Never Download Apps from 3rd Party App Stores: New Paypal Trojan
Since 2008, Google has been warning the public to only source their apps from the official Google Play Store and not from 3rd party unknown app suppliers. Cybersecurity issues with an Android device mostly come from the persistence of users to sideload apps downloaded from dodgy websites. This was what exactly what happened with the discovery of a very nasty Android-based trojan that targets PayPal users. Apps pretending to be an official PayPal login page, enticing the users to enter their genuine Paypal credentials, enabling the trojan’s authors to steal the it for their own purposes.
The trojan also targets other online services, not just Paypal. Upon careful examination of the trojan’s behavior, ESET confirmed that it can also mimic the login pages of the following web services: Viber, Gmail, WhatsApp and Google Play. Hence, maximizing the chance, the user will fall for this phishing attempts made by the authors.
“We’ve also seen overlay screens for legitimate banking apps requesting login credentials to victims’ internet banking accounts. Unlike overlays used by most Android banking Trojans, these are displayed in lock foreground screen – a technique also used by Android ransomware. This prevents the victims from removing the overlay by tapping the back button or the home button. The only way to get past this overlay screen is to fill out the bogus form, but fortunately, even random, invalid inputs make these screens disappear,” explained Lukas Stefanko, ESET’s Malware Researcher.
Google Play Store hosts over 2 million apps, and some apps are similar to one another, like flashlight apps or reminder apps. With that number of available apps and installed base of at least a billion unique Android installs per month, the law of very large numbers comes into play. With the trojan discovered by ESET, it needs the full cooperation of the user for it to even get a hold of the system and steal user login credentials. This is because the app where the trojan resides requires a specific Accessibility permission which is denied by Android by default. It can only be enabled by the user, through the Accessibility settings menu.
“During our analysis, the app attempted to transfer 1000 euros, however, the currency used depends on the user’s location. Because the malware does not rely on stealing PayPal login credentials and instead waits for users to log into the official PayPal app themselves, it also bypasses PayPal’s two-factor authentication (2FA). Users with 2FA enabled simply complete one extra step as part of logging in, – as they normally would – but end up being just as vulnerable to this Trojan’s attack as those not using 2FA,” added Stefanko.
ESET got a hold of the trojan sample from a run-of-a-mill battery app from a 3rd party app store. But this doesn’t mean that the Play Store also do not host a similar trojanized app, as the search giant already had a history of taking down malicious apps from it. At the moment, ESET has not seen any reason to panic, as the sample app was targeting Brazillian Android users and not yet proliferated globally speaking.