In a blog post, researcher Lukas Stefanko wrote that the trojan was currently posing as a battery optimisation tool and was being distributed through third-party app stores.
Once launched, the app terminated and hid its icon; its functionality was in two parts.
Stealing money from PayPal accounts was achieved by activating a malicious Accessibility service disguised as "enable statistics". If the official PayPal app was present on the device to which the trojan had been downloaded, the user would be prompted to launch it.
The pop-up for a malicious Accessibility service disguised as "enable statistics".
He said that during the analysis carried out by ESET, the app attempted to transfer €1000, with the whole process taking about five seconds, hardly enough time to intervene. The currency would, of course, differ from region to region.
Notably, because the attack did not rely on PayPal credentials but acted within the user's own logged-in session, it also bypassed the two-factor authentication used by the app.
"Users with 2FA enabled simply complete one extra step as part of logging in — as they normally would — but end up being just as vulnerable to this trojan’s attack as those not using 2FA," Stefanko wrote.
The attack would fail if the PayPal account in question had an insufficient balance and no payment card linked to it.
The trojan had overlays for five apps: Google Play, WhatsApp, Skype, Viber, and Gmail.
Overlays created by the Android trojan for Google Play, WhatsApp, Viber and Skype, requesting credit card details.
Four of these overlays phished for credit card details, while the one for Gmail tried to obtain login details for the webmail service.
Stefanko said he had also observed overlays for legitimate banking apps, one example being the app for National Australia Bank (NAB).
Apart from these two functions, the trojan also had the ability to:
- Intercept and send SMS messages; delete all SMS messages; change the default SMS app (to bypass SMS-based two-factor authentication);
- Obtain the contact list;
- Make and forward calls;
- Obtain the list of installed apps;
- Install apps and run installed apps; and
- Start socket communication.
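The two device settings this trojan depends on, the list of enabled Accessibility services (how the "enable statistics" service described above gets its automation powers) and the default SMS app (changed to intercept SMS-based 2FA codes, as in the capability list above), are both readable with `adb shell settings get secure ...`. The following triage helper is an added example, not code from ESET or from the article: it parses those two outputs and flags any Accessibility service from a package outside an allowlist, and a default SMS handler that differs from the expected one. The allowlist, the expected SMS package and the sample outputs (including the `com.example.batteryoptimizer` package) are constructed for the demonstration.

```python
"""Triage helper for the Android Secure settings abused by the trojan.

Added example, not part of the ESET write-up.  Inputs are the raw outputs of
  adb shell settings get secure enabled_accessibility_services
  adb shell settings get secure sms_default_application
Package names, the allowlist and the sample outputs are constructed.
"""
from __future__ import annotations

# Packages whose Accessibility services are expected on this fleet
# (assumed allowlist; adjust per environment).
TRUSTED_ACCESSIBILITY_PACKAGES = {
    "com.google.android.marvin.talkback",
    "com.android.settings",
}

# Default SMS handler expected on managed devices (assumed value).
EXPECTED_SMS_PACKAGE = "com.google.android.apps.messaging"


def parse_accessibility_services(raw: str) -> list[tuple[str, str]]:
    """Parse the colon-separated 'package/service' list that Android stores in
    Settings.Secure.ENABLED_ACCESSIBILITY_SERVICES.

    A service part starting with '.' is shorthand for the package prefix.
    Returns (package, fully-qualified service class) pairs; 'null' or an
    empty string (nothing enabled) yields an empty list.
    """
    raw = raw.strip()
    if not raw or raw == "null":
        return []
    entries: list[tuple[str, str]] = []
    for item in raw.split(":"):
        if not item:
            continue
        if "/" not in item:
            # Malformed entry: keep it visible rather than dropping it silently.
            entries.append((item, ""))
            continue
        pkg, svc = item.split("/", 1)
        if svc.startswith("."):
            svc = pkg + svc
        entries.append((pkg, svc))
    return entries


def untrusted_accessibility_services(
    raw: str, trusted: set[str] = TRUSTED_ACCESSIBILITY_PACKAGES
) -> list[str]:
    """Return the services whose owning package is not on the allowlist."""
    return [svc or pkg for pkg, svc in parse_accessibility_services(raw)
            if pkg not in trusted]


def sms_handler_changed(raw: str, expected: str = EXPECTED_SMS_PACKAGE) -> bool:
    """True when the default SMS app differs from the expected handler."""
    current = raw.strip()
    return current not in ("", "null") and current != expected


def triage(accessibility_raw: str, sms_raw: str) -> list[str]:
    """Produce human-readable findings for one device."""
    findings = []
    for svc in untrusted_accessibility_services(accessibility_raw):
        findings.append(f"Accessibility service enabled from untrusted package: {svc}")
    if sms_handler_changed(sms_raw):
        findings.append(f"default SMS app changed to: {sms_raw.strip()}")
    return findings


if __name__ == "__main__":
    # Constructed sample output, as 'adb shell settings get secure ...' prints it.
    SAMPLE_ACCESSIBILITY = (
        "com.google.android.marvin.talkback/.TalkBackService:"
        "com.example.batteryoptimizer/.StatisticsService"  # constructed fake service
    )
    SAMPLE_SMS = "com.example.batteryoptimizer"  # constructed: SMS handler hijacked
    for line in triage(SAMPLE_ACCESSIBILITY, SAMPLE_SMS):
        print("FINDING:", line)
```

The check is deliberately allowlist-based: a screen reader such as TalkBack legitimately holds the same Accessibility powers the trojan abuses, so the useful signal is not "an Accessibility service is enabled" but "one is enabled from a package nobody vetted", and likewise for the SMS handler.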
A malicious overlay created by the trojan for the National Australia Bank app.
Images: courtesy ESET