Android Trojan Steals Money From PayPal Accounts Even With 2FA On (welivesecurity.com) 56
ESET researchers have discovered a new Android Trojan using a novel Accessibility-abusing technique that targets the official PayPal app, and is capable of bypassing PayPal's two-factor authentication. A report elaborates: At the time of writing, the malware is masquerading as a battery optimization tool, and is distributed via third-party app stores. After being launched, the malicious app terminates without offering any functionality and hides its icon. This video, courtesy of ESET, demonstrates the process in practice.
Because PayPal's 2FA is shit (Score:3)
PayPal still sends you codes by SMS, so of course any software on your phone that can intercept SMS messages can read them. They don't seem to support U2F at all.
Re: (Score:1)
No excuses. (Score:1)
This symptom happens a lot in Android with apps designed for previous versions. Google changes something in the core activity/intent lifecycle and apps break for apparently no reason.
If one is going to develop for Android then they have to take that into consideration because it's on YOU in the end.
I WAS a Developer on the OS/2 for Windows team in the early 90s and I KNOW what it's like to have shit break on you ...because. But it was on us - regardless of what IBM Marketing said.
Also, if the Android team is making such changes like that where app developers can't keep up for whatever reason, I'd put much of the blame on the Android team.
Never the less, the pointing fingers bullshit doe
Re:Because PayPal's 2FA is shit (Score:5, Insightful)
Re: (Score:1)
If you do both auth requests on the same device you do not really have 2FA - esp. as this is a phone. If you have two virtual machines on a PC or laptop then this may, but does not have to, be 2FA. Bottom line is - the 2-factor means separation big enough. One smartphone cannot provide it. As always there is a certain level of comfort that you cannot exceed if it is dealing with your money. After all, paper money, when it was introduced, was also a PITA but provided some security by removing a need to carry s
Re: (Score:2)
Re: (Score:2)
The ironic thing is that SIM cards support apps that can run solely on the SIM card and not leave it. AT&T had something called Softcard. This used an app on the SIM card to authenticate transactions. It didn't matter what the phone did as all the authentication happened on the individual SIM card.
Google bought this technology, and is sitting on it. Wish they would use it.
Re: (Score:2)
Re: (Score:2)
People need to understand that SMS is NOT 2FA...
My company doesn't understand this either. We use Microsoft Authenticator for 2FA codes. Problem is, software used on the phone (e.g. SAP Concur) then requests 2FA authorisation from the same phone. It's the biggest waste of time in the world given that it already knows I'm on an approved phone and helpfully bypasses the first factor.
Re: (Score:2)
They used to sell hardware-based 2FA keys from VeriSign, but they dropped support once the PayPal app came out.
It's the #1 reason why I don't use the app. To use it you have to disable your old hardware key, which still works for me.
No one. (Score:1)
Canceled years ago because they made yet another change to their terms and conditions and all the embedded documents in the EULA after a few days or whatever.
I actually read them - once.
In a nutshell it states, 'we're gonna fuck the seller and then the buyer but we, PayPal will never take a hit. Fuck you ; pay me! Got a problem with that? Come to California, use our arbitration firm and Fuck you!'
Re: (Score:2)
You don't have to use arbitration if PayPal breaks the law. And that includes negligence. It'll be the civil court system and it's probably not worth attempting as an individual unless you lost hundreds of thousands of dollars.
For small amounts it might be fun to take PayPal to small claims court in any state they do business. Depending on your state, it's no skin off your back if the case doesn't work out. And PayPal would have to bring in a lawyer to represent them, costing them probably more than they owe
The real purpose of 2FA (Score:3, Insightful)
2FA has always been just an excuse for them to get people to surrender their phone numbers and other private information.
Phone numbers are less likely to change and can more or less uniquely identify a person. Sell phone number information to 3rd parties and those 3rd parties can easily identify other services that you use and create profiles on you.
Re: (Score:1)
Re: (Score:2)
When Musk makes his colony on Mars you will have to use PayPal to pay for your Mars Tesla and to use the Hyperloop.
Is he still involved in PayPal? I thought he was no longer involved in that business.
Re: PayPal = best avoided, period. (Score:1)
There are things to say about Apples closed gate. (Score:4, Insightful)
Now it really sucks that I cannot use my iDevice to play game ROMs, emulate PCs, or have my own programming language so I can use my phone as a personal computer with a tiny screen.
However, the apps for the device that I download, for the most part, usually work well and are not malware.
Re:There are things to say about Apples closed gat (Score:4, Insightful)
The same is true for Android. The apps I download for my Android device, for the most part usually work well and are not malware. I think we're just seeing the effect of Android's 88% market share [statista.com] vs iOS's 12%. Even if there's the same amount of malware for each OS, it has 7x the impact on Android so there are 7x as many news stories about it. And malware authors get 7x the return on investment attacking Android than they do iOS, so even if all other things are equal they're more likely to target it.
Obscurity is not security.
Re: (Score:2)
Now it really sucks that I cannot use my iDevice to play game ROMs, emulate PCs, or have my own programming language so I can use my phone as a personal computer with a tiny screen. However, the apps for the device that I download, for the most part, usually work well and are not malware.
Then don't start the Settings app, select System, select About phone, scroll down, tap the build number 5x, go back, select Developer Options, toggle it on, scroll down and check "Allow from unknown source", read the scary warning dialog that warns you about malware, and select "okay" in spite of that.
Re: (Score:2)
And your point? Is it "If you try really hard, you can make your own iPhone stop working well"?
That refers to an Android phone. If you do all that and get malware on your Android phone, you deserve it.
Re: (Score:2)
That refers to an Android phone. If you do all that and get malware on your Android phone, you deserve it.
HALT! These steps are the gateway to alternative app stores when you want to avoid the malware that is GOOGLE's constant tracking. I use F-Droid and had to follow the steps -- which cannot really be reversed because of the problem later in this paragraph. Others use the Amazon store and must do so too. Just cloning a trusty local APK that you are hoarding and KNOW is fine (or using an app store to do the downloading for you -- same problem) fails the installation process and IIRC Google's OS itself lead
Re: (Score:2)
Re: (Score:2)
Sounds a lot like " She was asking for it by wearing that short skirt."
Sounds like your mind is wandering to other topics.
Re: (Score:1)
Now it really sucks that I cannot use my iDevice to play game ROMs, emulate PCs, or have my own programming language so I can use my phone as a personal computer with a tiny screen.
However, the apps for the device that I download, for the most part, usually work well and are not malware.
I'm not sure how much fun you would have getting an iPhone or iPad (or Android equivalent) to emulate a PC (or play game ROMs without a decent control set); but as far as developing your own language, you are absolutely free to fire up Xcode and start writing that language. You just can't publish it in the iOS App Store.
A limitation I will gladly trade for NOT having to worry about articles like this one two or three times per week, most every week...
Which is kinda what you ended up saying, right?
Re: (Score:2)
However, the apps for the device that I download, for the most part, usually work well and are not malware.
And you can get all those same protections by not willfully and manually enabling secondary sources as required for 3rd party app stores.
You can be safe if you're not a complete idiot, but we should never develop devices exclusively for the protection of complete idiots in the way Apple does.
not a problem (Score:1)
Still better than iPhone which steals all your money at purchase
Re: (Score:1)
Still better than iPhone which steals all your money at purchase
Fuck off, COWARD!
Not in the Google Play store (Score:3)
These exploits almost always require extra steps to get the offending app installed.
"At the time of writing, the malware is masquerading as a battery optimization tool, and is distributed via third-party app stores."
99.999999% of Users NOT at Risk? (Score:4, Informative)
First Problem: "At the time of writing, the malware is [...] distributed via third-party app stores." I searched Google Play and confirmed it's not listed. Your average user doesn't even know third-party app stores exist.
Second Problem: "[The malware sends a request that] is presented to the user as being from the innocuous-sounding 'Enable statistics' service." The screen states that the service will "Observe your actions: Receive notifications when you're interacting with an app" and "Retrieve window content: Inspect the content of a window you're interacting with." Do the authors know the definition of the word innocuous? Because those permissions do not seem to fit the standard definition. At a minimum, it reads like spyware.
Third Problem: The "PayPal" alert that appears is identified in the notification as "Optimization Android," not "PayPal." If you're wandering around third-party Android app stores, you should be knowledgeable enough to recognize this. I don't wander around third-party Android app stores, but if I receive a notification I'm not expecting, I *always* check the source at the top of the notification.
So, if I manage to download a "battery optimization" app from somewhere other than the Google Play store and then enable what reads like spyware and have PayPal installed and decide that it's completely okay/normal for PayPal to coincidentally alert me to confirm my account right after agreeing to spyware privileges, I'm at risk.
Also, it seems like this is not just a PayPal issue, but a "user giving too many privileges to an app" issue since TFA shows the malware's phishing screen overlays for Gmail, Google Play, WhatsApp, Viber, and Skype. And, given how the malware works, it seems that it could be applied to any installed app, so are they targeting PayPal simply because of the number of installs and not because of any inherent flaws in PayPal's app?
Re: (Score:3)
I'd think that SMS as the only 2FA option is a problem with PayPal.
There have been multiple reports of SMS hijacking (usually with social engineering at a phone company) leading to theft.
Sure, "Retrieve Window Content" likely invalidates most other 2FA on the same phone, but I suspect that FIDO U2F would be immune from this type of attack. Or a Google Authenticator keyboard similar to what Password Safe does.
SMS is almost certainly not secure, and as we see here, it really doesn't even protect from an aut
Re: (Score:3, Interesting)
I suspect that FIDO U2F would be immune from this type of attack. Or a Google Authenticator keyboard similar to what Password Safe does.
I don't see how any type of authentication would be immune from this attack. This malware does zero authentication; it's all done by the user. The malware *prompts* the user to login and, after the user completes all authentication, the malware then "steps in and mimics the user’s clicks to send money to the attacker’s PayPal address."
This is the equivalent of someone posing as a computer repairman for a 95-year-old and asking them to login to their bank account so the repairman can give it a "s
Re: (Score:2)
I thought FIDO was un-MITM-able (not quite sure how, but that's their premise).
You need the system itself to have a direct channel to the key (and that to actually be secure), and then the key sends a response.
So basically PayPal sends challenge that goes directly to the key, key sends response directly to PayPal. Malicious app (or website) cannot get in the center of this, because, I don't know, reasons I guess.
I suspect that there is a public key for the destination that is published somehow and therefore
Re: (Score:2)
The summary is stupid. It has nothing to do with 2FA. Basically, the app uses Android's accessibility features that allow one app to "drive" another app as if it were the user touching the screen. The malware uses that ability, after duping the user to open the PayPal app and authenticate (*however that needs to be done*), to drive the already-logged-in PayPal app in such a way as to transfer money to the malware author.
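Since the whole attack hinges on the user enabling an accessibility service for the fake app, one defender-side check is to audit which accessibility services a device actually has enabled. The script below is an added example, not code from the thread or from ESET's report; it reads the real `enabled_accessibility_services` secure setting over adb (the `read_from_device` helper needs a connected device), while the allowlist and the `com.example.batteryoptimizer` sample value are constructed for illustration.

```python
"""Audit enabled Android accessibility services and flag ones not on an allowlist.

Added example (not from the Slashdot thread or the ESET report). The
Settings.Secure key 'enabled_accessibility_services' is a real Android setting;
the allowlist and the SAMPLE value below are constructed for an offline run."""
import subprocess

# Hypothetical allowlist of first-party accessibility services an admin expects.
ALLOWED_PACKAGES = {
    "com.google.android.marvin.talkback",
    "com.android.switchaccess",
}


def parse_enabled_services(raw):
    """Parse the colon-separated 'package/ServiceClass' list Android stores.

    An empty value or the string 'null' means no service is enabled. A class
    name starting with '.' is relative to its package, as in a manifest."""
    raw = raw.strip()
    if not raw or raw == "null":
        return []
    services = []
    for entry in raw.split(":"):
        if "/" not in entry:
            continue
        pkg, cls = entry.split("/", 1)
        if cls.startswith("."):
            cls = pkg + cls
        services.append((pkg, cls))
    return services


def suspicious_services(raw, allowed=ALLOWED_PACKAGES):
    """Return (package, class) pairs whose package is not on the allowlist."""
    return [(p, c) for p, c in parse_enabled_services(raw) if p not in allowed]


def read_from_device(serial=None):
    """Read the live setting via adb; requires a connected, authorised device."""
    cmd = ["adb"] + (["-s", serial] if serial else []) + [
        "shell", "settings", "get", "secure", "enabled_accessibility_services"]
    return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout


# Constructed sample: TalkBack plus a "battery optimizer" that has no business here.
SAMPLE = ("com.google.android.marvin.talkback/.TalkBackService:"
          "com.example.batteryoptimizer/com.example.batteryoptimizer.StatsService")

if __name__ == "__main__":
    for pkg, cls in suspicious_services(SAMPLE):
        print(f"unexpected accessibility service: {pkg} ({cls})")
```

On a real device, replace `SAMPLE` with `read_from_device()`; anything flagged that the user did not knowingly install is worth removing before it gets a chance to drive a banking or payment app.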
Re: (Score:2)
So this would be blocked if PayPal allowed non-SMS 2FA to send money? (Similar to any bitcoin or brokerage account I've used)
A nuisance I would likely leave off, since PayPal is about being convenient and I'm pretty sure they'd roll it back (and if not them, my credit card company would), but they really should have the option to secure it if one wants to.
If they allowed 2FA (not SMS) for all unreliable vendors and person to person transfer that'd probably be a nice compromise.
Having SMS only for 2FA is a b
Re: (Score:2)
I'd think that SMS as the only 2FA option is a problem with PayPal.
No. Any other 2FA method that uses your mobile phone would be at risk of an app like this.
Using SMS as the only 2FA option is an "imperfection" with PayPal but it most definitely is not a "problem". A problem would be offering no 2FA at all.
It's a trojan, not an 'Android trojan' (Score:1)
This habit Slashdot has of blaming the OS for the actions of 1. the user and 2. the software authors who steal your details is stupid and biased.
This is a trojan, not an 'Android trojan'. It's not part of Android, it's not related specifically to Android, nor does anyone distributing Android provide it packaged with Android. The same trojan running on iOS or Windows Mobile or BlackBerry or hell PalmOS would do the same thing. If it's running on the device receiving the second factor then it's bypassing 2FA
Not 2FA (Score:1)
Not this shit again. SMS is not 2FA. And even if it were, in this case it is run on the same device as the app that needs to be authenticated.
Doesn't bypass PayPal’s two-factor authentic (Score:2)
Public/Private Key (Score:2)
This stupidity won't stop until businesses give up this "SMS as 2FA" nonsense and use GPG-style public key cryptography for authentication.
Re: Public/Private Key (Score:1)