A new piece of malware for Android devices is programmed to send 1,000 euros to cyberthieves via PayPal in around 5 seconds—all without the user being able to stop it.
Cybersecurity firm ESET discovered this new malware in November, and published details about it on Tuesday. The malware is disguised as a battery optimization app—called Android Optimization—and is distributed by third party app stores (so it’s not in the official Google Play store.) The malware isn’t just a run of the mill banking trojan, it smartly takes advantage of Google’s Accessibility Services, which are designed to help people with disabilities, to trick users into giving criminals some control of the phone.
Got a tip? You can contact this reporter securely on Signal at +1 917 257 1382, OTR chat at firstname.lastname@example.org, or email email@example.com
Once installed, the malware asks the user for permission to “Enable Statistics.” This innocent sounding function actually allows the malware, and its creators, to receive notifications when the user is interacting with certain apps, and inspect the content of the window they’re interacting with. In other words, this allows the cybercriminals to take control of the phone remotely when the user opens certain apps. In this case: PayPal, Google Play, WhatsApp, Skype, Viber, Gmail, and some banking apps.
The malware’s most dangerous function gets activated when users open the PayPal app. At that point, if they fell for the “Enable Statistics” trick, the malware takes over and sends out payments to the criminals. This works even if the user has two-factor authentication enabled, because the malware just waits for the user to be logged in, as the below video made by ESET shows.
“The whole process takes about 5 seconds, and for an unsuspecting user, there is no feasible way to intervene in time,” ESET researcher Lukas Stefanenko wrote in a blog post. “The attackers fail only if the user has insufficient PayPal balance and no payment card connected to the account. The malicious Accessibility service is activated every time the PayPal app is launched, meaning the attack could take place multiple times.”
Stefanenko and ESET researchers also found that the malware can show users overlay phishing pages crafted to look like legitimate banking apps, or other popular apps such as Gmail, WhatsApp, Skype and Viber, asking users for credit card credentials.
As usual, do not trust apps that are not on Google Play unless you really know what you’re doing and where the app comes from, and who their developers are. There’s no telling that that innocuous-looking app that promises to improve your Android’s phone faulty battery won’t steal your money.
Listen to CYBER, Motherboard’s new weekly podcast about hacking and cybersecurity.