A new TROIAN for ADROID who steals money using PayPal

admin/ January 10, 2019/ Blog

A new Trojan virus has been reported that affects users of Android smartphones. It is masked as a device battery optimizer. Once installed, the Malware is stealing money from your phone’s PayPal account, but it also uses phishing windows displayed over legitimate applications such as Google Play, WhatsApp, Skype, Viber, and Gmail which displays forms that will require bank card details.

The Malware, masked as another application, after installation, will display an icon on your phone screen. After the launch, the malicious app closes automatically and erases the icon from the phone without giving any error or any other kind of message. From this moment she becomes active on the phone.

As for the PayPal account, if the user of the phone already has the PayPal application installed, the Malware will display a false notification from PayPal requesting the user to open the PayPal application to read the notification. After the opening of PayPal user application, the malware that is already active on the phone starts his business and pays money to the attacker’s PayPal account. Everything is extremely fast, so the user can not intervene on time, especially if he does not even suspect there is such an attack. Malware manages to trick the PayPal login system because it’s all happening on the phone of the user who has the PayPal application installed, the application is opened by the user and login by the user himself. Moreover, the attack will repeat each time the user opens the PayPal application on the infected phone, so the loss will increase. The attack will fail only if the PayPal user has insufficient balance on his account, or has no bank card associated with the PayPal account.

The video below demonstrates the whole process of stealing.

The other function malware is to use phishing windows displayed over the legitimate applications like Google Play, WhatsApp, Skype, Viber, and Gmail – HTML-stacked windows. In these false windows will appear forms asking for data about the user’s bank card. These overlapping phishing windows are displayed in the main screen without using the BACK or HOME buttons to close them, the only possibility being to fill in the fake form displayed and send it. One of the advantages, if we can call it that, is that the blank form can also be sent, so the phishing window disappears from the phone screen. However, this will only be a timely solution because the malware is still active on the phone and will then re-create these windows.

In addition to the two basic functions described above, and depending on the commands received from the attacker, malware can also perform other actions like:

  • install and launch other applications;
  • to intercept and send SMS messages, to change the default SMS application, to fool two-factor authentication based on SMS;
  • to obtain the user’s contact list;
  • to make calls from the user’s phone.

This malware uses the phone’s accessibility services to prevent attempts to uninstall or install antivirus applications. At this point, the safest way to get rid of this trojan is to completely reset the phone without the option of automatically reinstalling used applications or restoring backups.

For those affected by this or similar Trojan, I recommend that, in addition to the full reset of your phone, you can change all the passwords for applications that have assigned a bank card – PayPal, Internet Banking, Gmail, etc.

To prevent such infections in the future, I recommend:

  • downloading and installing apps only from the official Google Play store or from official phone makers such as Samsung APP, Huawei App, etc .;
  • Mandatory verification of the permissions required by that application;
  • reading reviews for that app because these reviews can contain a lot of information;
  • Upgrade your Android operating system up-to-date;
  • using a mobile security application (PRO versions, not FREE or TRIAL versions).

Of course, must not forget nor the fact that any notification received, in any form, should be analyzed as soon as possible. Attackers particularly rely on the fact that the victim-user does not pay proper attention to the displayed notice, does not fully read the displayed message, or considering not at all such a message.

One of the applications that have been successfully used on Android-powered phones and can protect you in many cases from such attacks is ESET Mobile Security, a downloadable application from the Google Play store. You can buy the license directly from Google Play or if you not have allocated a bank card to your Google Account, please contact us to order directly from us.

Share this Post