Wednesday, 12 December 2018 06:05

Android trojan steals from PayPal app even with 2FA on

By Sam Varghese

Slovakian security firm ESET says it has discovered a new Android trojan that combines the capabilities of a remotely controlled banking trojan with abuse of Android Accessibility services to target users of the PayPal app.

In a blog post, researcher Lukas Stefanko wrote that, at the time of writing, the trojan was posing as a battery optimisation tool and was being distributed through third-party app stores.

After being launched, the app terminated and hid its icon; its functionality fell into two parts.

Stealing money from PayPal accounts was achieved by activating a malicious Accessibility service disguised under the name "enable statistics". If the official PayPal app was installed on the infected device, the user would be prompted to launch it.

"Once the user opens the PayPal app and logs in, the malicious accessibility service (if previously enabled by the user) steps in and mimics the user’s clicks to send money to the attacker’s PayPal address," Stefanko wrote.


The pop-up for the malicious Accessibility service disguised under the name "enable statistics".

He said that during ESET's analysis the app attempted to transfer €1000, with the whole process taking about five seconds, hardly enough time for the user to intervene. The currency would, of course, differ from region to region.

Notably, because the attack does not rely on the user's PayPal credentials but on the session the user has already authenticated, it also bypasses the two-factor authentication used by the app.

"Users with 2FA enabled simply complete one extra step as part of logging in — as they normally would — but end up being just as vulnerable to this trojan’s attack as those not using 2FA," Stefanko wrote.

The attack would fail only if the PayPal account in question had an insufficient balance and no payment card linked to it.
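The abuse described above hinges on an Accessibility service that the user was tricked into enabling, so one triage step on a suspect device is to list the enabled services and single out those belonging to user-installed packages. The following added Python helper (not from ESET's post or the trojan analysis) parses the two `adb shell` outputs an investigator would collect for that check; all package names and sample values are constructed for illustration.

```python
"""Triage helper: flag enabled Android Accessibility services that belong to
user-installed packages. Inputs are the raw strings returned by:
  adb shell settings get secure enabled_accessibility_services
  adb shell pm list packages -3
All sample values below are constructed for illustration."""
from dataclasses import dataclass

# Constructed sample of the secure setting: colon-separated "package/Service"
# entries; a service class starting with "." is relative to its package.
SAMPLE_ENABLED = (
    "com.google.android.marvin.talkback/.TalkBackService:"
    "com.example.batterysaver/.StatsService"
)

# Constructed sample of `pm list packages -3` (user-installed packages only).
SAMPLE_THIRD_PARTY = "package:com.example.batterysaver\npackage:com.whatsapp\n"

@dataclass(frozen=True)
class EnabledService:
    package: str
    service: str

def parse_enabled_services(raw: str) -> list[EnabledService]:
    """Parse the setting value; `settings get` prints "null" when it is unset."""
    services = []
    if raw.strip() in ("", "null"):
        return services
    for entry in raw.strip().split(":"):
        if "/" not in entry:
            continue
        pkg, cls = entry.split("/", 1)
        if cls.startswith("."):
            cls = pkg + cls  # expand the abbreviated class name
        services.append(EnabledService(pkg, cls))
    return services

def parse_third_party_packages(raw: str) -> set[str]:
    return {ln[len("package:"):].strip() for ln in raw.splitlines()
            if ln.startswith("package:")}

def suspicious_services(enabled_raw: str, third_party_raw: str) -> list[EnabledService]:
    """Enabled services whose package is user-installed: review these first."""
    third_party = parse_third_party_packages(third_party_raw)
    return [s for s in parse_enabled_services(enabled_raw) if s.package in third_party]

if __name__ == "__main__":
    for s in suspicious_services(SAMPLE_ENABLED, SAMPLE_THIRD_PARTY):
        print(f"enabled third-party accessibility service: {s.package} ({s.service})")
```

A hit is a lead, not a verdict: legitimate third-party accessibility apps exist, so each flagged package still needs to be checked against what the user knowingly installed.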

The trojan had overlays for five apps: Google Play, WhatsApp, Skype, Viber, and Gmail.


Overlays created by the Android trojan for Google Play, WhatsApp, Viber and Skype, requesting credit card details.

Four of these overlays phished for credit card details while the one for Gmail tried to obtain login details for the webmail service.

Stefanko said he had also seen overlays for legitimate banking apps, one example being the app for NAB.

Apart from these two functions, the trojan also had the ability to:

  • Intercept and send SMS messages; delete all SMS messages; change the default SMS app (to bypass SMS-based two-factor authentication);
  • Obtain the contact list;
  • Make and forward calls;
  • Obtain the list of installed apps;
  • Install apps and run installed apps; and
  • Start socket communication.


A malicious overlay created by the trojan for the National Australia Bank app.

Images: courtesy ESET


Sam Varghese


Sam Varghese has been writing for iTWire since 2006, a year after the site came into existence. For nearly a decade thereafter, he wrote mostly about free and open source software, based on his own use of this genre of software. Since May 2016, he has been writing across many areas of technology. He has been a journalist for nearly 40 years in India (Indian Express and Deccan Herald), the UAE (Khaleej Times) and Australia (Daily Commercial News (now defunct) and The Age). His personal blog is titled Irregular Expression.
