A new Android trojan, hidden inside a malicious app named ‘Optimization Battery’, can steal money from users' PayPal accounts. The Optimization Battery app is only available in third-party app stores and not via the official Google Play Store.
This malicious app initiates automated PayPal money transfers once the user enters his/her login credentials and the two-factor authentication code. According to security researchers at ESET, who discovered the new Android malware, during installation, the malicious app requests access to the Android "Accessibility" permission, which allows the app to automate screen taps and OS interactions.
Once the app gets access to admin permissions, it starts its malicious behavior.
Because of the way the trojan is coded, this automated money transfer occurs every time users access their PayPal accounts. The transaction fails only when users run out of money.
"The whole process takes about 5 seconds, and for an unsuspecting user, there is no feasible way to intervene in time," said Lukas Stefanko, ESET malware analyst.
ESET has notified PayPal about the malware’s activities and about the PayPal account used by the attacker(s) to receive stolen funds, Stefanko added.
The Android Accessibility permission has been abused by Android malware strains for years. Therefore, users should exercise great caution before granting it to any app. Users should also avoid installing apps from third-party app stores to remain safe from malware attacks.