Security researchers at ESET have discovered a new Android trojan that steals money from victims' PayPal accounts, including accounts protected by two-factor authentication (2FA).
The trojan is distributed as a malicious app called Optimization Battery. At the time of writing the app is available only through third-party app stores, not through the official Google Play Store.
The Optimization Battery app should be considered extremely dangerous, because it contains an automated routine that initiates PayPal money transfers from the victim's own account, without giving the victim a chance to stop the transaction. When installed, the app asks the user to enable an Android Accessibility service for it. Accessibility services exist for assistive apps, but any app granted one can read what is on screen and perform taps and other interface actions on the user's behalf, and that is what the trojan abuses.
The trojan then lies dormant until the user opens the official PayPal app. It waits for the user to log in and enter their two-factor authentication code, and only then starts its malicious routine. Note that the trojan never needs the 2FA code itself: it rides on the session the user has just authenticated, which is why 2FA does not protect against it.
Steals your PayPal funds in less than 5 seconds
ESET explains that the trojan abuses the Accessibility service to simulate screen taps. These taps open a new PayPal transfer, fill in the attackers' recipient account and the amount to be transferred, and then confirm the transfer.
“The whole process takes about 5 seconds, and for an unsuspecting user, there is no way to intervene in time,” ESET malware analyst Lukas Stefanko said. By default, the trojan attempts to transfer 1,000 units of whatever currency the victim's PayPal account uses.
Because the routine is triggered by the PayPal app being opened, the transfer is attempted every time the user opens PayPal. It fails only when the account no longer has enough funds to cover the transfer.
The new Android trojan can also:
- Show phishing overlays over Google Play, WhatsApp, Viber and Skype that trick the user into entering payment card details
- Show an overlay over the Gmail app that collects Google login credentials
- Show login overlays that phish credentials for various mobile banking apps
- Intercept and send SMS messages, delete all SMS messages, and change the default SMS app (to bypass SMS-based two-factor authentication)
- Obtain the contact list
- Make and forward calls
- Obtain the list of installed apps
- Install apps and launch installed apps
- Start socket communication
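The trojan depends on two footholds that a defender can check for directly: an enabled Accessibility service belonging to a sideloaded app (the PayPal automation) and control of the default SMS app (the SMS 2FA bypass). The following Python script, added here as an illustration and not part of ESET's report or of the trojan's code, parses the output of three standard adb commands and flags third-party packages holding either role. The allowlists and every package name in the sample output are constructed assumptions for this example; the adb commands and their output formats are the standard Android ones.

```python
"""Triage an Android device for the two footholds abused by the trojan:
an enabled Accessibility service owned by a sideloaded app, and a replaced
default SMS handler.

The three inputs are the raw text of these adb commands, run against a
device with USB debugging enabled:

    adb shell settings get secure enabled_accessibility_services
    adb shell pm list packages -3 -i
    adb shell settings get secure sms_default_application

The SAMPLE_* strings at the bottom are constructed for this example; the
com.example.* package names are hypothetical.
"""
from __future__ import annotations

from dataclasses import dataclass

PLAY_STORE_INSTALLER = "com.android.vending"

# Assumed allowlists: packages that legitimately hold these roles on a
# typical device. Extend them for your own fleet.
KNOWN_GOOD_ACCESSIBILITY_PKGS = {
    "com.google.android.marvin.talkback",
    "com.android.talkback",
}
KNOWN_GOOD_SMS_APPS = {
    "com.google.android.apps.messaging",
    "com.android.mms",
    "com.samsung.android.messaging",
}


@dataclass(frozen=True)
class Finding:
    severity: str  # "high" or "medium"
    package: str
    reason: str


def parse_accessibility_services(raw: str) -> list[tuple[str, str]]:
    """'pkg/Service:pkg2/Service2' -> [(pkg, Service), ...]; 'null' or '' -> []."""
    raw = raw.strip()
    if not raw or raw == "null":
        return []
    out = []
    for entry in raw.split(":"):
        if "/" not in entry:
            continue
        pkg, svc = entry.split("/", 1)
        # Android allows the shorthand 'pkg/.Service' for a class inside pkg.
        if svc.startswith("."):
            svc = pkg + svc
        out.append((pkg, svc))
    return out


def parse_pm_installers(raw: str) -> dict[str, str | None]:
    """Lines of 'package:NAME  installer=INSTALLER' -> {NAME: INSTALLER or None}."""
    installers: dict[str, str | None] = {}
    for line in raw.splitlines():
        line = line.strip()
        if not line.startswith("package:"):
            continue
        pkg, _, rest = line[len("package:"):].partition("installer=")
        installer = rest.strip()
        installers[pkg.strip()] = None if installer in ("", "null") else installer
    return installers


def triage(acc_raw: str, pm_raw: str, sms_default_raw: str) -> list[Finding]:
    """Return findings, worst first in input order: sideloaded apps holding
    an Accessibility service or the SMS-handler role are 'high'."""
    findings: list[Finding] = []
    installers = parse_pm_installers(pm_raw)  # third-party packages only (-3)
    for pkg, svc in parse_accessibility_services(acc_raw):
        if pkg in KNOWN_GOOD_ACCESSIBILITY_PKGS:
            continue
        installer = installers.get(pkg)
        if pkg in installers and installer != PLAY_STORE_INSTALLER:
            # A third-party app that did not come from Play and can drive the
            # UI: exactly the foothold the PayPal transfer routine needs.
            findings.append(Finding("high", pkg,
                f"accessibility service {svc} enabled; installer={installer or 'sideloaded'}"))
        else:
            findings.append(Finding("medium", pkg,
                f"accessibility service {svc} enabled by an unlisted app"))
    sms_app = sms_default_raw.strip()
    if sms_app and sms_app != "null" and sms_app not in KNOWN_GOOD_SMS_APPS:
        installer = installers.get(sms_app)
        sev = "high" if sms_app in installers and installer != PLAY_STORE_INSTALLER else "medium"
        findings.append(Finding(sev, sms_app,
            "is the default SMS handler (can read and delete SMS 2FA codes)"))
    return findings


# Constructed sample output (hypothetical package names) for the usage below.
SAMPLE_ACCESSIBILITY = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:"
    "com.example.batteryopt/.StatsService"
)
SAMPLE_PM = """\
package:com.whatsapp  installer=com.android.vending
package:com.example.batteryopt  installer=null
package:com.example.smsfake  installer=null
"""
SAMPLE_SMS_DEFAULT = "com.example.smsfake"

if __name__ == "__main__":
    for f in triage(SAMPLE_ACCESSIBILITY, SAMPLE_PM, SAMPLE_SMS_DEFAULT):
        print(f"[{f.severity}] {f.package}: {f.reason}")
```

Because `pm list packages -3` lists only third-party packages, a system app holding an Accessibility service is reported as medium rather than high; review those by hand. On a real device, disabling the flagged service in Settings > Accessibility removes the trojan's ability to drive the PayPal app, but the app itself should still be uninstalled.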