Android Trojan Steals Money from PayPal Accounts Even with 2FA on
(Dec 11, 2018)
Researchers from ESET detected a new trojan that infects Android devices to target the official PayPal application. The trojan is distributed as a fake battery optimisation application found in third-party app stores and abuses Android Accessibility services. The fake battery-optimiser tool offers no functionality and hides its icon while it attempts to obtain accessibility service permissions on the device. It requests the "enabling of statistics" and then prompts the user to launch the official PayPal application if it is already installed on the device. Once the user logs into the application, the malicious accessibility service intervenes and mimics the user's taps to send money (1000 euros, though the currency depends on the user's location) to the threat actor's PayPal account. The malware also displays phishing overlays imitating a credit card details page on top of legitimate applications such as Gmail, Google Play, Skype, Viber and WhatsApp, which hands the card details to the threat actors.
Recommendation: It is important for Android users to obtain software only from the Google Play Store and to avoid installing software from unverified sources, because it is easier for malicious applications to get into third-party stores. Applications that ask for permissions outside their normal functionality should be treated with suspicion, and the normal functionality of an application should be reviewed carefully prior to installation. Antivirus applications, if available, should be deployed on devices, particularly those that could contain sensitive information.
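The abuse described above only works once a user-installed app has been granted an accessibility service, so a practical check for the accessibility-service behaviour in the story and for the recommendation to distrust apps asking for permissions beyond their function is to audit which accessibility services are enabled on a device. The following script is an added example, not code from ESET or from the original article. It assumes you have captured, over adb, the output of `settings get secure accessibility_enabled`, `settings get secure enabled_accessibility_services` (a colon-separated list of ComponentName strings) and `pm list packages -3` (user-installed packages, one `package:` line each). The sample values, the package name com.example.batteryoptimizer and the allowlist are constructed placeholders; the TalkBack component name is real.

```python
"""Audit enabled Android accessibility services against an allowlist.

Added example (not from the ESET report or the original article). Input is
text captured from a device with adb; everything below runs offline on the
constructed samples at the bottom.
"""
from dataclasses import dataclass
from typing import List, Set

# Placeholder allowlist: accessibility services an organisation expects to see.
# The TalkBack component name is real; add your own approved services here.
EXPECTED_SERVICES: Set[str] = {
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService",
}


@dataclass
class Finding:
    component: str   # full ComponentName, "package/service"
    package: str
    severity: str    # "high" or "review"
    reason: str


def parse_enabled_services(raw: str) -> List[str]:
    """Parse `settings get secure enabled_accessibility_services`.

    The value is a colon-separated list of ComponentName strings. adb prints
    'null' when the setting was never written, which means nothing is enabled.
    """
    raw = raw.strip()
    if raw in ("", "null"):
        return []
    return [c for c in raw.split(":") if c]


def parse_third_party_packages(raw: str) -> Set[str]:
    """Parse `pm list packages -3`; each line looks like 'package:com.example'."""
    pkgs: Set[str] = set()
    for line in raw.splitlines():
        line = line.strip()
        if line.startswith("package:"):
            pkgs.add(line[len("package:"):])
    return pkgs


def component_package(component: str) -> str:
    """'pkg/cls' or 'pkg/.Cls' -> 'pkg'; the package always precedes the slash."""
    return component.split("/", 1)[0]


def audit(accessibility_enabled: str, enabled_services: str, third_party_list: str,
          expected: Set[str] = EXPECTED_SERVICES) -> List[Finding]:
    """Flag every enabled accessibility service that is not allowlisted.

    A non-allowlisted service belonging to a user-installed package is rated
    'high' (this is exactly what the fake battery optimiser relies on); one
    from a system package is rated 'review'. If the framework-level switch
    is off, no service can read or drive the UI, so nothing is reported.
    """
    findings: List[Finding] = []
    if accessibility_enabled.strip() != "1":
        return findings
    third_party = parse_third_party_packages(third_party_list)
    for comp in parse_enabled_services(enabled_services):
        if comp in expected:
            continue
        pkg = component_package(comp)
        if pkg in third_party:
            findings.append(Finding(comp, pkg, "high",
                                    "non-allowlisted accessibility service from a user-installed app"))
        else:
            findings.append(Finding(comp, pkg, "review",
                                    "non-allowlisted accessibility service from a system package"))
    return findings


# Constructed sample output (placeholder package name, not a real IOC).
SAMPLE_ACCESSIBILITY_ENABLED = "1\n"
SAMPLE_ENABLED_SERVICES = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:"
    "com.example.batteryoptimizer/.OptimizerAccessibilityService\n"
)
SAMPLE_THIRD_PARTY = "package:com.example.batteryoptimizer\npackage:com.whatsapp\n"

if __name__ == "__main__":
    for f in audit(SAMPLE_ACCESSIBILITY_ENABLED, SAMPLE_ENABLED_SERVICES, SAMPLE_THIRD_PARTY):
        print(f"[{f.severity}] {f.component}: {f.reason}")
```

On a real device, feed the script the three adb outputs instead of the sample constants; a "high" finding for a package whose stated purpose (battery optimisation, cleaning, and so on) has no need to read or drive other apps' screens is the signal to investigate and uninstall.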
Indicators of Compromise (IOCs) associated with this story can be viewed by ThreatStream users here to identify potential malicious activity.