A new string of malware has been spotted by security firm ESET infecting Android handsets that and stealing money directly from PayPal. The software disguises itself as a utility app — a battery optimizer for the time being — and effectively uses a PayPal session started by the user rather than stealing credentials or attempting a brute force attack its way past security measures. It accomplishes that using Android’s accessibility features and that means it can effectively bypass two-factor authentication (2FA). The app starts by asking users to turn on an ‘Enable statistics’ service posing as a means to collect battery data for analysis. It then scans for the PayPal application and activates a prompt to sign in, if that app is installed. Signing in while the accessibility service is active lets the trojan take over and click through the steps to transfer money to another PayPal address. The ‘service’ then launches again every time the PayPal app is opened by the user.
That entire attack is said to take around 5 seconds from start to finish, leaving the user with very little time to put an end to the process. In most cases, that’s not going to be enough time to prevent the theft and the only default failure to transfer funds occurs when the PayPal balance is insufficient to cover the transaction and there’s no fallback payment method set up. Secondary to that initial attack vector, the app will also use overlay screens to phish for a users credit card credentials and Google login details. Summarily, it downloads the HTML-based overlays, with the current list of overlays including Google Play, WhatsApp, Skype, Viber, and Gmail, asking users to input their card information or log into Google. Banking application overlays have also appeared, requesting login credentials for those accounts.
For the second attack vector, a locked screen is instantiated for the overlay to prevent navigation away from the screen using Android’s back, home, or recent apps button. The app doesn’t verify the accuracy of information, allowing users to escape that by simply inputting completely false information. So there isn’t much threat if users are aware that the login or credit card input being displayed is illegitimate. However, the app can also send or intercept messages, delete those, or change the default app to bypass text-based 2FA, in addition to having access to a device’s contacts list, calling capabilities, and socket communication. A list of installed apps and the ability to install and run applications are also part of the package, possibly allowing further attack vectors in the future.
Background: Malware on mobile devices is not exceedingly uncommon and reports have cropped up with some frequency over the past several months as a result. Generally, those tend to focus on a single attack vector or at very least an individual type of attack. Some recent examples of that include ‘TimpDoor’, ‘VPNFilter’, and ‘RedDrop’. Noted by researchers from various organizations over the past year, each of these essentially specializes in a particular pattern of attack. TimpDoor, for example, utilizes SMS-based phishing in an attempt to create a backdoor into the networks a handset is operating on. The focus is on ensuring a direct line of communication between the user’s device and servers that log and collect network traffic data — potentially compromising every connected smartphone by compromising the network itself. RedDrop and VPNFilter, conversely, focus on hijacking or holding a device hostage in order to steal either money or credentials.
The primary differentiator between those and this new attack is its attempt to both steal credentials and money by entirely separate means — phishing and a more direct override of device controls. The unnamed trojan goes a step further by attempting to steal Gmail credentials, deleting its own icon, and taking other steps in an attempt to deter detection and hide or erase its activity. According to an analysis performed on the malware, the researchers at ESET say that isn’t all the app is doing, either. Strings within the code indicate that the bad actors behind it have been exploring new ways to use the locked overlays either as a cover-up for background activity or with new messages attempting to extort money from victims. The latter of those would basically be more the same but covering up for circumvented device control could make the attacks much worse.
A locked overlay would prevent the user from seeing activity. For example, the app might use their most recent app login to transfer funds and then navigate to remove all notifications, emails, or another user-alerting history entirely. It could take that one step further and spread itself using that method too or undertake any number of other malicious tasks without the user’s consent or knowledge. Thanks to its ability to scan installed applications, it could be programmed to perform just about any associated task, leaving the victim completely unable to regain control either until those are finished or until the device is turned back on.
Impact: The attack spotted by ESET has an added malicious behavior that makes dealing with it more difficult. It attempts to trick users into thinking it has been uninstalled by displaying a screen claiming that it has crashed when users launch it. It continues running in the background and goes a step further to delete its own icon from the UI. For now, the trojan application is only available on third-party app stores, meaning that it hasn’t yet found its way onto the Google Play Store. The security features Google has been building into its app market are likely behind that and users should avoid downloading apps from other sources wherever possible. In cases where apps need to be sideloaded, users should take the time to thoroughly research software before installing it on their handset and ensure that it comes from a trusted source.
