Of the phones on the market, Android devices are clearly targeted more often, partly because of the platform's market share and partly because apps can be installed from outside Google Play. Samples of Android malware are regularly detected and reverse engineered. One recent example focused on stealing funds from the user's PayPal account.
This sample was discovered in November 2018 by ESET. The malware poses as a battery enhancement application, titled Android Optimization, a lure that works because most users want longer battery life. In theory the app optimizes the device's battery; in practice it was coded to transfer roughly 1,000 euros out of the victim's PayPal account in about five seconds. What makes this notable, beyond the code itself, is the distribution channel: the app was circulated through third-party app stores rather than Google Play. Sideloading is hardly novel, but it lets the application skip the Play Store entirely, along with the review and code checks that come with it.
The sample was coded to abuse Android's Accessibility Service. Accessibility services exist to assist users with disabilities: an app granted this access can read what is on the screen and perform taps and clicks on the user's behalf. The malware instead lures the user into enabling its service, which hands the attackers control over that portion of the phone. That control is exercised when the user opens specific applications, primarily PayPal, Google Play, WhatsApp, Skype, Gmail, and a few banking apps. The malware attacks the user in two ways. The first is a pop-up notification that prompts the user to launch PayPal; once the user has logged in, the accessibility service takes over and navigates the app to send the payment. The second is a phishing window overlaid on legitimate apps to phish for credit card details and Gmail login credentials.
The interesting part of the overlay is that it is displayed as a lock-screen-style window held in the foreground. The user cannot dismiss it with the home or back buttons; the only way past it is to enter a username and password. Fortunately the overlay accepts whatever the user types, so completely false data will clear it and the phone remains usable. The PayPal transfer fails only when the account holds less than the 1,000 euro balance and no credit card is attached to it. The transfer routine is triggered every time the PayPal app is opened.
A majority of the malware in the wild works to steal credentials, which are then used in various forms at a later point. This malware does not focus on that. It simply waits in the background for the user to do the work and log into PayPal, two-factor authentication included, and then automates the transfer from the already authenticated session. This is why 2FA does not stop it. The transfer automation is coupled with the phishing function described above.
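As an added example (not code from this article or from ESET's analysis), the following Python script performs the triage check a responder would want after reading the above. It parses the output of two adb commands, settings get secure enabled_accessibility_services and pm list packages -i, and flags any app that has an accessibility service enabled but was not installed from Google Play, which is exactly the profile of a sideloaded "optimizer" that asks for accessibility access. The package name com.optimize.battery, the service class names and the command outputs embedded in the script are constructed samples, not data taken from the real malware.

```python
"""Triage check for the accessibility-abuse pattern described above.

Added example, not code from the article or from ESET. It cross-references
enabled accessibility services against each package's installer so that a
sideloaded app holding accessibility access stands out.
"""
import re
import subprocess

PLAY_STORE = "com.android.vending"   # installer package name of Google Play

# Accessibility services that are expected on a device (assumption: adjust
# this list for your own fleet). Anything else that is enabled gets flagged.
KNOWN_GOOD_PACKAGES = {"com.google.android.marvin.talkback", "com.android.talkback"}

# Constructed sample of: adb shell settings get secure enabled_accessibility_services
# (colon-separated list of package/service components; "null" when none enabled)
SAMPLE_ENABLED = ("com.android.talkback/.TalkBackService:"
                  "com.optimize.battery/com.optimize.battery.StatsService")

# Constructed sample of: adb shell pm list packages -i
# ("installer=null" is what a sideloaded or adb-installed app reports)
SAMPLE_PM_LIST = """package:com.android.talkback  installer=null
package:com.google.android.gm  installer=com.android.vending
package:com.optimize.battery  installer=null
package:com.paypal.android.p2pmobile  installer=com.android.vending
"""


def parse_enabled_services(raw):
    """Return {package: [fully qualified service class, ...]} from the settings value."""
    services = {}
    for entry in raw.strip().split(":"):
        if not entry or "/" not in entry:      # handles "null" and empty values
            continue
        pkg, svc = entry.split("/", 1)
        if svc.startswith("."):               # ".Foo" is shorthand for pkg + ".Foo"
            svc = pkg + svc
        services.setdefault(pkg, []).append(svc)
    return services


def parse_installers(raw):
    """Return {package: installer_package_or_None} from `pm list packages -i` output."""
    installers = {}
    for line in raw.splitlines():
        m = re.match(r"package:(\S+)\s+installer=(\S+)", line.strip())
        if m:
            pkg, inst = m.groups()
            installers[pkg] = None if inst == "null" else inst
    return installers


def flag_suspicious(enabled_raw, pm_list_raw):
    """Return [(package, service, installer)] for enabled accessibility services
    whose package is neither known-good nor installed from Google Play."""
    enabled = parse_enabled_services(enabled_raw)
    installers = parse_installers(pm_list_raw)
    flagged = []
    for pkg, svcs in enabled.items():
        if pkg in KNOWN_GOOD_PACKAGES:
            continue
        inst = installers.get(pkg)            # None: sideloaded or unknown package
        if inst != PLAY_STORE:
            for svc in svcs:
                flagged.append((pkg, svc, inst))
    return flagged


def collect_from_device():
    """Pull both values from a USB-attached device (requires adb on PATH)."""
    def sh(*args):
        return subprocess.run(["adb", "shell", *args], capture_output=True,
                              text=True, check=True).stdout
    return (sh("settings", "get", "secure", "enabled_accessibility_services"),
            sh("pm", "list", "packages", "-i"))


if __name__ == "__main__":
    # Swap the constructed samples for collect_from_device() to run against a phone.
    for pkg, svc, inst in flag_suspicious(SAMPLE_ENABLED, SAMPLE_PM_LIST):
        print(f"REVIEW: {pkg} has accessibility service {svc} enabled (installer={inst})")
```

On the constructed sample this reports only com.optimize.battery: TalkBack is on the known-good list, and the Gmail and PayPal packages have no accessibility service enabled at all. An installer of Google Play is not proof of safety, so the check narrows the list rather than clearing an app; anything flagged should be pulled and examined, with the accessibility service disabled in the meantime.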
There are also different variants of this malware. These may be coded to intercept and send SMS messages, delete SMS messages, change the default SMS application, exfiltrate the user's contact list, make and forward calls, exfiltrate the list of installed apps, and install and run apps.
EHacking News. (2018, December 13). Android malware steals 1,000 euros in around 5 seconds via PayPal. Retrieved from http://www.ehackingnews.com/2018/12/android-malware-steals-1000-euros-in.html
The Paypers. (2018, December 29). Android malware steals money fast via PayPal. Retrieved from https://www.thepaypers.com/digital-identity-security-online-fraud/android-malware-steals-money-fast-paypal/776413-26
We Live Security. (2018, December 11). Android Trojan steals money from PayPal accounts even with 2FA. Retrieved from https://www.welivesecurity.com/2018/12/11/android-trojan-steals-money-paypal-accounts-2fa/
About the Author - Charles Parker, II has been working in the info sec field for over a decade, performing pen tests, vulnerability assessments, consulting with small- to medium-sized businesses to mitigate and remediate their issues, and preparing IT and info sec policies and procedures. Mr. Parker’s background includes work in the banking, medical, automotive, and staffing industries.