Slashdot is powered by your submissions, so send in your scoop

 



Forgot your password?
typodupeerror
×
Android Security Privacy

Android Trojan Steals Money From PayPal Accounts Even With 2FA On (welivesecurity.com) 56

ESET researchers have discovered a new Android Trojan using a novel Accessibility-abusing technique that targets the official PayPal app, and is capable of bypassing PayPal's two-factor authentication. A report elaborates: At the time of writing, the malware is masquerading as a battery optimization tool, and is distributed via third-party app stores. After being launched, the malicious app terminates without offering any functionality and hides its icon. This video, courtesy of ESET, demonstrates the process in practice.
This discussion has been archived. No new comments can be posted.

Android Trojan Steals Money From PayPal Accounts Even With 2FA On

Comments Filter:
  • by AmiMoJo ( 196126 ) on Tuesday December 11, 2018 @12:25PM (#57786808) Homepage Journal

    PayPal still sends you codes by SMS, so of course any software on your phone that can intercept SMS messages can read them. They don't seem to support U2F at all.

    • This symptom happens a lot in android with apps designed for previous versions. Google changes something in the core activity/intent lifecycle and apps break for apparently no reason.
      • by Anonymous Coward

        This symptom happens a lot in android with apps designed for previous versions. Google changes something in the core activity/intent lifecycle and apps break for apparently no reason.

        If one is going to develop for Android then they have to take that into consideration because it's on YOU in the end.

        I WAS a Developer on the OS/2 for Windows team in the early 90s and I KNOW what it's like to have shit break on you ...because. But it was on us - regardless of what IBM Marketing said.

        Also, if the Android team is making such changes like that where app developers can't keep up for whatever reason, I'd put much of the blame on the Android team.

        Never the less, the pointing fingers bullshit doe

    • by JaredOfEuropa ( 526365 ) on Tuesday December 11, 2018 @12:41PM (#57786950) Journal
      Even some banks do this. People need to understand that SMS is NOT 2FA... especially when the device handling the payment is the same one that is receiving the auth code.
      • by Anonymous Coward

        If you do both auth requests on the same device you do not really have 2fa - esp. es this is a phone. If you have two virtual machines on a pc or laptop then this may but does not have to be 2fa. Bottom line is - the 2factor means separation big enough. One smartphone cannot provide it. As always there is certain level of comfort that you cannot exceed if it is dealing with your money. After all the paper money when they were introduced were also PITA but provided some security by removing a need to carry s

        • SMS in itself is not an auth factor in the sense of "something you have". Your phone may be "something you have" if there is a way it can positively identify itself in a way that cannot be duplicated. For example by using the Google Authenticator app. The problem with SMS is that it is your SIM card that becomes "someting you have"... and SIM cards can be cloned relatively easily. Not easy enough to do it en masse, but it's worth the effort once you've identified a high value target. They've used this
          • The ironic thing is that SIM cards support apps that can run solely on the SIM card and not leave it. AT&T had something called Softcard. This used an app on the SIM card to authenticate transactions. It didn't matter what the phone did as all the authentication happened on the individual SIM card.

            Google bought this technology, and is sitting on it. Wish they would use it.

          • Comment removed based on user account deletion
      • People need to understand that SMS is NOT 2FA...

        My company doesn't understand this either. We use Microsoft authenticator for 2FA codes. Problem is, software used on the phone (e.g. SAP Concur) then request for 2FA authorisation from the same phone. It's the biggest waste of time in the world given that it already knows I'm on an approved phone and helpfully bypasses the first factor.

    • they used to sell hardware based 2FA keys from verisign, but they dropped support once the Paypal app came out.

      It's the #1 reason why I don't use the app. To use it you have to disable your old hardware key, which still works for me.

  • by Anonymous Coward on Tuesday December 11, 2018 @12:49PM (#57787004)

    2FA has always been just an excuse for them to get people to surrender their phone numbers and other private information.

