Android has seen some bad Trojans, but this may be one of the worst. This new threat automates a $1,000 PayPal transfer and sends it through the official PayPal app.
The PayPal Hijack
The malware's core trick is abusing Android's accessibility services. It currently disguises itself as an Android optimization tool and reaches users' phones through third-party app stores. Do not use third-party app stores.
Once installed, "Optimization Android" (seriously, why would anyone install something with that name?) registers an accessibility service called "Enable statistics" and asks the user to turn it on. The request looks harmless enough: the service wants to observe user actions and retrieve window content, which almost makes sense if you believe the app is about making your phone faster.
It gets worse. Because an enabled accessibility service lets the Trojan effectively emulate touches, it generates a notification that looks like it came from PayPal and asks the user to log in.
Tapping that notification opens the official PayPal app (if it is installed). This is not a phishing page: the real app opens and prompts the user to log in. Because the login is genuine and happens inside the official app, 2FA does not protect the account here; the user simply logs in as usual and enters the 2FA code when it arrives. Once the user is signed in, the malicious accessibility service takes over the screen and transfers $1,000 from the PayPal account to the attacker. The whole automated process takes less than five seconds. We Live Security recorded a video of it, and it is alarming how fast it all happens:
By the time you realize what is going on, it is too late to stop it. Once started, the transfer only fails if the PayPal balance is too low and no other funding source is linked to the account; otherwise, the money is on its way.
And it doesn't end there.
The Overlay Attack
Beyond the PayPal account, this Trojan also abuses Android's screen overlay capability to draw fake login screens on top of legitimate apps.
The malware downloads HTML overlay screens for Google Play, WhatsApp, Skype, and Viber and uses them to phish credit card details. It can also draw an overlay over the Gmail login screen to steal the user's credentials.
The overlay attack is currently limited to the apps listed above, but the target list can be updated at any time, so this type of attack could be extended to steal essentially any information the attacker wants. We Live Security also point out that the attackers appear to be exploring other uses for the overlay:
According to our analysis, the authors of this Trojan have been looking for further uses for this screen overlay mechanism. The malware's code contains strings claiming that the victim's phone has been locked for displaying child pornography and can be unlocked by sending an email to a specified address. Such claims are reminiscent of early mobile ransomware attacks, in which victims were scared into believing their devices had been locked due to supposed police sanctions. It is unclear whether the attackers behind this Trojan also plan to extort money from victims, or whether this functionality would merely serve as cover for other malicious actions happening in the background.
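Both phases described above (the PayPal hijack and the overlay phishing) depend on capabilities the user grants by hand and that are visible over adb: an enabled accessibility service, which can read window content and inject taps inside the real PayPal app, and the "draw over other apps" permission (the SYSTEM_ALERT_WINDOW appop) used for the overlays. The following triage script is an added example for this article, not code from We Live Security's report or from the malware. It parses the output of three `adb shell` commands and flags third-party packages holding either capability, treating anything not installed from the Play Store as higher risk. The package names in the embedded sample output are constructed (`com.example.optimizer` stands in for the Trojan's "Optimization Android"), and the `appops query-op` subcommand is assumed to be present, which is not true of older Android builds.

```python
"""Audit an Android device for enabled accessibility services and overlay
permission holders, the two hand-granted capabilities abused by the PayPal
Trojan described above.  Added example; anything flagged is a lead to
investigate, not proof of infection."""
import shutil
import subprocess
from typing import Dict, List, Optional, Tuple

PLAY_STORE = "com.android.vending"   # installer id reported for Google Play


def parse_enabled_services(raw: str) -> List[Tuple[str, str]]:
    """Parse `settings get secure enabled_accessibility_services`: a
    colon-separated list of package/ServiceClass entries, or 'null'."""
    raw = raw.strip()
    if not raw or raw == "null":
        return []
    services = []
    for entry in raw.split(":"):
        if "/" not in entry:
            continue
        pkg, cls = entry.split("/", 1)
        if cls.startswith("."):          # ".Foo" is shorthand for "<pkg>.Foo"
            cls = pkg + cls
        services.append((pkg, cls))
    return services


def parse_installers(raw: str) -> Dict[str, Optional[str]]:
    """Parse `pm list packages -3 -i` (third-party packages only).  Lines look
    like `package:com.foo  installer=com.android.vending`; sideloaded and
    third-party-store packages typically report installer=null."""
    installers: Dict[str, Optional[str]] = {}
    for line in raw.splitlines():
        line = line.strip()
        if not line.startswith("package:"):
            continue
        pkg, _, rest = line[len("package:"):].partition(" ")
        installer = None
        for token in rest.split():
            if token.startswith("installer="):
                value = token[len("installer="):]
                installer = None if value == "null" else value
        installers[pkg.strip()] = installer
    return installers


def parse_overlay_holders(raw: str) -> List[str]:
    """Parse `appops query-op SYSTEM_ALERT_WINDOW allow`, assumed to print one
    package name per line (lines with spaces, e.g. 'No operations.', are
    skipped)."""
    return [ln.strip() for ln in raw.splitlines() if ln.strip() and " " not in ln.strip()]


def triage(services, installers, overlay_pkgs) -> Dict[str, dict]:
    """Combine the three views for third-party packages (those listed by
    `pm -3`).  HIGH: accessibility service on a package not from Play;
    MEDIUM: accessibility from Play, or overlay permission not from Play;
    REVIEW: overlay permission on a Play-installed package."""
    report: Dict[str, dict] = {}

    def row(pkg: str) -> dict:
        return report.setdefault(
            pkg, {"installer": installers[pkg], "accessibility": [], "overlay": False})

    for pkg, cls in services:
        if pkg in installers:                 # skip system packages
            row(pkg)["accessibility"].append(cls)
    for pkg in overlay_pkgs:
        if pkg in installers:
            row(pkg)["overlay"] = True
    for r in report.values():
        not_play = r["installer"] != PLAY_STORE
        if r["accessibility"] and not_play:
            r["severity"] = "HIGH"
        elif r["accessibility"] or not_play:
            r["severity"] = "MEDIUM"
        else:
            r["severity"] = "REVIEW"
    return report


# Constructed sample output (not captured from a real device).
SAMPLE_SERVICES = ("com.example.pwmanager/.AutofillService"
                   ":com.example.optimizer/.StatsService")
SAMPLE_INSTALLERS = """\
package:com.example.pwmanager  installer=com.android.vending
package:com.example.optimizer  installer=null
package:com.example.chat  installer=com.android.vending
"""
SAMPLE_OVERLAY = "com.example.optimizer\ncom.example.chat\n"


def run_sample() -> Dict[str, dict]:
    """Run the triage over the constructed sample output."""
    return triage(parse_enabled_services(SAMPLE_SERVICES),
                  parse_installers(SAMPLE_INSTALLERS),
                  parse_overlay_holders(SAMPLE_OVERLAY))


def adb(*args: str) -> str:
    return subprocess.run(["adb", "shell", *args], capture_output=True,
                          text=True, check=True).stdout


def audit_device() -> Dict[str, dict]:
    """Same triage against a connected device with USB debugging enabled."""
    return triage(
        parse_enabled_services(adb("settings", "get", "secure", "enabled_accessibility_services")),
        parse_installers(adb("pm", "list", "packages", "-3", "-i")),
        parse_overlay_holders(adb("appops", "query-op", "SYSTEM_ALERT_WINDOW", "allow")))


if __name__ == "__main__":
    report = audit_device() if shutil.which("adb") else run_sample()
    for pkg, r in sorted(report.items(), key=lambda kv: kv[1]["severity"]):
        print(f"{r['severity']:6} {pkg:32} installer={r['installer']} "
              f"accessibility={r['accessibility']} overlay={r['overlay']}")
```

Run it with a device attached and it reports live results; without adb it runs over the sample, where the sideloaded optimizer holding both an accessibility service and the overlay permission comes out HIGH. The installer check is only a heuristic: a malicious app that slipped into Google Play would show `installer=com.android.vending`, which is why every third-party package with an enabled accessibility service is still listed for review.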
How to Stay Safe
We have covered Android malware prevention in more detail before (see the related article below). The TL;DR version:
- Only install apps from Google Play. Avoid third-party app stores, especially those that promise paid apps for free.
- Be careful with sideloading. If you sideload an APK, make sure it is legitimate first.
- Do not install pirated apps. Seriously. It's not just shady, it potentially opens the door to all kinds of malicious garbage.
- Do your research. Even if you use Google Play, read the reviews and stay alert; the Play Store, while safer than most third-party stores, is not immune to malware.
RELATED: Malware prevention on Android
Source: We Live Security