Android malware automatically transfers money from PayPal app through simulated clicks

Security researchers from antivirus vendor ESET have discovered Android malware that uses fake clicks to steal money from PayPal users. The malware abuses the “accessibility service” feature in Android.


(Malware requesting the activation of the accessibility service - credits: WeLiveSecurity (ESET))

To become a victim, users first have to install a specific “battery optimizer” app, which is only available from third-party app stores and not from the Google Play store. Once the malware app is installed, it asks the user to enable “statistics”, which in reality is a malicious accessibility service. Such services are designed to help users with disabilities process the information on the screen and interact with the device, for example through text-to-speech, but the same capabilities can also be used to emulate user actions.

When the accessibility service is enabled, the app checks whether the official PayPal app is installed on the device. If found, a notification is shown asking the user to start the PayPal app. When the user opens the PayPal app and logs in, the enabled malicious accessibility service will mimic clicks to send money to the PayPal address of the cybercriminals.
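A defender-side check for the abuse described above, added here as an example (not code from the article or from ESET): it parses the Android secure setting that lists enabled accessibility services and flags any that belong to a package outside an allowlist. The trusted package list and the sample setting value, including the "batteryoptimizer" package, are constructed assumptions.

```python
# Added example: flag enabled accessibility services from untrusted packages.
# Input format is the colon-separated list of flattened ComponentNames that
# `adb shell settings get secure enabled_accessibility_services` prints.
from typing import Iterable

# Assumption: packages an administrator considers legitimate on this fleet.
TRUSTED_PACKAGES = {
    "com.google.android.marvin.talkback",
    "com.android.switchaccess",
}

# Constructed sample: a real screen reader plus a hypothetical "battery
# optimizer" whose "statistics" service is really an accessibility service.
SAMPLE_SETTING = (
    "com.google.android.marvin.talkback/"
    "com.google.android.marvin.talkback.TalkBackService:"
    "com.example.batteryoptimizer/.StatsService"
)


def parse_enabled_services(setting: str) -> list[tuple[str, str]]:
    """Split the setting into (package, fully qualified service class) pairs."""
    entries = []
    for item in setting.split(":"):
        item = item.strip()
        if not item or item == "null":  # empty or unset setting
            continue
        pkg, _, cls = item.partition("/")
        if cls.startswith("."):
            # The shorthand ".Service" form is relative to the package name.
            cls = pkg + cls
        entries.append((pkg, cls))
    return entries


def untrusted_services(setting: str,
                       trusted: Iterable[str] = TRUSTED_PACKAGES) -> list[str]:
    """Return flattened names of enabled services whose package is not trusted."""
    trusted = set(trusted)
    return [f"{pkg}/{cls}"
            for pkg, cls in parse_enabled_services(setting)
            if pkg not in trusted]


if __name__ == "__main__":
    for svc in untrusted_services(SAMPLE_SETTING):
        print("untrusted accessibility service enabled:", svc)
```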


When researchers from ESET analyzed the malware, it tried to transfer €1,000 each time the PayPal app started. The entire process takes about five seconds and, according to ESET, there is no way for users to stop the app from sending the money in time. It will also be hard to get a refund from PayPal, because the malware doesn't depend on stolen PayPal login data. It's the user who performs the login, including PayPal's two-factor authentication, and only after that does the malware simulate the clicks to transfer the money.

The attack only fails when the user doesn't have sufficient funds and/or doesn't have a payment card connected to the account. Besides trying to steal money, the malware also tries to phish for payment data in Google Play, WhatsApp, Skype and Viber. For this type of attack, the malware uses overlay screens that are displayed on top of the targeted, legitimate apps.

The same overlays are also used to try to steal Gmail login data from the victim. ESET thinks the criminals use this data to log in to Gmail accounts so they can delete the notification emails PayPal sends after a transaction. This way they can go on much longer without being noticed.


ESET has notified PayPal about the attack and also provided them with the name of the account to which the criminals try to transfer the money.