    Phone numbers are less likely to change and can more or less uniquely identify a person. Sell phone number information to 3rd parties and those 3rd parties can easily identify other services that you use and create profiles on you.

  • by jellomizer ( 103300 ) on Tuesday December 11, 2018 @12:58PM (#57787060)

    Now it really sucks that I cannot use my iDevice to play game ROMs emulate PC's or have my own programming language so I can use my phone as a personal computer with a tiny screen.
    However the apps for the device, I download for the most part usually work well, and are not malware.

    • by Solandri ( 704621 ) on Tuesday December 11, 2018 @01:17PM (#57787164)

      However the apps for the device, I download for the most part usually work well, and are not malware.

      The same is true for Android. The apps I download for my Android device, for the most part usually work well and are not malware. I think we're just seeing the effect of Android's 88% market share [statista.com] vs iOS's 12%. Even if there's the same amount of malware for each OS, it has 7x the impact on Android so there are 7x as many news stories about it. And malware authors get 7x the return on investment attacking Android than they do iOS, so even if all other things are equal they're more likely to target it.

      Obscurity is not security.

    • Now it really sucks that I cannot use my iDevice to play game ROMs emulate PC's or have my own programming language so I can use my phone as a personal computer with a tiny screen. However the apps for the device, I download for the most part usually work well, and are not malware.

      Then don't start Settings apps, select System, select About phone, scroll down, tap the build number 5x, go back, select Developer Options, toggle it on, scroll down and check "Allow from unknown source", read the scary warning dialog that warns you about malware, and select "okay" in spite of that.

    • Now it really sucks that I cannot use my iDevice to play game ROMs emulate PC's or have my own programming language so I can use my phone as a personal computer with a tiny screen.
      However the apps for the device, I download for the most part usually work well, and are not malware.

      I'm not sure how much fun you would have getting an iPhone or iPad (or Android equivalent) to emulate a PC (or play game ROMs without a decent control-set); but as far as developing your own language, you are absolutely free to fire up XCode and start writing that language. You just can't publish it in the iOS App Store.

      A limitation I will gladly trade for NOT having to worry about articles like this one two or three times per week, most every week...

      Which is kinda what you ended up saying, right?

    • However the apps for the device, I download for the most part usually work well, and are not malware.

      And you can get all those same protections by not willfully and manually enabling secondary sources as required for 3rd party app stores.

      You can be safe if you're not a complete idiot, but we should never develop devices exclusively for the protection of complete idiots in the way Apple does.

  • by Anonymous Coward

    Still better than iPhone which steals all your money at purchase

  • by Monoman ( 8745 ) on Tuesday December 11, 2018 @01:24PM (#57787224) Homepage

    These exploits almost always require extra steps to get the offending app installed.

    "At the time of writing, the malware is masquerading as a battery optimization tool, and is distributed via third-party app stores."

  • by TheCowSaysMoo ( 4915561 ) on Tuesday December 11, 2018 @01:41PM (#57787352)

    First Problem: "At the time of writing, the malware is [...] distributed via third-party app stores." I searched Google Play and confirmed it's not listed. Your average user doesn't even know third-party app stores exist.

    Second Problem: "[The malware sends a request that] is presented to the user as being from the innocuous-sounding 'Enable statistics' service." The screen states that the service will "Observe your actions: Receive notifications when you're interacting with an app" and "Retrieve window content: Inspect the content of a window you're interacting with." Do the authors know the definition of the word innocuous? Because those permissions do not seem to fit the standard definition. At a minimum, it reads like spyware.

    Third Problem: The "PayPal" alert that appears is identified in the notification as "Optimization Android," not "PayPal." If you're wandering around third-party Android app stores, you should be knowledgeable enough to recognize this. I don't wander around third-party Android app stores, but if I receive a notification I'm not expecting, I *always* check the source at the top of the notification.

    So, if I manage to download a "battery optimization" app from somewhere other than the Google Play store and then enable what reads like spyware and have PayPal installed and decide that it's completely okay/normal for PayPal to coincidentally alert me to confirm my account right after agreeing to spyware privileges, I'm at risk.

