Occasionally some trojans have been found on Android, but this is probably one of the worst. This new threat automates a $ 1000 PayPal transaction and sends it using the official PayPal application itself, even to two-point checking accounts (2FA).
This is done using different, up to date methods and utilizing Android accessibility services. The trojan is currently disguising itself as an Android optimization tool called Android Optimization and has reached out to users' phones through third-party stores. Apart from the official Play store there are also third party stores so beginner advice: do not use third-party stores. Use only Play Store.
When you install the “Optimization Android” program, a service called “Enable statistics” is created. Of course this service requests access to track user actions and retrieve it content of the windows.
But somewhere things get worse as the Trojan horse can imitate alerts. Creates a notice that looks like these PayPal that pushes the user to connect.
When you tap the notification, it opens the official PayPal app (if installed) and asks the user to sign in. As long as it is a legitimate endeavor connectionς στην επίσημη εφαρμογή της Paypal το 2FA δεν κάνει τίποτα για να εξασφαλίσει τον account you, in addition to sending you an additional code which when you insert it you will log in normally.
Once logged in, the malicious application takes over the transfer of $ 1000 from your PayPal account to the attacker. This automated process occurs in less than five seconds. ESET made a video of the whole process and it is very crazy how fast the whole process is done:
Once you realize what's going on, it's too late to stop it. The only thing stopping the process is that maybe your PayPal balance is too low and you haven't added any other funding methods. So, Paypal simply cancels the transaction due to lack of funds. Otherwise, you should realize it within a weekteamand make a "transaction rejection" to Paypal, asking them to investigate and cancel the transaction, a process that takes at least 1 month.
But it does not end there. Not only does this trojan attack a user's PayPal account, but it also uses Android Screen Overlay to place illegal login screens on legitimate applications.
The trojan displays HTML overlays on Google Play, WhatsApp, Skype, and Viber, and then uses them to remove the credit card details. It can also create an overlay in Gmail by stealing user login credentials.
While the overlay attack is currently limited to the aforementioned applications, the list could be updated at any time, meaning that this type of attack can be extended at any point to steal any type informations that the attacker wants. ESET's We Live Security service emphasizes that the attacker could explore other options by using the overlay