12 Dec 2018

A new Android malware assuming as a battery optimization tool can steal money from users’ PayPal accounts in spite of having two-factor authentication protection. It allows them to easily log into the app.

Strategy to steal PayPal funds

The app which is named as Optimization Android is available from unofficial third-party stores and not through the official Play Store. When it is launched, the app closes and gets hidden and provides no specific functionality.

For transferring the funds to the attacker’s address, the malware imitates the user interaction with the PayPal app. This malicious app makes use of a built-in accessibility service which is needed to send a message to the user to launch the PayPal app if it is installed on the device.

During installation, the app requests access to the Android “Accessibility” permission which is a very dangerous feature that allows an app to automate screen taps and OS interactions. To enable the accessibility service, a message appears to activate statistics for the fake battery optimization software.

According to malware analysts from ESET, when a user opens the PayPal app and logs in with their credentials, this malicious accessibility service which is already enabled by the user imitates the user’s clicks to send money to the attacker’s PayPal address.

The notification to launch PayPal pops up as a request to verify the account or anything of that sort as long as the user responds to it.

When the malicious activity was checked it is seen that the app tried to transfer 1,000 euros and the whole process takes just five seconds. A user will not even get a chance to stop the fraudulent transaction suddenly.

Two-factor authentication provides no defense at all as in this case the login was a legitimate action done by the user with the correct authentication process.

Check the below video to find how the malicious app performs the transfer of funds to the attacker’s address.

The researchers found that the accessibility service is active at every PayPal launch and so the attack can be done multiple times. The only time it fails is when the user runs out of money or doesn’t have any funds in his PayPal account.

Running overlay attacks

The researchers state that the malicious app also runs a phishing game to steal card data from Google Play, WhatsApp, Skype, Viber, and Gmail’s login credentials. Other apps targeted are from Uber, Netflix, and several banks.

Even though these apps are default, ESET says that the developer can update the record at any time. Hunting the email credentials is probably to delete the messages from PayPal that inform the account owner of the money transfer.

The victims are not able to use the back button to avoid the overlay screen and they just have the option to fill in the form. The only trick the victim can perform is to type wrong information.

Besides these abilities the malicious app can intercept, send and delete text messages, change the default SMS app, get the contact list, make and forward calls, obtain the list of installed apps, install and run apps and start socket communication.

Leave your thought