Android Trojan steals money from PayPal accounts even with 2FA on
ESET researchers discovered a new Android Trojan using a novel Accessibility-abusing technique that targets the official PayPal app.
On the implications for end users, Sam Bakken, Senior Product Marketing Manager at OneSpan:
“It’s time for all of us to be more scrupulous when it comes to the apps that we install and the permissions we grant them. Accessibility permissions are incredibly powerful and can lead to malware taking action on your behalf inside your apps, which is what occurred in this case. Though it’s not a cure-all (after all, banking Trojans make it onto official stores as well), it’s best to stick with official app stores. In addition, before you download the app, make sure you’re taking time to read reviews — especially the negative reviews, as miscreants are known to create fake positive reviews of their apps in order to hook more victims. Finally, when we download an app, we need to think hard about whether there’s actually good reason to grant an app the permissions it asks for, and really, to be safest we should default to not granting those permissions even if it means you can’t use that particular app. App developers and publishers can also offer some relief by using app shielding technology in their mobile apps to detect malicious behaviors and shut the targeted app down and stop fraud before it takes place.”
On the developer’s perspective, Will LaSala, Director of Security Solutions and Security Evangelist at OneSpan:
“The newly released information regarding an attack against the PayPal app highlights the vulnerabilities of installing apps from unknown sources and how easily an overlay attack can hijack a strong application. This starts with the user being tricked into downloading a simple utility app, which is in actuality a malware application. What is concerning is that this malware app can download other applications, so even though today’s attack is against PayPal, this attack could easily be repurposed to attack any other application on the user’s mobile device. What’s new for this malware is that it is not focused on phishing for the user’s credentials (although it appears to attempt to phish for the user’s credit card information); instead it attempts to directly attack the transaction by creating an instant money transfer to the attacker’s account.
“Application providers need to offer protection against these types of attacks. Solutions such as mobile application shielding prevent screen overlay attacks and can render this type of attack useless. Additionally, application providers should use application repackage prevention technologies and only publish their application on official app stores, as this will further strengthen the bond for their users and encourage them to also only get their applications from the trusted app stores. Finally, applications should be implementing intelligent risk-based step-up authentication. This allows the application to detect a fraudulent transaction and then automatically request that the user perform the correct type of authentication before the transaction is allowed to be completed. In this particular case, if intelligent risk-based step-up authentication had been used, it is likely that the application would have flagged this transaction and would have asked the user for a fingerprint or facial authentication before allowing the transaction to continue.
“Consumers should be wary of installing any applications from external sources and wary about the permissions they allow their applications to have. Permissions are not always clear-cut, and if a user is questioning a permission it is better not to allow the permission and to ask the developer for more information before allowing it. Open communication with the app developer and a full, clear understanding of how an app works are key objectives for any app developer and their users.”
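As an added illustration of the app-side defenses LaSala describes (overlay-touch filtering and risk-based step-up to a biometric check), the following Kotlin sketch shows how an Android payment app could gate a money transfer. It is example code written for this page, not code from ESET, OneSpan or PayPal, and it uses only public Android and AndroidX APIs. The package name, `TransferRequest`, `KNOWN_GOOD_SERVICES`, the 100.00 step-up threshold and the `send` callback are assumptions made for the example; an app would use its own models and server-side risk signals.

```kotlin
// Added example, not the code of any vendor named on the page.
// Assumed names: TransferRequest, KNOWN_GOOD_SERVICES, Decision, send().
package com.example.transferguard  // hypothetical package

import android.accessibilityservice.AccessibilityServiceInfo
import android.content.Context
import android.view.MotionEvent
import android.view.View
import android.view.accessibility.AccessibilityManager
import androidx.biometric.BiometricPrompt
import androidx.core.content.ContextCompat
import androidx.fragment.app.FragmentActivity

/** Hypothetical transfer model used only by this example. */
data class TransferRequest(val amountCents: Long, val payeeId: String, val payeeIsNew: Boolean)

/** Accessibility services the app tolerates (assumption: only TalkBack). */
private val KNOWN_GOOD_SERVICES = setOf("com.google.android.marvin.talkback")

/** Package names of enabled accessibility services that are not on the allowlist. */
fun unknownAccessibilityServices(ctx: Context): List<String> {
    val am = ctx.getSystemService(Context.ACCESSIBILITY_SERVICE) as AccessibilityManager
    return am.getEnabledAccessibilityServiceList(AccessibilityServiceInfo.FEEDBACK_ALL_MASK)
        .map { it.resolveInfo.serviceInfo.packageName }
        .filter { it !in KNOWN_GOOD_SERVICES }
}

/**
 * Overlay defence: discard taps that pass through another app's window drawn
 * over the confirm button. This stops classic overlay/clickjacking but NOT
 * accessibility-driven ACTION_CLICK, which never goes through touch dispatch;
 * that case is what the step-up below is for.
 */
fun hardenConfirmButton(button: View) {
    button.filterTouchesWhenObscured = true
    button.setOnTouchListener { _, ev ->
        // Returning true consumes (swallows) the event when it is flagged obscured.
        (ev.flags and MotionEvent.FLAG_WINDOW_IS_OBSCURED) != 0
    }
}

enum class Decision { ALLOW, STEP_UP }

/** Pure risk decision so it can be unit-tested without an Android Context. */
fun decide(req: TransferRequest, suspiciousServices: List<String>,
           stepUpThresholdCents: Long = 10_000): Decision = when {
    req.payeeIsNew -> Decision.STEP_UP                         // first payment to this payee
    req.amountCents >= stepUpThresholdCents -> Decision.STEP_UP // large amount (assumed 100.00)
    suspiciousServices.isNotEmpty() -> Decision.STEP_UP        // unknown accessibility service is active
    else -> Decision.ALLOW
}

/** Step-up: a biometric prompt is system UI that an accessibility service cannot click through. */
fun requireBiometric(activity: FragmentActivity, onPass: () -> Unit, onFail: (String) -> Unit) {
    val executor = ContextCompat.getMainExecutor(activity)
    val prompt = BiometricPrompt(activity, executor, object : BiometricPrompt.AuthenticationCallback() {
        override fun onAuthenticationSucceeded(result: BiometricPrompt.AuthenticationResult) = onPass()
        override fun onAuthenticationError(errorCode: Int, errString: CharSequence) = onFail(errString.toString())
    })
    val info = BiometricPrompt.PromptInfo.Builder()
        .setTitle("Confirm transfer")
        .setSubtitle("Use your fingerprint or face to approve this payment")
        .setNegativeButtonText("Cancel")
        .build()
    prompt.authenticate(info)
}

/** Entry point called from the confirm button; `send` is the app's own (assumed) transfer call. */
fun submitTransfer(activity: FragmentActivity, req: TransferRequest, send: (TransferRequest) -> Unit) {
    when (decide(req, unknownAccessibilityServices(activity))) {
        Decision.ALLOW -> send(req)
        Decision.STEP_UP -> requireBiometric(
            activity,
            onPass = { send(req) },
            onFail = { reason -> /* log the refusal; the transfer is not sent */ }
        )
    }
}
```

Two caveats worth keeping in mind: `filterTouchesWhenObscured` only blocks touches routed through an overlaying window, so it does nothing against a malicious accessibility service that performs clicks directly, which is why the decision logic treats an unknown enabled service as a reason to step up; and the biometric prompt is a real barrier only because it is rendered by the system rather than by the app, so the client-side `decide` should be mirrored by server-side risk scoring that an attacker cannot suppress by patching the app.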