December 12, 2018

New Trojan Targets PayPal App

The malware also overlays HTML-based phishing screens for five apps

By CBR Staff Writer

Security researchers at Slovakia’s ESET have identified a new Android banking Trojan that sidesteps PayPal’s two-factor authentication (2FA) to steal funds: rather than attacking the login itself, it waits until the user has fully logged in and then acts inside the already-authenticated session.

The multifaceted malware also has a secondary function, downloading HTML-based phishing overlay screens for five apps – Google Play, WhatsApp, Skype, Viber, and Gmail – an initial list that can be dynamically updated.

ESET discovered the malicious software in November. It masquerades as an Android battery optimisation application distributed through third-party app marketplaces. Once a user installs the fake battery app and launches it, the app terminates itself without offering any visible functionality and hides its icon.

While hidden, the application carries out its two main functions. The first targets the PayPal application, if it is installed on the victim’s device.

The malicious application asks the user to turn on an Accessibility service disguised as ‘Enable statistics’. The prompt is Android’s standard Accessibility service permission dialog, which says the service will be able to retrieve window content and observe the user’s actions (receive notifications when they are interacting with an app). In practice, granting it lets the malware read whatever is on screen and perform taps on the user’s behalf in other apps, including PayPal.

If the official PayPal app is installed, the Trojan displays a notification alert prompting the user to open it.

ESET researcher Lukas Stefanko commented in a security blog that: “During our analysis, the app attempted to transfer 1000 euros, however, the currency used depends on the user’s location. The whole process takes about 5 seconds, and for an unsuspecting user, there is no feasible way to intervene in time.”


Banking Trojan: Nasty Tricks

The real concern for PayPal customers is that the malicious application never has to defeat PayPal’s two-factor authentication at all. It does not steal PayPal login credentials; instead it waits for the victim to log in to the app, 2FA included, and then uses the Accessibility service to drive PayPal’s own interface and transfer money to the attackers’ PayPal account.

Lukas Stefanko informed Computer Business Review that: “It automatically tries to send money to the account once the victim logs in. It interacts faster with the PayPal app than the user, so the user doesn’t even have a chance to click on anything to intervene.”

“The attackers fail only if the user has insufficient PayPal balance and no payment card connected to the account. The malicious Accessibility service is activated every time the PayPal app is launched, meaning the attack could take place multiple times,” he added in a blog.
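Because the whole attack rests on an Accessibility service the victim was tricked into enabling, the first thing a responder triaging a suspect device wants to know is which Accessibility services are turned on and which of them are not recognised. The following is an added example, not code from ESET or from the Trojan, that parses the value of Android’s `enabled_accessibility_services` secure setting (obtained with `adb shell settings get secure enabled_accessibility_services`, which returns a colon-separated list of `package/ServiceClass` entries) and flags every enabled service whose package is not on an allowlist. The allowlist, the sample setting value and the `com.example.batteryoptimizer` package name are constructed for illustration.

```python
"""Triage check: which Android Accessibility services are enabled, and which
of them are not on an allowlist of known-good services?

Added example (not from ESET's report or the article). Input is the value of
the Android secure setting `enabled_accessibility_services`, for example from:

    adb shell settings get secure enabled_accessibility_services

Android stores it as `pkg/ServiceClass:pkg/ServiceClass`; a class may appear
in ComponentName shorthand as `pkg/.ServiceClass`. A value of "null" or an
empty string means no service is enabled.
"""
from __future__ import annotations

from dataclasses import dataclass

# Constructed allowlist. TalkBack is Google's screen reader; the second entry
# is a placeholder standing in for whatever else a fleet knowingly enables.
KNOWN_GOOD_PACKAGES = frozenset({
    "com.google.android.marvin.talkback",
    "com.example.vetted.switchaccess",      # constructed placeholder
})


@dataclass(frozen=True)
class AccessibilityService:
    package: str
    service: str

    @property
    def flat(self) -> str:
        """Flattened `package/FullyQualifiedServiceClass` form."""
        return f"{self.package}/{self.service}"


def parse_enabled_services(setting_value: str) -> list[AccessibilityService]:
    """Split the raw setting string into (package, service) pairs.

    Malformed entries without a '/' are skipped rather than aborting the
    triage, and the `.Cls` shorthand is expanded to `pkg.Cls`.
    """
    value = setting_value.strip()
    if not value or value == "null":
        return []
    services: list[AccessibilityService] = []
    for entry in value.split(":"):
        entry = entry.strip()
        if "/" not in entry:
            continue
        pkg, cls = entry.split("/", 1)
        if cls.startswith("."):
            cls = pkg + cls
        services.append(AccessibilityService(pkg, cls))
    return services


def suspicious_services(setting_value: str,
                        allowlist: frozenset[str] = KNOWN_GOOD_PACKAGES,
                        ) -> list[AccessibilityService]:
    """Return enabled services whose package is not on the allowlist.

    An Accessibility service can read window content and inject taps into any
    foreground app, so every enabled service outside the allowlist deserves a
    look regardless of what its name claims to do.
    """
    return [s for s in parse_enabled_services(setting_value)
            if s.package not in allowlist]


# Constructed sample: a legitimate screen reader plus a sideloaded "battery
# optimiser" that registered its own Accessibility service.
SAMPLE_SETTING = (
    "com.google.android.marvin.talkback/"
    "com.google.android.marvin.talkback.TalkBackService:"
    "com.example.batteryoptimizer/.OptimizerAccessibilityService"
)

if __name__ == "__main__":
    for svc in suspicious_services(SAMPLE_SETTING):
        print("SUSPICIOUS accessibility service:", svc.flat)
```

On a real device, pipe the `adb shell settings get secure ...` output into `suspicious_services` and then inspect any flagged package (install source, requested permissions, whether its launcher icon is hidden); a “battery” or “statistics” app that holds this capability is exactly the pattern described above.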

With its secondary phishing function, the malware attempts to harvest credit card details: the first four app overlays (Google Play, WhatsApp, Skype and Viber) are designed to phish for these, as seen in the images below.

Android Banking Trojan

Image Source: ESET

However the Gmail overlay is different: “We suspect this is connected to the PayPal-targeting functionality, as PayPal sends email notifications for each completed transaction. With access to the victim’s Gmail account, the attackers could delete such emails to remain unnoticed longer.”

ESET has informed PayPal about the technique the Trojan uses against its application.
