{"id":2027,"date":"2018-12-17T04:58:32","date_gmt":"2018-12-17T04:58:32","guid":{"rendered":"https:\/\/www.positivenewstrends.com\/?p=2027"},"modified":"2019-04-11T09:28:36","modified_gmt":"2019-04-11T09:28:36","slug":"android-trojan-deceives-two-face-authentication-of-paypal-accounts","status":"publish","type":"post","link":"https:\/\/www.positivenewstrends.com\/news\/android-trojan-deceives-two-face-authentication-of-paypal-accounts\/","title":{"rendered":"Android Trojan Deceives Two Face Authentication of PayPal accounts"},"content":{"rendered":"

Android optimization apps are commonly marketed as smart, high-performing tools: installed on a phone, they promise to improve device performance and free up storage, making the device more responsive.<\/p>\n

Trading on the merits and popularity of such optimization tools, the attackers built a malware that masquerades as a battery optimization tool to deceive users.<\/p>\n

The Trojan is distributed through third-party app stores, not the official Google Play Store. Users of the official PayPal app are its primary target.<\/p>\n

Threat Behavior of the Android Trojan<\/strong><\/h1>\n

Once the rogue application is launched, it sets off a whole series of malicious actions. Its threat behavior falls into two major parts.<\/p>\n

Misuse of Android Accessibility Service to drain money from official PayPal App<\/strong><\/h2>\n

During installation, the deceptive app requests access<\/strong> to Android\u2019s accessibility service<\/strong>, the foundation for everything that follows. The request is presented to the user as an innocuous-looking Enable statistics<\/strong> service.<\/p>\n

If the user grants access to this highly dangerous feature, the malicious app can emulate taps and other OS interactions on the user\u2019s behalf.<\/p>\n

A compromised device that has the PayPal app installed is then in trouble. The malware displays a notification prompting the user to launch the PayPal app. Once the user logs into the PayPal app<\/strong>, the Trojan abuses the Accessibility service<\/strong> to mimic screen taps and transfer money to the attacker\u2019s PayPal account.<\/p>\n

The whole process takes about five seconds, which leaves an unsuspecting user no feasible way to intervene. The process includes:<\/p>\n

    \n
  1. Opening a new PayPal transfer<\/strong><\/li>\n
  2. Entering the receiver’s PayPal account details,<\/strong><\/li>\n
  3. Entering the sum to be transferred<\/strong><\/li>\n
  4. Approving the transaction<\/strong><\/li>\n<\/ol>\n

The Trojan is written so that the automated transaction is attempted every time the user opens their PayPal account.<\/p>\n

Because the malicious routine relies on the user logging into the official payment app rather than on stealing login credentials, users who have secured their PayPal account with two-factor authentication (2FA) are just as exposed as those who have not: 2FA protects the login, and the fraudulent transfer happens after the login has already succeeded.<\/p>\n

An insufficient PayPal balance or no payment card linked to the account are the only two things that cause the malicious routine to fail.<\/p>\n

Overlaying the Screens of Legitimate Apps with Phishing Screens<\/strong><\/h2>\n

ESET security researcher Lukas Stefanko<\/a>, who analysed the new Trojan\u2019s features, also revealed its other characteristic.<\/p>\n

Besides the PayPal theft functionality, the malware also leverages the popularity of several widely used legitimate apps, overlaying them with phishing screens to steal credit card details and login credentials.<\/p>\n

    The apps that are abused include:<\/p>\n

      \n
    1. WhatsApp<\/strong><\/li>\n
    2. Viber<\/strong><\/li>\n
    3. Google Play<\/strong><\/li>\n
    4. Skype<\/strong><\/li>\n
    5. Gmail<\/strong><\/li>\n<\/ol>\n

The malicious overlay screens for Google Play, WhatsApp, Viber and Skype request credit card details; the overlay for Gmail asks for Gmail credentials.<\/p>\n

Other malicious overlay screens targeting a few legitimate banking apps have also been detected. To prevent users from dismissing the overlay by pressing the back or home button, the Trojan displays the phishing screen in lock foreground screen mode, so neither button removes it.<\/p>\n

To get rid of a malicious overlay screen, enter invalid data: incorrect input makes these screens disappear.<\/p>\n
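Both parts of the Trojan\u2019s behaviour described above rest on two privileges a user can grant to any app: an enabled accessibility service (which scripts the taps inside PayPal) and the "draw over other apps" permission, SYSTEM_ALERT_WINDOW (which puts the phishing overlays on top of WhatsApp, Gmail and the rest). The following is an added triage script, not code from this article or from ESET, that reads both with adb and flags any package holding either privilege that is not on a vetted list. The sample adb outputs, the package names and the vetted list are constructed for illustration; the appops output format differs between Android versions, so it is matched leniently.<\/p>\n

```python
"""Triage the two privileges this Trojan depends on: accessibility and overlay.

Added example; not code from the article or from ESET. Reads two things adb
exposes on a connected device:

    adb shell settings get secure enabled_accessibility_services
    adb shell appops get <package> SYSTEM_ALERT_WINDOW

and reports packages holding either privilege that are not on a vetted list.
The sample outputs, package names and vetted list are constructed.
"""
import subprocess
from typing import Dict, Iterable, List, Optional, Set, Tuple

# Constructed sample of the settings value: "pkg/serviceclass" entries joined by ":".
SAMPLE_ACCESSIBILITY_SETTING = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:"
    "com.example.batteryoptimizer/.StatsService"
)

# Constructed sample of `appops get <pkg> SYSTEM_ALERT_WINDOW` output per package.
SAMPLE_APPOPS: Dict[str, str] = {
    "com.whatsapp": "No operations.\n",
    "com.example.batteryoptimizer": "SYSTEM_ALERT_WINDOW: allow; time=+2h13m7s ago\n",
}

# Constructed vetted list: packages allowed to hold either privilege.
VETTED_PACKAGES: Set[str] = {"com.google.android.marvin.talkback"}


def parse_enabled_services(setting: str) -> List[Tuple[str, str]]:
    """Split the settings value into (package, fully qualified service class) pairs.

    A class written as ".Foo" is shorthand relative to its package. An empty
    value or the literal "null" means no accessibility service is enabled.
    """
    setting = setting.strip()
    if not setting or setting == "null":
        return []
    pairs = []
    for entry in setting.split(":"):
        if "/" not in entry:
            continue  # skip malformed fragments instead of aborting a triage run
        pkg, cls = entry.split("/", 1)
        if cls.startswith("."):
            cls = pkg + cls
        pairs.append((pkg, cls))
    return pairs


def overlay_allowed(appops_output: str) -> bool:
    """True if the appops output shows SYSTEM_ALERT_WINDOW in the allow state."""
    for line in appops_output.splitlines():
        if line.startswith("SYSTEM_ALERT_WINDOW:"):
            return line.split(":", 1)[1].strip().startswith("allow")
    return False  # "No operations." or a denied/default mode


def find_unvetted(services: Iterable[Tuple[str, str]],
                  appops: Dict[str, str],
                  vetted: Set[str]) -> Dict[str, List[str]]:
    """Map each non-vetted package to the dangerous privileges it holds."""
    findings: Dict[str, List[str]] = {}
    for pkg, _cls in services:
        if pkg not in vetted:
            findings.setdefault(pkg, []).append("accessibility")
    for pkg, output in appops.items():
        if pkg not in vetted and overlay_allowed(output):
            findings.setdefault(pkg, []).append("overlay")
    return findings


def read_from_device(serial: Optional[str] = None) -> Tuple[str, Dict[str, str]]:
    """Fetch live values over adb (needs a connected, authorised device)."""
    base = ["adb"] + (["-s", serial] if serial else []) + ["shell"]

    def run(*args: str) -> str:
        return subprocess.run(base + list(args), capture_output=True,
                              text=True, check=True).stdout

    setting = run("settings", "get", "secure", "enabled_accessibility_services")
    # `pm list packages -3` prints one "package:<name>" line per third-party app.
    packages = [line.split(":", 1)[1].strip()
                for line in run("pm", "list", "packages", "-3").splitlines()
                if line.startswith("package:")]
    return setting, {p: run("appops", "get", p, "SYSTEM_ALERT_WINDOW") for p in packages}


if __name__ == "__main__":
    services = parse_enabled_services(SAMPLE_ACCESSIBILITY_SETTING)
    for pkg, privs in find_unvetted(services, SAMPLE_APPOPS, VETTED_PACKAGES).items():
        print(f"{pkg}: holds {', '.join(privs)} and is not on the vetted list")
```

Run it as-is to see the constructed case; replace the two SAMPLE_ constants with the tuple returned by read_from_device() to triage a real handset. A hit on both privileges from a package that presents itself as an "optimizer" is exactly the pattern described above.<\/p>\n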

Other Malicious Acts of this Android Malware<\/strong><\/h1>\n

The malware is also capable of the following malicious acts:<\/p>\n