An Android Malware Can Steal Money From PayPal Account
Aadhya Khatri
ESET discovered malware that can transfer money from users' PayPal accounts even if they have two-factor authentication (2FA) on.
ESET, a company that provides IT security solutions, has discovered malware that can transfer money from PayPal without the user's permission even if their 2FA is on. This malicious software hides inside a battery optimization app.
The good news here is that this app is unavailable on the Play Store and is distributed through a third-party app store, which means not many people have been exposed to the malware.
However, you should not let your guard down just yet. This app contains a system that can initiate a money transfer without the user noticing, and by the time they do notice, it is often too late.
The malware is able to do this by asking for permission to access Android Accessibility. It is then able to automate OS interactions and screen taps.
Once it gains access, it does not transfer any money right away. Both the trojan and the app stay silent until the user logs into the PayPal app. The malware either waits for the user to do this on their own or sends a fake notification to trick them into opening the app.
Its next step is to wait for the user to type in the 2FA code, and then it starts taking action.
ESET found out about this malware through a device belonging to one of its customers, because the malicious software takes advantage of Android Accessibility to imitate screen taps.
A new PayPal transfer is initiated; next, the PayPal account of the receiver and a sum of money are entered. Finally, the Trojan approves the transfer.
According to Lukas Stefanko, ESET malware analyst, this whole malicious process takes under 5 seconds. If users do not become suspicious and act in time, they cannot prevent the theft. By default the Trojan takes 1000 units of the PayPal account's currency. In the case of ESET, the sum is €1,000.
The malware is programmed to steal every time the user opens their PayPal app. However, if the user’s account does not have any money left or is empty, it cannot perform its wicked trick.
By abusing Accessibility, the Trojan can also obtain the user's contact list and steal card details as well as Google account and mobile banking app credentials.
PayPal has been notified about this matter, and victims of this app can ask for transaction reversal.
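The article's two risk signals, an app that comes from outside the Play Store and holds an enabled Accessibility service, can be checked together on a device. The following is an added example, not code from ESET or the original article: it parses the text output of `adb shell settings get secure enabled_accessibility_services` and `adb shell pm list packages -i -3`, and flags user-installed packages with an enabled accessibility service that no trusted store installed. The sample output, package names and the trusted-installer set are constructed assumptions.

```python
# Added example: audit enabled accessibility services against install source.
# Inputs are the text output of two adb commands (samples below are constructed):
#   adb shell settings get secure enabled_accessibility_services
#   adb shell pm list packages -i -3      (-3 = user-installed packages only)
TRUSTED_INSTALLERS = {"com.android.vending"}  # Google Play; assumption, adjust per policy

def parse_enabled_services(raw):
    """Return {package: [service classes]} from the colon-separated setting."""
    services = {}
    raw = raw.strip()
    if not raw or raw == "null":          # setting unset: no services enabled
        return services
    for component in raw.split(":"):
        package, _, cls = component.partition("/")
        services.setdefault(package, []).append(cls)
    return services

def parse_installers(raw):
    """Return {package: installer or None} from `pm list packages -i` lines."""
    installers = {}
    for line in raw.splitlines():
        fields = line.strip().split()
        if not fields or not fields[0].startswith("package:"):
            continue
        value = next((f.split("=", 1)[1] for f in fields[1:]
                      if f.startswith("installer=")), "null")
        installers[fields[0].split(":", 1)[1]] = None if value == "null" else value
    return installers

def flag_sideloaded_accessibility(services_raw, third_party_raw):
    """List (package, installer) for user-installed apps that hold an enabled
    accessibility service but were not installed by a trusted store."""
    installers = parse_installers(third_party_raw)
    findings = []
    for package in sorted(parse_enabled_services(services_raw)):
        # Packages absent from the -3 listing are preinstalled and skipped here.
        if package in installers and installers[package] not in TRUSTED_INSTALLERS:
            findings.append((package, installers[package]))
    return findings

# Constructed sample output; the package names are hypothetical.
SAMPLE_SERVICES = ("com.google.android.marvin.talkback/.TalkBackService:"
                   "com.example.batteryoptimizer/.OptimizeService")
SAMPLE_THIRD_PARTY = """package:com.example.batteryoptimizer  installer=null
package:com.example.notes  installer=com.android.vending"""

if __name__ == "__main__":
    print(flag_sideloaded_accessibility(SAMPLE_SERVICES, SAMPLE_THIRD_PARTY))
```

A finding is a prompt for review rather than proof of malice, since legitimate sideloaded tools can also use Accessibility.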