    Also, it seems like this is not just a PayPal issue, but a "user giving too many privileges to an app" issue since TFA shows the malware's phishing screen overlays for Gmail, Google Play, WhatsApp, Viber, and Skype. And, given how the malware works, it seems that it could be applied to any installed app, so are they targeting PayPayl simply because of the number of installs and not because of any inherent flaws in PayPal's app?

    • by AvitarX ( 172628 )

      I'd think that SMS as the only 2FA option is a problem with paypal.

      There's been multiple reports of SMS hijacking (usually with social engineering at a phone company) leading to theft.

      Sure, "Retrieve Window Content" likely invalidates most other 2FA on the same phone, but I suspect that that FIDO U2F would be immune from this type of attack. Or a Google Authenticator keyboard similar to what password safe does.

      SMS is almost certainly not secure, and as we see here, it really doesn't even protect from an aut

      • Re: (Score:3, Interesting)

        I suspect that that FIDO U2F would be immune from this type of attack. Or a Google Authenticator keyboard similar to what password safe does.

        I don't see how any type of authentication would be immune from this attack. This malware does zero authentication; it's all done by the user. The malware *prompts* the user to login and, after the user completes all authentication, the malware then "steps in and mimics the user’s clicks to send money to the attacker’s PayPal address."

        This is the equivalent of someone posing as a computer repairman for a 95-year-old and asking them to login to their bank account so the repairman can give it a "s

        • by AvitarX ( 172628 )

          I thought FIDO was un MITMable (not quite sure how, but that's their premise).

          You need the system itself to have a direct channel to the key (and that to actually be secure), and then the key sends a response.

          So basically PayPal sends challenge that goes directly to the key, key sends response directly to PayPal. Malicious app (or website) cannot get in the center of this, because, I don't know, reasons I guess.

          I suspect that there is a public key for the destination that is published somehow and therefore

          • by rthille ( 8526 )

            The summary is stupid. It has nothing to do with 2FA. Basically, the app use's Android's accessibility features that allow one app to "drive" another app as if it were the user touching the screen. The malware uses that ability, after duping the user to open the Paypal app and authenticate (*however that needs to be done*), to drive the already-logged-in Paypal app in such a way as to transfer money to the malware author.

            • by AvitarX ( 172628 )

              So this would be blocked if PayPal allowed non SMS 2FA to send money? (Similar to any bitcoin or brokerage account I've used)

              A nuisance I would likely leave off, since PayPal is about being convenient and I'm pretty sure they'd roll it back (and if not them, my credit card company would), but they really should have the option to secure it if one wants to.

              If they allowed 2FA (not SMS) for all unreliable vendors and person to person transfer that'd probably be a nice compromise.

              Having SMS only for 2FA is a b

      • I'd think that SMS as the only 2FA option is a problem with paypal.

        No. Any other 2FA method that uses your mobile phone would be at risk of an app like this.

        Using SMS as the only 2FA option is an "imperfection" with Paypal but it most definitely is not a "problem". A problem would be offering no 2FA at all.

  • by Anonymous Coward

    This habit slashdot has of blaming the OS for the actions of 1. the user and 2. the software authors who steal your details is stupid and biased.

    This is a trojan, not an 'android trojan'. It's not part of android, it's not related specifically to android, nor does anyone distributing android provide it packaged with android. The same trojan running on ios or windows mobile or blackberry or hell palmos would do the same thing. If it's running on the device receiving the second factor then it's bypassing 2FA

  • by Anonymous Coward

    Not this shit again. SMS is not 2FA. And even if it were, in this case it is run on the same device as app that needs to be authenticated.

  • The title is erroneous, in order to work, that mimics user generated mouse-events, the end-user has to first install the app, then enable the app when launching paypal.
  • This stupidity won't stop until businesses give up this "SMS as 2FA" nonsense and use GPG-style public key cryptography for authentication.

Trap full -- please empty.

Working...