Android Trojan steals money from PayPal accounts even with 2FA on


There is a new Trojan preying on Android users, and it has some nasty tricks up its sleeve. First detected by ESET in November 2018, the malware combines the capabilities of a remotely controlled banking Trojan with a novel misuse of Android Accessibility services, to target users of the official PayPal app. At the time of writing, the malware is masquerading as a battery optimization tool, and is distributed via third-party app stores.

After being launched, the malicious app terminates without offering any functionality and hides its icon. From then on, its functionality can be broken down into two main parts, as described in the following sections. The malware’s first function, stealing money from its victims’ PayPal accounts, requires the activation of a malicious Accessibility service. This request is presented to the user as being from the innocuous-sounding “Enable statistics” service.

If the official PayPal app is installed on the compromised device, the malware displays a notification alert prompting the user to launch it. Once the user opens the PayPal app and logs in, the malicious accessibility service (if previously enabled by the user) steps in and mimics the user’s clicks to send money to the attacker’s PayPal address.

During our analysis, the app attempted to transfer 1000 euros, however, the currency used depends on the user’s location. The whole process takes about 5 seconds, and for an unsuspecting user, there is no feasible way to intervene in time. Because the malware does not rely on stealing PayPal login credentials and instead waits for users to log into the official PayPal app themselves, it also bypasses PayPal’s two-factor authentication (2FA). Users with 2FA enabled simply complete one extra step as part of logging in, – as they normally would – but end up being just as vulnerable to this Trojan’s attack as those not using 2FA.

The attackers fail only if the user has insufficient PayPal balance and no payment card connected to the account. The malicious Accessibility service is activated every time the PayPal app is launched, meaning the attack could take place multiple times. We have notified PayPal of the malicious technique used by this Trojan and the PayPal account used by the attacker to receive stolen funds.

Those who have installed these malicious apps will have likely already fallen victim to one of their malicious functions.

If you have installed the PayPal-targeting Trojan, we advise you to check your bank account for suspicious transactions and consider changing your internet banking password/PIN code, as well as Gmail password. In case of unauthorized PayPal transactions, you can report a problem in PayPal’s Resolution Center.

For devices that are unusable due to a lock screen overlay displayed by this Trojan, we recommend using Android’s Safe Mode, and proceed with uninstalling an app named “Optimization Android” under Settings > (General) > Application manager/Apps.

Uninstalling in Safe Mode is also recommended for Brazilian users who installed one of the Trojans from Google Play.

  • To stay safe from Android malware in the future, we advise you to:
  • Stick to the official Google Play store when downloading apps
  • Make sure to check the number of downloads, app ratings and the content of reviews before downloading apps from Google Play
  • Pay attention to what permissions you grant to the apps you install
  • Keep your Android device updated and use a reliable mobile security solution; ESET products detect these threats as Android/Spy.Banker.AJZ and Android/Spy.Banker.AKB



scroll gif