If you use a PayPal app like a number of people across the globe then you must be aware of the many vicious malware that can affect your Android OS.  But today we will discuss a Trojan that is very malicious and hacks the PayPal app. The malware we are talking about is capable of maliciously transferring money to the tune of $1000 by using the official PayPal app circumventing the two-factor authentication of PayPal.

The malware is disguised as an Android optimization tool and can gain entry to your phone through third-party apps but not from Google Play Store. This Trojan claims to make the phone battery more efficient.

How does the malware work?

The malware uses your Android’s Accessibility services. After it is downloaded the malware creates an Accessibility service called “Enable Statistics.”  The service is to ostensibly monitor user action and retrieve window content with the aim of making your phone faster. So far so good, but when the user gives these permissions he sees a notification that looks like an official  Paypal notification urging the user to log in. As soon as the user logs in the app takes over.

The user himself aids the malware to overcome the 2FA authentication. The user does not find anything amiss as the log in is in the official PayPal app and thus he enters the authentication. This is the stage where the app tries to transfer money in the users PayPal account to the attacker’s account and it does so in a jiffy in less than 5 seconds.

Too quick to stop

Once the process starts there is no stopping the app. The only thing that can stop the app from achieving its aim of transferring money is that your PayPal account doesn’t have sufficient amount of money and you have also not approved other alternative funding methods. In such a case, the transaction fails and does not go through by default and your hard earned money is saved from going into the wrong hands.   

Another trick that the malware plays is to display illegitimate login screens over legitimate apps making use of the Android’s screen overlay features. Most legitimate apps that are commonly used like Viber, Skype and WhatsApp are targeted with fake phishing screens. These screens are also displayed over banking apps and Gmail app prompting the users to enter their credit card numbers and banking and Gmail credentials as the case may be which can then be misused.

According to experts at We Live Security the creators of this malware would be looking to expand the scope of their Trojan especially the screen overlaying method. The experts have deduced that the Trojan’s code has strings that warn that the phone has been locked for display of child pornography. It then goes on to add that the only way to unlock the phone is to send an email to the given address. It is still unclear whether the makers of this malware are into the game for extortion or whether the screen –overlaying functionality would be used to hide other malicious activities taking place behind the screen.

According to our analysis, the authors of this Trojan have been looking for further uses for this screen-overlaying mechanism. The malware’s code contains strings claiming the victim’s phone has been locked for displaying child pornography and can be unlocked by sending an email to a specified address. Such claims are reminiscent of early mobile ransomware attacks, where the victims were scared into believing their devices were locked due to reputed police sanctions. It is unclear whether the attackers behind this Trojan are also planning to extort money from victims, or whether this functionality would merely be used as a cover for other malicious actions happening in the background.

What safety precautions to take?

1. The first, foremost and the easiest way to keep your account safe is to shun all third-party app stores.  Never fall prey to stores that promise paid apps for free. Only Google Play should be used to install apps.
2. Even though Google Play is the safest option to download an app but it should not restrict you from doing a thorough research about the app you want to download.  Learn as much as you can from different sources, read news, reviews and comments about the app before deciding to download the app. You must remember Google Play can also be attacked by malware. While reading reviews go thoroughly through the negative reviews as the makers of such malware could publish positive reviews.
3. Do not under any circumstances install pirated apps.  Not only are such apps trashy but they expose your devices and data to malware.
4. Be wary of installing an app from an external source and take extreme precautions before downloading any app.