New Android Trojan Even Tricks 2FA Into Stealing Money From PayPal


Image Source: welivesecurity (screenshot)

Every now and then we hear about malicious Android apps robbing users of money or personal information. Now we are hearing of a new Android Trojan targeting users with PayPal accounts.

A smart Trojan

This new Android Trojan hides inside a battery optimization app and steals money from users’ PayPal accounts. The Trojan even tricks users protected by two-factor authentication, according to the cyber-security firm ESET.

The app this Trojan uses is Optimization Battery. One good thing about it is that the app is not available through the Play Store. It can only be downloaded from third-party app stores, so the threat is affecting a relatively small number of users.

However, the Android Trojan seems incredibly dangerous in the way it operates, and if it somehow manages to sneak into the Play Store, it could be a serious problem. This new Android Trojan includes an automated system which triggers a money transfer from PayPal without giving the victim any chance to stop it. The automatic transfer is possible because during installation, the app requests access to Android’s “Accessibility,” which allows it to automate screen taps and interactions.

Moreover, the Trojan behaves very smartly. It does not use the granted permission right after it’s installed. Instead, it waits for the user to open the PayPal app, either on their own or by sending a false notification to get them to open it. Once the user opens the PayPal app, logs in and enters their password and two-factor authentication code, the Android Trojan shifts into action.

It uses the permission granted during installation to open a new PayPal transfer, enter the amount and approve it in seconds. In at least one case, the malicious app transferred $1,000 from the victim’s PayPal account to the hacker’s.

“The whole process takes about 5 seconds, and for an unsuspecting user, there is no feasible way to intervene in time,” ESET said in a blog post.

The same process is repeated each time the PayPal app is opened. The transaction fails if a user does not have enough money in their account or has not linked a card or bank account which contains the requested funds. The security firm has posted a video showing how the Trojan operates.

Should you be worried?

Even though the way this new Android Trojan operates is pretty scary, not every PayPal user needs to be worried about it. Once again, the malicious app this Trojan uses is not available in the Play Store, so if you install apps only from the Play Store and have turned off unknown installations, then you have no reason to worry.

PayPal has also been informed about the Trojan. Hopefully the company will come up with an update to end it soon.

What more can this new Android Trojan do?

This Trojan also attempts to steal crucial information from other Android users. It pushes overlay screens over apps like Skype, WhatsApp and others, asking for your credit card details. It also pops up an overlay screen for the user’s Google account to get their password and then use it to steal other crucial information.

“Unlike overlays used by most Android banking Trojans, these are displayed in lock foreground screen – a technique also used by Android ransomware. This prevents the victims from removing the overlay by tapping the back button or the home button,” the security firm says.

The only way to bypass this overlay screen is to enter incorrect credentials. Overlay screens are currently limited to the above-mentioned apps, but the security firm notes that the authors of this Trojan are searching for more potential uses.

Tricking PayPal users and using overlay screens are not the only things this new Android Trojan can do. According to ESET researchers, it can also intercept and send SMS messages; remove all SMS messages; change the default SMS app; steal the user’s contact list; get a list of their installed apps; install an app and run it; make and forward calls; and initiate socket communications.

Thus, this Trojan could harm any unsuspecting Android user. If your device is infected or if you believe you have installed any such app, then quickly uninstall it, or, as a precaution, do a factory reset of your device.
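
A defender-side check for the pattern described above (a sideloaded app holding an Accessibility grant), as an added example that is not from ESET or the original article: it parses the output of `adb shell settings get secure enabled_accessibility_services` and `adb shell pm list packages -3 -i` and flags enabled accessibility services whose package was not installed by Google Play. The package names and sample output are constructed, and treating only `com.android.vending` as a trusted installer is an assumption.

```python
"""Flag enabled accessibility services that belong to sideloaded apps."""
import re

TRUSTED_INSTALLERS = {"com.android.vending"}  # assumption: Google Play only

def parse_enabled_services(raw):
    """Parse `settings get secure enabled_accessibility_services` output."""
    raw = raw.strip()
    if not raw or raw == "null":  # "null" means the setting is unset
        return []
    services = []
    for component in raw.split(":"):  # colon-separated package/class entries
        pkg, _, cls = component.partition("/")
        if pkg and cls:
            services.append((pkg, cls))
    return services

def parse_third_party_installers(raw):
    """Parse `pm list packages -3 -i` output into {package: installer or None}."""
    installers = {}
    for line in raw.splitlines():
        m = re.match(r"package:(\S+)\s+installer=(\S+)", line.strip())
        if m:
            installers[m.group(1)] = None if m.group(2) == "null" else m.group(2)
    return installers

def find_sideloaded_services(services_raw, packages_raw):
    """Return (package, service class, installer) for each suspicious grant."""
    installers = parse_third_party_installers(packages_raw)
    findings = []
    for pkg, cls in parse_enabled_services(services_raw):
        if pkg not in installers:
            continue  # not in the -3 list: preinstalled system package, skipped
        if installers[pkg] not in TRUSTED_INSTALLERS:
            findings.append((pkg, cls, installers[pkg]))
    return findings

# Constructed sample output (hypothetical package names, not from the article)
SAMPLE_SERVICES = ("com.example.vendor.screenreader/.ReaderService:"
                   "com.example.batteryopt/.OptimizerService:"
                   "com.example.passwordmgr/com.example.passwordmgr.FillService")
SAMPLE_PACKAGES = """\
package:com.example.batteryopt  installer=null
package:com.example.passwordmgr  installer=com.android.vending
package:com.example.game  installer=com.android.packageinstaller
"""

if __name__ == "__main__":
    for pkg, cls, inst in find_sideloaded_services(SAMPLE_SERVICES, SAMPLE_PACKAGES):
        print(f"REVIEW: {pkg}{cls} has Accessibility enabled, installer={inst}")
```

A flagged entry is a prompt to review the app, not proof of infection; legitimately sideloaded accessibility tools will also appear.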




About the Author

Aman Jain
Aman holds an MBA (Finance) and has experience on both the marketing and finance sides. He has worked as a Risk Analyst for AIR Worldwide, and is currently leading VeRa FinServ, a Financial Research firm. Favorite pastimes include watching science fiction movies, reviewing tech gadgets, playing PC games and cricket. - Email him at amanjain@valuewalk.com