There have been some bad trojans found on Android, but this is possibly one of the worst. This new threat automates a PayPal transaction for $1000 and sends it using the official PayPal app—even on accounts with 2FA enabled.

The PayPal Hijack

It does this using a couple of different methods and leveraging Android’s Accessibility services. The malicious app is currently disguising itself as an Android optimization tool and has been making its way onto users’ phones through third-party app stores. So for starters, don’t use third-party app stores.

When installed, “Optimization Android” (seriously, why would you install something with a name like this in the first place?) also creates an Accessibility service called “Enable statistics.” It then requests access to this feature, which seems harmless enough—it will allow the app to monitor user actions and retrieve window content. If you think it’s all in the name of making your phone faster, it almost makes sense.

But that’s where things get worse because now the trojan can effectively emulate touches. It generates a notification that looks like it’s from PayPal urging the user to log in.

When tapped, this notification opens the official PayPal app (if installed)—so this isn’t a phishing attempt. The official app opens and asks the user to log in. Since this is a legitimate login attempt within the official app, 2FA does nothing to secure the account—you’ll just log in as normal, entering your 2FA code when it comes in.

Once you’re logged in, the malicious app takes over, transferring $1000 from your PayPal account to the attacker. This automated process happens in fewer than five seconds. We Live Security made a video of the entire process, and it’s pretty crazy how fast it all happens.
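A defender-side check for the pattern described above, added here as an example and not taken from the original article or from We Live Security: it lists which Accessibility services are enabled on a device and flags any whose package did not come from a trusted installer. The package names, the sample command output and the trusted-installer set are constructed assumptions.

```python
# Constructed sample output of:
#   adb shell settings get secure enabled_accessibility_services
ENABLED = ("com.google.android.marvin.talkback/"
           "com.google.android.marvin.talkback.TalkBackService:"
           "com.example.optimizer/.StatsService")

# Constructed sample output of:  adb shell pm list packages -i
INSTALLERS = """\
package:com.google.android.marvin.talkback  installer=com.android.vending
package:com.example.optimizer  installer=null
"""

TRUSTED_INSTALLERS = {"com.android.vending"}  # assumption: Play Store only

def parse_enabled_services(raw):
    """Split the colon-separated component list into (package, class) pairs."""
    raw = raw.strip()
    if not raw or raw == "null":          # nothing enabled
        return []
    pairs = []
    for comp in raw.split(":"):
        pkg, _, cls = comp.partition("/")
        if cls.startswith("."):           # expand shorthand ".Service"
            cls = pkg + cls
        pairs.append((pkg, cls))
    return pairs

def parse_installers(raw):
    """Map package name -> installer package (None if unknown or sideloaded)."""
    result = {}
    for line in raw.splitlines():
        line = line.strip()
        if not line.startswith("package:"):
            continue
        pkg, _, inst = line[len("package:"):].partition("installer=")
        inst = inst.strip()
        result[pkg.strip()] = None if inst in ("", "null") else inst
    return result

def flag_services(enabled_raw, installers_raw, trusted=TRUSTED_INSTALLERS):
    """Return enabled Accessibility services whose installer is not trusted.
    Preinstalled system packages can also report no installer, so treat
    findings as items to review, not as confirmed malware."""
    installers = parse_installers(installers_raw)
    return [{"package": p, "service": c, "installer": installers.get(p)}
            for p, c in parse_enabled_services(enabled_raw)
            if installers.get(p) not in trusted]

if __name__ == "__main__":
    for finding in flag_services(ENABLED, INSTALLERS):
        print("REVIEW:", finding)
```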
