ESET researchers have discovered malware lurking in Android app stores that aims to hijack your PayPal account and steal more than $1,000.
We're looking at a Trojan: a malicious program that passes itself off as a useful download. This particular piece of malware is disguised as an app called "Optimization Android," which claims to make your battery more efficient. It's only available in third-party app stores, not the official Google Play store.
Once installed and opened, this app launches an innocent-looking window prompting users to "enable statistics." When a user agrees to this, however, he or she is actually enabling the malware's accessibility service, which allows it to simulate taps on the user's behalf.
The app then prompts the user to launch PayPal and, once PayPal is launched, it tries to send money to the attacker's account. Because the victim has launched PayPal and manually logged in, the attacker doesn't need to steal or fake the victim's PayPal credentials and is able to bypass two-factor authentication.
ESET researcher Lukas Stefanko, writing in the antivirus maker's WeLiveSecurity blog, found the app attempting to transfer 1,000 euros (about $1,150 in U.S. dollars) out of Stefanko's dummy PayPal account, but Stefanko noted that the amount of money the malware tries to steal depends on the user's geographic location.
In addition, the Trojan can display fake phishing screens over commonly used apps such as Skype, Viber and WhatsApp, prompting users to enter their credit-card numbers. Stefanko also found such screens over banking apps soliciting banking credentials, and over the Gmail app asking for Gmail credentials. (As Stefanko astutely notes, these could help the attackers delete emails alerting users to fraudulent PayPal transfers).
If you've installed Optimization Android, delete it, then change any passwords that you may have exposed and check your bank and PayPal accounts for suspicious transactions. In the future, well, try not to download fishy apps from third-party app stores.
If your device is running Android 7 Nougat or earlier, you can make sure you don't install apps from sources other than the Google Play store by going into your Android device's security settings and making sure "Unknown sources" is disabled as a source of software. (It's disabled by default.)
In Android 8 Oreo and Android 9 Pie, go to Settings --> Apps --> Special Access --> Install unknown apps and see which installed apps have permission to install other apps. Make sure they're all listed as "Not allowed."
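The two settings the Trojan relies on, an enabled accessibility service and an app allowed to install other apps, can also be audited over adb rather than by tapping through menus. The script below is an added example, not from ESET or the article; the allowlist and the sample setting values (including the package name "com.fake.optimization", which the article does not give) are constructed for illustration.

```shell
#!/bin/sh
# Audit Android accessibility services and "Install unknown apps" grants.
# On a real device the raw values come from:
#   adb shell settings get secure enabled_accessibility_services
#   adb shell appops get <package> REQUEST_INSTALL_PACKAGES
# The first is colon-separated "package/ServiceClass" entries (or "null" if none).

# Assumption: the accessibility services you actually trust on this device.
ALLOWED_ACCESSIBILITY_PKGS="com.google.android.marvin.talkback"

# Constructed sample value: TalkBack plus a placeholder package standing in for the Trojan.
SAMPLE_SERVICES='com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:com.fake.optimization/.AccService'

# Print one package name per line from the raw setting value ($1).
# Entries without a "/" (e.g. the literal "null") produce no output.
accessibility_packages() {
    printf '%s\n' "$1" | tr ':' '\n' | sed -n 's#^\([^/]*\)/.*#\1#p'
}

# Print packages with an enabled accessibility service that are not on the allowlist.
unexpected_accessibility_packages() {
    accessibility_packages "$1" | while read -r pkg; do
        case " $ALLOWED_ACCESSIBILITY_PKGS " in
            *" $pkg "*) ;;                 # trusted, skip
            *) printf '%s\n' "$pkg" ;;     # report
        esac
    done
}

# Return 0 if `appops get <pkg> REQUEST_INSTALL_PACKAGES` output ($1) shows the app
# may install other apps (the Android 8+ "Install unknown apps" permission).
install_unknown_allowed() {
    printf '%s\n' "$1" | grep -q 'REQUEST_INSTALL_PACKAGES: allow'
}

# Live check (requires adb and a connected device); not exercised offline.
audit_device() {
    raw=$(adb shell settings get secure enabled_accessibility_services | tr -d '\r')
    echo "Unexpected accessibility services:"
    unexpected_accessibility_packages "$raw"
    echo "Third-party apps allowed to install other apps:"
    for pkg in $(adb shell pm list packages -3 | tr -d '\r' | sed 's/^package://'); do
        install_unknown_allowed "$(adb shell appops get "$pkg" REQUEST_INSTALL_PACKAGES)" \
            && echo "$pkg"
    done
}
```

Any package reported by the first check that is not a screen reader or similar tool you installed deliberately deserves the same treatment the article gives "Optimization Android".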