The Cloud Consultancy Europe Ltd.
+44 (0) 203 637 6667 [email protected]

ESET researchers have unearthed a new Android Trojan that tricks users into logging into PayPal, then takes over and mimics the user’s clicks to send money to the attacker’s PayPal address.

The heist won’t go unnoticed by the victim if they are looking at the phone screen, but they will also be unable to do anything to stop the transaction from being executed as it all happens in a matter of seconds.

The only thing that will prevent the theft is if the user has insufficient PayPal balance and no payment card connected to the account.

Aside from this primary function, the Trojan is also able to show overlay phishing screens for Google Play, WhatsApp, Skype, Viber and Gmail. Their purpose is to collect credit card details or account login credentials (Gmail) from the victim.

“We’ve also seen overlay screens for legitimate banking apps requesting login credentials to victims’ internet banking accounts,” ESET malware researcher Lukas Stefanko noted.

“Unlike overlays used by most Android banking Trojans, these are displayed in lock foreground screen – a technique also used by Android ransomware. This prevents the victims from removing the overlay by tapping the back button or the home button. The only way to get past this overlay screen is to fill out the bogus form, but fortunately, even random, invalid inputs make these screens disappear.”

The PayPal funds-stealing function is made possible if, upon installing the bogus battery optimization app that carries the Trojan, the victim has allowed it to activate a malicious Accessibility service.

If the official PayPal app is installed on the compromised device, the malware displays a notification alert prompting the user to launch it. Once the user opens it and logs in, the malicious accessibility service steps in to perform the transaction.

“During our analysis, the app attempted to transfer 1000 euros, however, the currency used depends on the user’s location,” Stefanko explained.

“Because the malware does not rely on stealing PayPal login credentials and instead waits for users to log into the official PayPal app themselves, it also bypasses PayPal’s two-factor authentication (2FA). Users with 2FA enabled simply complete one extra step as part of logging in, – as they normally would – but end up being just as vulnerable to this Trojan’s attack as those not using 2FA.”

This particular Trojan bundled up with the bogus battery optimization app is distributed via third-party app stores, but the researchers also spotted five malicious apps with similar capabilities on Google Play, masquerading as tools for tracking the location of other Android users.

That malware concentrates on phishing the credentials for online banking services for several Brazilian banks, as well as on thwarting uninstallation attempts by AV or app manager apps.

What to do?
ESET has notified the online stores about the malicious offerings and have also notified PayPal of the malicious technique used by the Trojan and the PayPal account used by the attacker.

Users who have installed the PayPal-targeting Trojan would do well to check if their accounts have been drained (the malware can repeat the stealing manoeuvre) and to report the unauthorized transactions to PayPal. Changing their Gmail and online banking passwords is also a good idea.

“For devices that are unusable due to a lock screen overlay displayed by this Trojan, we recommend using Android’s Safe Mode, and proceed with uninstalling an app named “Optimization Android” under Settings > (General) > Application manager/Apps,” Stefanko added.

“Uninstalling in Safe Mode is also recommended for Brazilian users who installed one of the Trojans from Google Play.”

The names of those malicious packages are provided in this blog post.