Wednesday, 12 December 2018 06:05

Android trojan steals from PayPal app even with 2FA on


Slovakian security firm ESET says it has discovered a new Android trojan that combines the capabilities of remotely controlled malware with misuse of Android Accessibility services to target PayPal app users.

In a blog post, researcher Lukas Stefanko wrote that right now the trojan was pretending to be a battery optimisation tool and was distributed by third-party app stores.

Once launched, the app terminated and hid its icon; its functionality fell into two parts.

Stealing money from PayPal accounts was achieved by activating a malicious Accessibility service disguised under the name "enable statistics". If the official PayPal app was present on the device to which the trojan had been downloaded, the user would be prompted to launch it.

"Once the user opens the PayPal app and logs in, the malicious accessibility service (if previously enabled by the user) steps in and mimics the user’s clicks to send money to the attacker’s PayPal address," Stefanko wrote.


The pop-up for a malicious Accessibility service disguised under the name "enable statistics".

He said that during ESET's analysis, the app attempted to transfer €1000, and the whole process took about five seconds, hardly enough time for the user to intervene. The currency would, of course, differ from region to region.

Notably, because the attack did not rely on the user's PayPal credentials, it also bypassed the two-factor authentication used by the app.

"Users with 2FA enabled simply complete one extra step as part of logging in — as they normally would — but end up being just as vulnerable to this trojan’s attack as those not using 2FA," Stefanko wrote.

The attack would fail only if the PayPal account in question had an insufficient balance and no payment card linked to it.

The trojan had overlays for five apps: Google Play, WhatsApp, Skype, Viber, and Gmail.


Overlays created by the Android trojan for Google Play, WhatsApp, Viber and Skype, requesting credit card details.

Four of these overlays phished for credit card details while the one for Gmail tried to obtain login details for the webmail service.

Stefanko said he had also glimpsed overlays for legitimate banking apps, one example being the app for NAB.

Apart from these two functions, the trojan also had the ability to:

  • Intercept and send SMS messages; delete all SMS messages; change the default SMS app (to bypass SMS-based two-factor authentication);
  • Obtain the contact list;
  • Make and forward calls;
  • Obtain the list of installed apps;
  • Install apps and run installed apps; and
  • Start socket communication.
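Two of the capabilities above, an enabled Accessibility service and a changed default SMS handler, are visible in a device's secure settings. The following is an added triage helper, not code from ESET or the article: it parses the value of `enabled_accessibility_services` (a colon-separated list of flattened Android ComponentName strings, as printed by `adb shell settings get secure enabled_accessibility_services`) and the `sms_default_application` setting, and flags packages not on a defender-maintained allowlist. The allowlists, the sample setting values and the `com.example.batteryoptimizer` package name are constructed for this example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Finding:
    kind: str      # e.g. "unknown_accessibility_service"
    package: str   # package that triggered the finding
    detail: str    # service class or a short explanation


def parse_component(flat: str) -> Tuple[str, str]:
    """Split a flattened ComponentName ("pkg/cls") into (package, class).

    Android permits the shorthand "pkg/.Cls" meaning "pkg/pkg.Cls".
    """
    if "/" not in flat:
        raise ValueError(f"not a ComponentName: {flat!r}")
    pkg, cls = flat.split("/", 1)
    if cls.startswith("."):
        cls = pkg + cls
    return pkg, cls


def parse_enabled_services(setting: Optional[str]) -> List[Tuple[str, str]]:
    """Parse the raw setting; an unset value ('' or 'null') means none enabled."""
    if not setting or setting.strip() == "null":
        return []
    return [parse_component(item) for item in setting.split(":") if item]


def audit(settings: Dict[str, str], trusted_a11y: Set[str],
          trusted_sms: Set[str]) -> List[Finding]:
    """Return findings for accessibility services and SMS handlers outside the allowlists."""
    findings: List[Finding] = []
    for pkg, cls in parse_enabled_services(settings.get("enabled_accessibility_services")):
        if pkg not in trusted_a11y:
            findings.append(Finding("unknown_accessibility_service", pkg, cls))
    sms = settings.get("sms_default_application")
    if sms and sms != "null" and sms not in trusted_sms:
        findings.append(Finding("untrusted_default_sms_app", sms, "default SMS handler changed"))
    return findings


# Constructed sample: the TalkBack screen reader plus a service registered by a
# "battery optimiser" under a placeholder package name, which also took over SMS.
SAMPLE_SETTINGS = {
    "enabled_accessibility_services":
        "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:"
        "com.example.batteryoptimizer/.StatsService",
    "sms_default_application": "com.example.batteryoptimizer",
}
TRUSTED_A11Y = {"com.google.android.marvin.talkback"}
TRUSTED_SMS = {"com.google.android.apps.messaging"}

if __name__ == "__main__":
    for f in audit(SAMPLE_SETTINGS, TRUSTED_A11Y, TRUSTED_SMS):
        print(f"[{f.kind}] {f.package}: {f.detail}")
```

On a real device the two setting values come from `adb shell settings get secure <name>`; any unknown Accessibility service found this way is worth treating as suspect until the package is identified.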


A malicious overlay created by the trojan for the National Australia Bank app.

Images: courtesy ESET




Sam Varghese


Sam Varghese has been writing for iTWire since 2006, a year after the site came into existence. For nearly a decade thereafter, he wrote mostly about free and open source software, based on his own use of this genre of software. Since May 2016, he has been writing across many areas of technology. He has been a journalist for nearly 40 years in India (Indian Express and Deccan Herald), the UAE (Khaleej Times) and Australia (Daily Commercial News (now defunct) and The Age). His personal blog is titled Irregular Expression.


