Occasionally some trojans have been found on Android, but this is probably one of the worst. This new threat automates a $ 1000 PayPal transaction and sends it using the official PayPal application itself, even to two-point checking accounts (2FA).
This is done using different, up to now methods and making use of them services Android accessibility. The trojan currently disguises itself as an Android optimization tool called Android Optimization and has reached users' phones through third-party stores. In addition to the official Play store, there are also third-party stores, so advice for beginners: do not use third-party stores. Use only Play Store.
When you install the "Optimization Android" program, a service called "Enable statistics" is created. Of course this service requests access to monitor users' actions and retrieve the contents of windows.
But somewhere in there things start to get worse as the Trojan horse can mimic notifications. Creates a notice which looks like those PayPal prompts the user to login.
When you tap the notification, it opens the official PayPal application (if installed) and asks the user to log in. Since it is a legitimate attempt to link to the official Paypal application, 2FA does nothing to secure your account, in addition to sending you an extra code that you will normally log in when you place it.
Once logged in, the malicious application takes over the transfer of $ 1000 from your PayPal account to the attacker. This automated process occurs in less than five seconds. ESET made a video of the whole process and it is very crazy how fast the whole process is done:
Once you understand what is happening, it is too late to stop. The only thing that stops the process is that maybe your balance on PayPal is too low and you have not added other funding methods. So, Paypal simply cancels the transaction due to lack of money. Otherwise, you should find out within a week and make a "non-acceptance transaction" on Paypal, asking it to investigate and cancel the transaction, a process that takes at least 1 month.
But it doesn't end there. Not only does this trojan attack the user's PayPal account, it also uses Android's Screen Overlay feature to overlay illegal login screens over legitimate ones. applications.
The trojan displays HTML overlays on Google Play, WhatsApp, Skype, and Viber, and then uses them to remove the credit card details. It can also create an overlay in Gmail by stealing user login credentials.
While the overlay attack is currently limited to the aforementioned applications, the list could be updated at any time, meaning that this type of attack can be extended at any point to steal any type informations that the attacker wants. ESET's We Live Security service emphasizes that the attacker could explore other options by using the overlay
