Security researchers at Slovakia’s ESET have identified a new banking Trojan that bypasses PayPal’s two-factor authentication (2FA) to steal funds – waiting until users have fully logged in before enabling its exploit.
The multifaceted malware also has a secondary function, downloading HTML-based phishing overlay screens for five apps – Google Play, WhatsApp, Skype, Viber, and Gmail – an initial list that can be dynamically updated.
ESET discovered the malicious software in November. It masquerades as an Android battery optimisation application in third-party app marketplaces. Once a user downloads the battery application and launches it on their device the app terminates itself, offering no visible functions and proceeds to hide its icon.
While hidden the application carries out its two main functions. The first is the targeting of the PayPal application, if it is installed on the victim’s device.
The malicious application asks the user to give permission to ‘enable statistics’, which it says allows the user to retrieve windowed content and lets them receive notifications when they are using the app.
If the user has the official PayPal app installed the Trojan will display a notification alert asking them to open it.
ESET researcher Lukas Stefanko commented in a security blog that: “During our analysis, the app attempted to transfer 1000 euros, however, the currency used depends on the user’s location. The whole process takes about 5 seconds, and for an unsuspecting user, there is no feasible way to intervene in time.”
Banking Trojan: Nasty Tricks
The real concern for PayPal customers is that the malicious application bypasses the PayPal two-factor authentication completely. The malware does not steal your PayPal login credentials, instead it waits for you to enter into the application itself before it attempts to redirect money to a different PayPal account.
Lukas Stefanko informed Computer Business Review that: “It automatically tries to send money to the account once the victim logs in. It interacts faster with the PayPal app than the user, so the user doesn’t even have a chance to click on anything to intervene.”
“The attackers fail only if the user has insufficient PayPal balance and no payment card connected to the account. The malicious Accessibility service is activated every time the PayPal app is launched, meaning the attack could take place multiple times,” he added in a blog.
With its secondary phishing function it attempts to scrape credit card details. The first four app overlays are designed to phish for these, as seen in the images below.
However the Gmail overlay is different: “We suspect this is connected to the PayPal-targeting functionality, as PayPal sends email notifications for each completed transaction. With access to the victim’s Gmail account, the attackers could delete such emails to remain unnoticed longer.”
ESET security have informed PayPal about the new Trojan technique they have discovered targeting their application.