However, the apps I download for the device, for the most part, usually work well and are not malware.

    The same is true for Android. The apps I download for my Android device, for the most part usually work well and are not malware. I think we're just seeing the effect of Android's 88% market share vs iOS's 12%. Even if there's the same amount of malware for each OS, it has 7x the impact on Android so there are 7x as many news stories about it. And malware authors get 7x the return on investment attacking Android than they do iOS, so even if all other things are equal they're more likely to target it.

    Obscurity is not security.

  5. Not in the Google Play store by Monoman · · Score: 2

    These exploits almost always require extra steps to get the offending app installed.

    "At the time of writing, the malware is masquerading as a battery optimization tool, and is distributed via third-party app stores."

    --
    Keep the Classic Slashdot.
  6. 99.999999% of Users NOT at Risk? by TheCowSaysMoo · · Score: 4, Informative

    First Problem: "At the time of writing, the malware is [...] distributed via third-party app stores." I searched Google Play and confirmed it's not listed. Your average user doesn't even know third-party app stores exist.

    Second Problem: "[The malware sends a request that] is presented to the user as being from the innocuous-sounding 'Enable statistics' service." The screen states that the service will "Observe your actions: Receive notifications when you're interacting with an app" and "Retrieve window content: Inspect the content of a window you're interacting with." Do the authors know the definition of the word innocuous? Because those permissions do not seem to fit the standard definition. At a minimum, it reads like spyware.

    Third Problem: The "PayPal" alert that appears is identified in the notification as "Optimization Android," not "PayPal." If you're wandering around third-party Android app stores, you should be knowledgeable enough to recognize this. I don't wander around third-party Android app stores, but if I receive a notification I'm not expecting, I *always* check the source at the top of the notification.

    So, if I manage to download a "battery optimization" app from somewhere other than the Google Play store and then enable what reads like spyware and have PayPal installed and decide that it's completely okay/normal for PayPal to coincidentally alert me to confirm my account right after agreeing to spyware privileges, I'm at risk.

    Also, it seems like this is not just a PayPal issue, but a "user giving too many privileges to an app" issue since TFA shows the malware's phishing screen overlays for Gmail, Google Play, WhatsApp, Viber, and Skype. And, given how the malware works, it seems that it could be applied to any installed app, so are they targeting PayPal simply because of the number of installs and not because of any inherent flaws in PayPal's app?
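    The two conditions this comment keeps returning to, an app that arrived from outside Google Play and an app that has been granted the "Observe your actions" / "Retrieve window content" accessibility capability, are both visible in data a device exposes over adb. The script below is an added triage example written for this thread; it is not code from ESET, Slashdot or any commenter. It assumes two real adb outputs captured from the device: the value of the `enabled_accessibility_services` secure setting (a colon-separated list of flattened component names, or `null`) and the output of `pm list packages -i` (one `package:<name>  installer=<installer or null>` line per package). The sample dumps, the allowlist and the `com.example.*` package names are constructed for the example; TalkBack's package name and Google Play's installer id are the only real identifiers.

```python
"""Triage of Android accessibility-service grants from two adb dumps.

Added example for this thread, not code from ESET or any commenter. It assumes
two inputs captured from a device with adb (both command formats are real):

  adb shell settings get secure enabled_accessibility_services
  adb shell pm list packages -i

The first prints a colon-separated list of flattened ComponentNames
("<package>/<ServiceClass>", class optionally abbreviated to ".Class"), or
"null" when nothing is enabled. The second prints one line per package:
"package:<name>  installer=<installer package or null>".
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Packages an analyst has decided legitimately need accessibility access.
# Constructed placeholder list for the example; TalkBack is the one real entry.
ALLOWLISTED_SERVICES = frozenset({"com.google.android.marvin.talkback"})

# Installer packages treated as trusted stores. Play's installer id is real;
# extend per fleet policy (e.g. an MDM agent's package name).
TRUSTED_INSTALLERS = frozenset({"com.android.vending"})

_INSTALLER_LINE = re.compile(r"^package:(\S+)\s+installer=(\S+)$")


@dataclass(frozen=True)
class EnabledService:
    package: str
    service_class: str


@dataclass
class Finding:
    package: str
    service_class: str
    installer: Optional[str]
    reasons: List[str] = field(default_factory=list)


def parse_enabled_services(setting_value: str) -> List[EnabledService]:
    """Parse the enabled_accessibility_services value into (package, class) pairs."""
    value = (setting_value or "").strip()
    if value in ("", "null"):
        return []
    services: List[EnabledService] = []
    for entry in value.split(":"):
        entry = entry.strip()
        if "/" not in entry:
            continue  # tolerate empty or malformed entries
        package, cls = entry.split("/", 1)
        if cls.startswith("."):  # ComponentName short form -> fully qualified
            cls = package + cls
        services.append(EnabledService(package, cls))
    return services


def parse_installers(pm_output: str) -> Dict[str, Optional[str]]:
    """Map package name -> installer package (None when adb printed 'null')."""
    installers: Dict[str, Optional[str]] = {}
    for line in pm_output.splitlines():
        match = _INSTALLER_LINE.match(line.strip())
        if match:
            package, installer = match.groups()
            installers[package] = None if installer == "null" else installer
    return installers


def triage(setting_value: str, pm_output: str,
           allowlist=ALLOWLISTED_SERVICES,
           trusted_installers=TRUSTED_INSTALLERS) -> List[Finding]:
    """Flag every enabled accessibility service that is not allowlisted or
    did not come from a trusted store (the sideloading route in the thread)."""
    installers = parse_installers(pm_output)
    findings: List[Finding] = []
    for svc in parse_enabled_services(setting_value):
        installer = installers.get(svc.package)  # None: sideloaded or unknown
        reasons = []
        if svc.package not in allowlist:
            reasons.append("not on accessibility allowlist")
        if installer not in trusted_installers:
            reasons.append(f"installer={installer!r} is not a trusted store")
        if reasons:
            findings.append(Finding(svc.package, svc.service_class, installer, reasons))
    return findings


# Constructed sample dumps: one legitimate screen reader and one sideloaded
# "battery saver" that has been granted accessibility access.
SAMPLE_SETTING = (
    "com.google.android.marvin.talkback/"
    "com.google.android.marvin.talkback.TalkBackService:"
    "com.example.batterysaver/.StatsService"
)
SAMPLE_PM_OUTPUT = """\
package:com.google.android.marvin.talkback  installer=com.android.vending
package:com.example.batterysaver  installer=null
package:com.example.payments  installer=com.android.vending
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_SETTING, SAMPLE_PM_OUTPUT):
        print(f"{f.package} ({f.service_class}): {'; '.join(f.reasons)}")
```

    On the constructed sample only the sideloaded battery saver is reported, with both reasons attached; TalkBack passes because it is allowlisted and came from Play. A package that is enabled as an accessibility service but absent from the `pm` dump is treated as untrusted rather than ignored, since a missing installer record is exactly the case a sideloaded app produces.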

    1. Re:99.999999% of Users NOT at Risk? by AvitarX · · Score: 2

      I'd think that SMS as the only 2FA option is a problem with PayPal.

      There's been multiple reports of SMS hijacking (usually with social engineering at a phone company) leading to theft.

      Sure, "Retrieve Window Content" likely invalidates most other 2FA on the same phone, but I suspect that FIDO U2F would be immune from this type of attack. Or a Google Authenticator keyboard similar to what password safe does.

      SMS is almost certainly not secure, and as we see here, it really doesn't even protect from an automated attack.

      --
      Wow, sent an e-mail as suggested when clicking on "use classic" banner, and got a fast response that addressed my msg
    2. Re:99.999999% of Users NOT at Risk? by TheCowSaysMoo · · Score: 3, Interesting

      I suspect that FIDO U2F would be immune from this type of attack. Or a Google Authenticator keyboard similar to what password safe does.

      I don't see how any type of authentication would be immune from this attack. This malware does zero authentication; it's all done by the user. The malware *prompts* the user to login and, after the user completes all authentication, the malware then "steps in and mimics the user’s clicks to send money to the attacker’s PayPal address."

      This is the equivalent of someone posing as a computer repairman for a 95-year-old and asking them to login to their bank account so the repairman can give it a "security check" and then the repairman transfers all the funds to their own account. No authentication in the world is going to stop that because the user has granted too much permission to someone that never should have had permission in the first place.