The Green Sheet

Friday, December 14, 2018

Malware attacks PayPal, exploits Android

ESET researchers disclosed on Dec. 11, 2018, that an Android Trojan is abusing the operating system's Accessibility services, rather than exploiting a software vulnerability, to take control of the PayPal app. The internet security provider said the malware targets Android users who have the PayPal app installed and warned that it works even when 2-factor authentication is enabled, because it acts only after the victim has logged in. The malicious app is designed to steal money from PayPal accounts and to phish for credit card credentials by placing overlays on Google Play, WhatsApp, Skype, Viber and Gmail.

In a blog post titled “Android Trojan steals money from PayPal accounts, even with 2FA on,” researchers observed that four of the five overlays phish for credit card details. They speculate the Gmail overlay is being used to identify PayPal email notifications, adding, “With access to the victim’s Gmail account, the attackers could delete such emails to remain unnoticed longer.”

Will LaSala, director of security solutions and security evangelist at OneSpan, observed that unlike typical malware strains, the new scheme appears to transfer money from PayPal to the attacker’s account. This underscores the risk of installing apps from unknown sources and the ease with which overlay attacks can hijack a strong application, he stated.

Far-reaching capabilities

“This starts with the user being tricked into downloading a simple utility app, which is in actuality a malware application,” LaSala said. “What is concerning is that this malware app can download other applications, so even though today’s attack is against PayPal, this attack could easily be repurposed to attack any other application on the user's mobile device.”

Researchers cited the following additional capabilities and threats in the malicious code:

  • SMS messaging: The malware can send, intercept and delete SMS messages. It can also set itself as the default SMS app, which gives it access to SMS-delivered 2-factor authentication codes.

  • Contact list: It can copy the device owner's contact list.

  • Phone calls: It can initiate and forward calls.

  • Installed apps: It can retrieve a complete list of installed apps and launch them.

  • Socket communication: It can open socket connections to the attackers' infrastructure.

  • Phone lock: ESET researchers also noted that the malware can lock the phone and direct the victim to send an email to a specified address to get it unlocked. It remains to be seen whether the attackers plan to extort money from victims or whether the lock is a ploy to buy time while malicious actions run unnoticed in the background, the researchers stated.

Accessibility permissions

ESET researchers noted that the authors of the PayPal-targeting malware abused Android's Accessibility service permission, which the victim is tricked into granting, to take control of the device. Sam Bakken, senior product marketing manager at OneSpan, said accessibility permissions can be extremely powerful, especially when they get into the wrong hands.
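The two settings the capability list and the paragraph above single out, an enabled Accessibility service and the default SMS app, can both be read off a device and checked against an allowlist. The script below is an added example written for this article, not ESET's or OneSpan's code. It parses the raw values of two Settings.Secure keys: enabled_accessibility_services is a public Android constant, while the key name sms_default_application and the adb-based collection helper are assumptions to verify on your Android version. The allowlists and the sample device output are constructed for the example; package names in the sample are invented.

```python
"""Audit an Android device for an unreviewed Accessibility service and a
hijacked default SMS app, the two settings the trojan abuses."""
import subprocess

# Constructed allowlists for the example; a real deployment would load the
# packages it has actually reviewed.
TRUSTED_ACCESSIBILITY = {
    "com.google.android.marvin.talkback",  # TalkBack screen reader
}
TRUSTED_SMS_APPS = {
    "com.google.android.apps.messaging",  # Google Messages
    "com.samsung.android.messaging",
}


def parse_accessibility_services(raw):
    """Parse the value of Settings.Secure.ENABLED_ACCESSIBILITY_SERVICES.

    The value is a colon-separated list of 'package/ServiceClass' entries.
    A class beginning with '.' is relative to its package, as in
    AndroidManifest.xml. Returns a list of (package, fully_qualified_class).
    """
    raw = raw.strip()
    if not raw or raw == "null":
        return []
    services = []
    for entry in raw.split(":"):
        entry = entry.strip()
        if not entry:
            continue
        pkg, _, cls = entry.partition("/")
        if cls.startswith("."):
            cls = pkg + cls
        services.append((pkg, cls))
    return services


def audit(accessibility_raw, default_sms_raw,
          trusted_a11y=TRUSTED_ACCESSIBILITY, trusted_sms=TRUSTED_SMS_APPS):
    """Return a list of findings, one per setting an attacker could be using."""
    findings = []
    for pkg, cls in parse_accessibility_services(accessibility_raw):
        if pkg not in trusted_a11y:
            findings.append(
                f"accessibility service enabled for unreviewed package {pkg} ({cls})")
    sms = default_sms_raw.strip()
    if sms and sms != "null" and sms not in trusted_sms:
        findings.append(f"default SMS app is not an approved messenger: {sms}")
    return findings


def adb_secure_setting(key, serial=None):
    """Read one Settings.Secure key from a USB-debugging-enabled device.

    Assumes 'adb' is on PATH; the key name for the default SMS app
    ('sms_default_application') is an assumption to verify per Android release.
    """
    cmd = ["adb"] + (["-s", serial] if serial else []) + \
          ["shell", "settings", "get", "secure", key]
    return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout


# Constructed sample output mimicking a device where a fake "optimizer" app
# has enabled its accessibility service and made itself the default SMS app.
SAMPLE_A11Y = (
    "com.google.android.marvin.talkback/"
    "com.google.android.marvin.talkback.TalkBackService:"
    "com.example.optimizer/.OptimizerAccessibilityService"
)
SAMPLE_SMS = "com.example.optimizer\n"

if __name__ == "__main__":
    import sys
    if "--device" in sys.argv:
        a11y = adb_secure_setting("enabled_accessibility_services")
        sms = adb_secure_setting("sms_default_application")
    else:
        a11y, sms = SAMPLE_A11Y, SAMPLE_SMS
    for finding in audit(a11y, sms):
        print("FINDING:", finding)
```

Run it without arguments to see the two findings the constructed sample produces, or with --device against a connected handset. A clean device, where only TalkBack is enabled and an approved messenger is the default, yields no findings; the check is deliberately allowlist-based because the trojan's service name is arbitrary and a blocklist would miss the next repackaged variant.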

“[W]hen we download an app, we need to think hard about whether there's actually good reason to grant an app the permissions it asks for, and really, to be safest we should default to not granting those permissions even if it means you can't use that particular app,” Bakken said.

LaSala agreed, advising consumers to examine permission levels when installing third-party applications. “Permissions are not always clear cut, and if a user is questioning a permission it is better not to allow the permission and ask the developer for more information before allowing it,” he explained. “Open communication with the app developer and full clear understanding of how an app works are key objectives to any app developer for their users.”

Application shielding

Bakken advises consumers to fully vet apps, patronize official app stores and read consumer reviews, “especially the negative reviews, as miscreants are known to create fake positive reviews of their apps in order to hook more victims,” he said.

Both Bakken and LaSala would like to see mobile application developers and publishers use app shielding technology that can detect and shut down malicious behaviors, stopping mobile app fraud before it takes place.

“Solutions such as mobile application shielding prevent screen overlay attacks and can render this type of attack useless,” LaSala added. “Additionally, application providers should use application repackage prevention technologies and only publish their application on official app stores, as this will further strengthen the bond for their users and encourage them to also only get their applications from the trusted app stores.”
