New Android Trojan Targets PayPal Users

In November, researchers at security firm ESET discovered a new Android banking trojan that targets mobile users who have the official PayPal app installed. The malware masquerades as a battery optimization app called “Optimization Android,” available on third-party app stores. Upon launch, the app terminates itself and hides its icon. A prompt seeming to originate from Android’s Enable Statistics service asks the user to grant the app access to observe user actions and retrieve window content. The malware then displays an alert to open the PayPal app and, within five seconds, mimics user interaction to swiftly transfer funds to the attacker’s PayPal account. This process starts after the user has logged in, which lets it bypass multi-factor authentication (MFA). Users who do not have enough funds for the transfer or have no card linked to their account will not be affected. Those who do, however, may fall victim to multiple attacks, as the malware’s malicious accessibility service executes whenever PayPal does.

The malware’s other functionality allows it to produce phishing overlays on apps like Google Play, WhatsApp, Skype, and Gmail in order to obtain user credentials and payment information. Other features include the ability to delete, send, and intercept SMS messages; forward and make calls; install apps; start socket communications; and obtain user contacts.

The NJCCIC recommends Android users only install apps from the official app store, evaluate app ratings and reviews for legitimacy, run a mobile security solution, and be aware of the permissions they grant to apps. Users who installed the malicious app should restart their device in Safe Mode to uninstall it. For more information on the malware, visit ESET’s blog post, and for further recommendations, visit our Android Malware threat profile.
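A defender-side check for the accessibility abuse described above, as an added example that is not from the NJCCIC or ESET: it parses the output of two standard adb commands and flags enabled accessibility services that belong to user-installed packages not installed from Google Play. The sample outputs, the package names in them, and the trusted-installer set are constructed assumptions.

```python
# Added example: flag enabled accessibility services that come from sideloaded apps.
# Inputs are the text output of two adb commands run against the device under review:
#   adb shell settings get secure enabled_accessibility_services
#   adb shell pm list packages -3 -i     (-3 = user-installed only, -i = show installer)
TRUSTED_INSTALLERS = {"com.android.vending"}  # Google Play; assumption, adjust per policy

def parse_enabled_services(raw):
    """Return [(package, service_class)] from the colon-separated settings value."""
    raw = raw.strip()
    if raw in ("", "null"):          # nothing enabled
        return []
    services = []
    for component in raw.split(":"):
        package, _, cls = component.partition("/")
        if package:
            services.append((package, cls))
    return services

def parse_installers(raw):
    """Map package -> installer (None if unknown) from 'package:<pkg>  installer=<x>'."""
    installers = {}
    for line in raw.splitlines():
        fields = line.strip().removeprefix("package:").split()
        if not line.strip().startswith("package:") or not fields:
            continue
        installer = None
        for field in fields[1:]:
            if field.startswith("installer=") and field != "installer=null":
                installer = field[len("installer="):]
        installers[fields[0]] = installer
    return installers

def flag_suspicious(services_raw, third_party_raw):
    """Accessibility services owned by user-installed apps from untrusted installers."""
    installers = parse_installers(third_party_raw)
    return [(pkg, cls, installers[pkg])
            for pkg, cls in parse_enabled_services(services_raw)
            if pkg in installers and installers[pkg] not in TRUSTED_INSTALLERS]

# Constructed sample output (hypothetical packages, not indicators from the report).
SAMPLE_SERVICES = ("com.example.passwordmanager/.AutofillService:"
                   "com.example.optimizer/com.example.optimizer.StatsService")
SAMPLE_THIRD_PARTY = """package:com.example.passwordmanager  installer=com.android.vending
package:com.example.optimizer  installer=null
"""

if __name__ == "__main__":
    for pkg, cls, installer in flag_suspicious(SAMPLE_SERVICES, SAMPLE_THIRD_PARTY):
        print(f"review: {pkg} ({cls}) installer={installer}")
```

Services owned by preinstalled system packages are skipped because they do not appear in the `-3` listing; anything flagged is a lead for manual review, not a verdict.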
