Friday, December 14, 2018
In a blog post titled “Android Trojan steals money from PayPal accounts, even with 2FA on,” researchers observed that four of the five overlays phish for credit card details. They speculate the Gmail overlay is being used to identify PayPal email notifications, adding, “With access to the victim’s Gmail account, the attackers could delete such emails to remain unnoticed longer.”
Will LaSala, director of security solutions and security evangelist at OneSpan, observed that unlike typical malware strains, the new scheme appears to transfer money from PayPal to the attacker’s account. This underscores the risk of installing apps from unknown sources and the ease with which overlay attacks can hijack a strong application, he stated.
“This starts with the user being tricked into downloading a simple utility app, which is in actuality a malware application,” LaSala said. “What is concerning is that this malware app can download other applications, so even though today’s attack is against PayPal, this attack could easily be repurposed to attack any other application on the user’s mobile device.”
Researchers cited the following additional capabilities and threats in the malicious code:
ESET researchers noted that the authors of the PayPal-targeting attack exploited accessibility permission levels to obtain control of Android devices. Sam Bakken, senior product marketing manager at OneSpan, said accessibility permission levels can be extremely powerful, especially when they get into the wrong hands.
“[W]hen we download an app, we need to think hard about whether there's actually good reason to grant an app the permissions it asks for, and really, to be safest we should default to not granting those permissions even if it means you can't use that particular app,” Bakken said.
LaSala agreed, advising consumers to examine permission levels when installing third-party applications. “Permissions are not always clear cut, and if a user is questioning a permission it is better not to allow the permission and ask the developer for more information before allowing it,” he explained. “Open communication with the app developer and full clear understanding of how an app works are key objectives to any app developer for their users.”
Bakken advises consumers to fully vet apps, patronize official app stores and read consumer reviews, “especially the negative reviews, as miscreants are known to create fake positive reviews of their apps in order to hook more victims,” he said.
Both Bakken and LaSala would like to see mobile application developers and publishers use app shielding technology that can detect and shut down malicious behaviors, stopping mobile app fraud before it takes place.
“Solutions such as mobile application shielding prevent screen overlay attacks and can render this type of attack useless,” LaSala added. “Additionally, application providers should use application repackage prevention technologies and only publish their application on official app stores, as this will further strengthen the bond for their users and encourage them to also only get their applications from the trusted app stores.”
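The two app-side controls discussed above, touch filtering against screen overlays and a check for accessibility services that can read and drive the screen, as an added Android example that is not from the article or from OneSpan. Layout ids and the allow-list of trusted accessibility packages are assumptions.

```java
import android.accessibilityservice.AccessibilityServiceInfo;
import android.content.Context;
import android.os.Bundle;
import android.view.accessibility.AccessibilityManager;
import android.widget.Button;
import android.widget.Toast;
import androidx.appcompat.app.AppCompatActivity;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

public class SendMoneyActivity extends AppCompatActivity {
    // Hypothetical allow-list of accessibility services the app accepts as benign.
    private static final List<String> TRUSTED_A11Y_PACKAGES =
            Arrays.asList("com.google.android.marvin.talkback");
    private Button confirm;

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        setContentView(R.layout.activity_send_money);   // hypothetical layout and id
        confirm = findViewById(R.id.confirm_button);
        // Overlay ("tapjacking") defence: the framework discards touches that reach
        // this button while another window is drawn on top of it.
        confirm.setFilterTouchesWhenObscured(true);
    }

    @Override
    protected void onResume() {
        super.onResume();
        // Re-check on every resume: a service can be enabled while the app is backgrounded.
        List<String> unknown = untrustedAccessibilityServices();
        confirm.setEnabled(unknown.isEmpty());
        if (!unknown.isEmpty()) {
            Toast.makeText(this, "An accessibility service that can read and control this "
                    + "screen is active: " + unknown + ". Payment is paused.", Toast.LENGTH_LONG).show();
        }
    }
    // Ids ("package/class") of enabled accessibility services not on the allow-list.
    // A softer policy would warn without disabling payment, so assistive-service users are not locked out.
    List<String> untrustedAccessibilityServices() {
        AccessibilityManager am = (AccessibilityManager) getSystemService(Context.ACCESSIBILITY_SERVICE);
        List<AccessibilityServiceInfo> enabled =
                am.getEnabledAccessibilityServiceList(AccessibilityServiceInfo.FEEDBACK_ALL_MASK);
        List<String> unknown = new ArrayList<>();
        for (AccessibilityServiceInfo info : enabled) {
            String pkg = info.getResolveInfo().serviceInfo.packageName;
            if (!TRUSTED_A11Y_PACKAGES.contains(pkg)) unknown.add(info.getId());
        }
        return unknown;
    }
}
```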