Wednesday, 12 December 2018 06:05

Android trojan steals from PayPal app even with 2FA on


Slovakian security firm ESET says it has discovered a new Android trojan that combines the capabilities of remotely controlled malware with misuse of Android Accessibility services to target users of the PayPal app.

In a blog post, researcher Lukas Stefanko wrote that, at the time of writing, the trojan was masquerading as a battery optimisation tool and was being distributed through third-party app stores.

Once launched, the app terminated and hid its icon. Its functionality falls into two parts.

Stealing money from PayPal accounts was achieved by activating a malicious Accessibility service disguised under the name "enable statistics". If the official PayPal app was present on the device to which the trojan had been downloaded, the user would be prompted to launch it.

"Once the user opens the PayPal app and logs in, the malicious accessibility service (if previously enabled by the user) steps in and mimics the user’s clicks to send money to the attacker’s PayPal address," Stefanko wrote.


The pop-up for a malicious Accessibility service disguised under the name "enable statistics".

He said that during ESET's analysis, the app attempted to transfer €1000, with the whole process taking about five seconds, hardly enough time for the user to intervene. The currency would, of course, differ from region to region.

The notable point is that, because this attack did not use the PayPal credentials at all, it also bypassed the two-factor authentication used by the app.

"Users with 2FA enabled simply complete one extra step as part of logging in — as they normally would — but end up being just as vulnerable to this trojan’s attack as those not using 2FA," Stefanko wrote.

The attack would fail only if the PayPal account in question had an insufficient balance and no payment card linked to it.
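Because the theft depends on the user having enabled an unexpected Accessibility service, the quickest triage check for a device is to list which services are enabled and flag any outside a known-good set. The script below is an added example written for this article, not ESET's or iTWire's code; it reads the real Settings.Secure key `enabled_accessibility_services` over adb, while the allowlist, the `com.example.batteryoptimizer` package and the sample output are constructed assumptions.

```python
"""Triage helper: flag enabled Android Accessibility services not on an allowlist."""
import subprocess
from typing import List, Optional

# Constructed allowlist: services an organisation expects on its managed devices.
TALKBACK = "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService"
KNOWN_GOOD = {TALKBACK}


def parse_enabled_services(raw: str) -> List[str]:
    """Split adb's colon-separated 'package/ServiceClass' list into entries.

    The setting reads 'null' (or is empty) when no service is enabled.
    """
    raw = raw.strip()
    if not raw or raw == "null":
        return []
    return [entry for entry in raw.split(":") if entry]


def suspicious_services(enabled: List[str], known_good=KNOWN_GOOD) -> List[str]:
    """Return enabled services outside the allowlist; each one warrants review."""
    return [svc for svc in enabled if svc not in known_good]


def audit_device(serial: Optional[str] = None) -> List[str]:
    """Query a connected device over adb and return the flagged services."""
    cmd = ["adb"] + (["-s", serial] if serial else []) + [
        "shell", "settings", "get", "secure", "enabled_accessibility_services",
    ]
    out = subprocess.run(cmd, capture_output=True, text=True, check=True).stdout
    return suspicious_services(parse_enabled_services(out))


# Constructed sample output: TalkBack plus a service from a fake 'battery optimiser'.
SAMPLE = TALKBACK + ":com.example.batteryoptimizer/.StatsService"

if __name__ == "__main__":
    for svc in suspicious_services(parse_enabled_services(SAMPLE)):
        print("review accessibility service:", svc)
```

Run `audit_device()` against a USB-connected device with debugging enabled; a service tied to a recently installed utility app is the signal the article describes.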

The trojan had overlays for five apps: Google Play, WhatsApp, Skype, Viber, and Gmail.


Overlays created by the Android trojan for Google Play, WhatsApp, Viber and Skype, requesting credit card details.

Four of these overlays phished for credit card details while the one for Gmail tried to obtain login details for the webmail service.

Stefanko said he had also glimpsed overlays for legitimate banking apps, one example being the app for NAB.

Apart from these two functions, the trojan also had the ability to:

  • Intercept and send SMS messages; delete all SMS messages; change the default SMS app (to bypass SMS-based two-factor authentication);
  • Obtain the contact list;
  • Make and forward calls;
  • Obtain the list of installed apps;
  • Install app, run installed app; and
  • Start socket communication.


A malicious overlay created by the trojan for the National Australia Bank app.

Images: courtesy ESET

Sam Varghese


Sam Varghese has been writing for iTWire since 2006, a year after the site came into existence. For nearly a decade thereafter, he wrote mostly about free and open source software, based on his own use of this genre of software. Since May 2016, he has been writing across many areas of technology. He has been a journalist for nearly 40 years in India (Indian Express and Deccan Herald), the UAE (Khaleej Times) and Australia (Daily Commercial News (now defunct) and The Age). His personal blog is titled Irregular Expression.
