A new Android trojan hidden in a battery optimizer can steal money from users' PayPal accounts, ESET has revealed today, even from those protected by two-factor authentication.
Fortunately, the malware, called Optimizer Battery, is currently available only through third-party app stores and not through the official Play Store, which means that very few people have had their phones infected with this threat so far.
Despite this, the app should be considered extremely dangerous. The reason is that it has an automated routine that initiates PayPal money transfers right under the user's nose, without giving the victim a chance to stop the illegitimate transaction.
This is possible because the app requests the Android "Accessibility" permission, a very dangerous feature that allows an app to automate screen taps and OS interactions.
The strange thing is that once the malicious app obtains this permission, it does not use it right away. The app and the built-in trojan remain silent until the user opens the PayPal app on their own, or follows a misleading notification triggered by the trojan.
After the user opens the official PayPal app, the trojan waits some more. This time it waits for the user to log in and enter their two-factor authentication code, and only then does it start its malicious behavior.
Theft of PayPal funds takes place in less than five seconds
ESET, the cyber security company that discovered this trojan after a detection on one of its customers' devices, said the trojan abuses the Accessibility service to mimic screen taps.
These taps open a new PayPal transfer, enter the recipient's PayPal account, the sum
"The whole process takes about 5 seconds, and for an unsuspecting user there is no way to intervene in time," said ESET Malware analyst Lukas Stefanko today.
By default, the trojan will attempt to steal 1
Because of the way the trojan is coded, this automated transaction occurs every time the user opens the PayPal app. The only time it fails is when the user runs out of money or has no funds in their PayPal account.
The YouTube video embedded below shows how fast the entire process takes place and how briefly the PayPal transaction confirmation screens remain visible; to the victim it looks like an app glitch. Although some users may guess what just happened, many less technical users will not understand what all the flashing screens meant, and may not notice for days or weeks that money has been taken from their account.
In addition to the PayPal theft functionality, Stefanko, who broke down this new trojan's features in a report published today, says the trojan can also:
- Show overlays when starting other apps that trick the user to hand over card details (Google Play, WhatsApp, Viber, and Skype)
- Show an overlay when you start the Gmail app collecting login information from Google
- Show login overlays to phish credentials for various mobile banking apps
- Intercept and send SMS messages; delete all text messages; change the default SMS app (to bypass SMS-based two-factor authentication)
- Get the contact list
- Make and forward calls
- Get the list of installed apps
- Install an app and run the installed app
- Start socket communication

Most of these features are made possible because the malicious app is granted access to the Android Accessibility Service.
This permission is how many Android malware strains operate today, and it has been abused for many years. Users should be very careful when granting an app access to this highly dangerous service, especially one they have installed from an unofficial source.
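One practical check a defender can make on a device is to list which packages currently hold accessibility access and cross-reference them with where each package was installed from. The script below is an added example, not code from ESET or from this article; the device output it parses is constructed to mirror the format of `adb shell settings get secure enabled_accessibility_services` and `adb shell pm list packages -i`, and the package names in it are made up.

```python
"""Flag enabled Android accessibility services whose package did not come
from a trusted installer (e.g. was sideloaded from a third-party store).
Added example; the sample device output below is constructed, not captured.
"""
from typing import Dict, FrozenSet, List

PLAY_STORE_INSTALLER = "com.android.vending"

# Constructed sample of `settings get secure enabled_accessibility_services`:
# colon-separated "package/service" entries, here one legitimate screen
# reader and one service from a sideloaded "battery optimizer".
ENABLED_SERVICES_SAMPLE = (
    "com.google.android.marvin.talkback/.TalkBackService:"
    "com.example.batteryopt/.OptimizerAccessibilityService"
)
# Constructed sample of `pm list packages -i`; installer=null means the
# package was not installed through a store app (typical of sideloading).
INSTALLERS_SAMPLE = """package:com.google.android.marvin.talkback  installer=com.android.vending
package:com.example.batteryopt  installer=null
package:com.paypal.android.p2pmobile  installer=com.android.vending
"""


def parse_enabled_services(raw: str) -> List[str]:
    """Return the package names holding an enabled accessibility service."""
    raw = raw.strip()
    if not raw or raw == "null":  # setting is unset on a clean device
        return []
    return [entry.split("/", 1)[0] for entry in raw.split(":") if entry]


def parse_installers(raw: str) -> Dict[str, str]:
    """Map package name -> installer package from `pm list packages -i` output."""
    installers: Dict[str, str] = {}
    for line in raw.splitlines():
        line = line.strip()
        if not line.startswith("package:"):
            continue
        pkg, _, installer = line[len("package:"):].partition("installer=")
        installers[pkg.strip()] = installer.strip() or "null"
    return installers


def suspicious_accessibility_services(
    enabled_raw: str, installers_raw: str,
    trusted: FrozenSet[str] = frozenset({PLAY_STORE_INSTALLER}),
) -> List[str]:
    """Packages with accessibility access that did not come from a trusted installer."""
    installers = parse_installers(installers_raw)
    return [pkg for pkg in parse_enabled_services(enabled_raw)
            if installers.get(pkg, "null") not in trusted]


if __name__ == "__main__":
    for pkg in suspicious_accessibility_services(ENABLED_SERVICES_SAMPLE, INSTALLERS_SAMPLE):
        print(f"review accessibility access for sideloaded package: {pkg}")
```

A package appearing in this list is not proof of malware, but accessibility access held by a sideloaded app is exactly the combination this trojan relies on and is worth revoking until the app is verified.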
Stefanko said ESET notified PayPal about this app and asked the company to block the malware author's PayPal account. PayPal users who believe they may have been affected by this app can request a refund of the transaction through the PayPal Resolution Center.