Android Trojan Targets PayPal Users

The trojan purports to be a battery optimization app – and then steals up to 1,000 euros from victims’ PayPal accounts.

Want to download an Android battery utility app from a third-party Android app store? What could possibly go wrong?

Last month, researchers downloaded a power management app called “Optimization Android” from an undisclosed third-party app store. They found that instead of optimizing the phone’s battery, it changed the phone’s Accessibility settings, enabled the Android overlay accessibility feature and tried to rob them.

Overlays on Android phones were designed for people with disabilities. They allow one app to “see” the content of another app and interact with it. In the hands of criminals, they have long been a popular tool for tricking victims into divulging private financial data.

When first launched, the rogue “Optimization Android” app changed the victim’s Accessibility settings to enable overlays and then closed. The app didn’t even try to optimize the phone’s battery.

Next, the app targeted phones that had the PayPal app installed.

“The malware’s first function, stealing money from its victims’ PayPal accounts, requires the activation of a malicious Accessibility service,” ESET researcher Lukas Stefanko said in a Tuesday post. “This request is presented to the user as being from the innocuous-sounding ‘Enable statistics’ service.”

The malware then sends the user a notification telling them to launch the official PayPal app (if it is installed on the compromised device), under the guise that they need to “confirm your account immediately.”

Once the user opens the PayPal app, the malicious accessibility service mimics the user’s clicks using its newfound Accessibility services capabilities to send money to the attacker’s PayPal address.

When Stefanko was analyzing the malware, he said the app attempted to transfer 1,000 euros.

The whole process takes about five seconds, and for an unsuspecting user, there is no feasible way to intervene in time, Stefanko said.

“Because the malware does not rely on stealing PayPal login credentials and instead waits for users to log into the official PayPal app themselves, it also bypasses PayPal’s two-factor authentication (2FA),” said Stefanko. “Users with 2FA enabled simply complete one extra step as part of logging in – as they normally would – but end up being just as vulnerable to this Trojan’s attack as those not using 2FA.”

According to researchers, the malicious Accessibility service is activated every time the PayPal app is launched – meaning the attack could take place multiple times.
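A defender's check for the pattern described above, as an added example that is not from ESET or the original article: it lists the Accessibility services enabled on a device and flags any whose app was not installed by Google Play. The sample command output and the `com.example.batteryopt` package are constructed, and the two adb commands named in the comments are assumed to have been run separately.

```python
import re

TRUSTED_INSTALLERS = {"com.android.vending"}  # Google Play; assumption, adjust per fleet

# Constructed sample of: adb shell settings get secure enabled_accessibility_services
SAMPLE_SERVICES = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:"
    "com.example.batteryopt/.StatisticsService"
)
# Constructed sample of: adb shell pm list packages -i
SAMPLE_PACKAGES = """\
package:com.google.android.marvin.talkback  installer=com.android.vending
package:com.example.batteryopt  installer=null
package:com.example.notes  installer=com.android.vending
"""

def parse_enabled_services(raw):
    """Split the colon-separated setting into (package, service_class) pairs."""
    raw = raw.strip()
    if not raw or raw == "null":        # setting unset: no service enabled
        return []
    services = []
    for component in raw.split(":"):
        package, _, cls = component.partition("/")
        if cls.startswith("."):         # short class form is relative to the package
            cls = package + cls
        services.append((package, cls))
    return services

def parse_installers(raw):
    """Map package -> installer package (None when sideloaded or preinstalled)."""
    installers = {}
    for line in raw.splitlines():
        m = re.match(r"package:(\S+)\s+installer=(\S+)", line.strip())
        if m:
            installers[m.group(1)] = None if m.group(2) == "null" else m.group(2)
    return installers

def suspicious_services(services_raw, packages_raw, allowlist=frozenset()):
    """Enabled accessibility services whose app lacks a trusted installer."""
    installers = parse_installers(packages_raw)
    return [
        (pkg, cls, installers.get(pkg))
        for pkg, cls in parse_enabled_services(services_raw)
        if pkg not in allowlist and installers.get(pkg) not in TRUSTED_INSTALLERS
    ]

if __name__ == "__main__":
    for pkg, cls, installer in suspicious_services(SAMPLE_SERVICES, SAMPLE_PACKAGES):
        print(f"review: {cls} (installer={installer})")
```

Preinstalled system services also report no installer, so pass known-good packages in `allowlist` to keep them out of the findings.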


Beyond using the automated screen tap technique to steal from PayPal accounts, the malware has many other malicious capabilities.

Like all overlay malware, it can intercept, send or delete SMS messages, obtain the user’s contact list, and make or forward calls. In addition, the trojan is able to launch HTML-based overlay screens for targeted apps on the device – Google Play, WhatsApp, Skype, Viber and Gmail – that phish for credit card details.

Security experts for their part warned Android users to stay away from third-party apps and instead stick to Google Play.

“Although this malware is quite advanced, it can easily be avoided by sticking to official app stores like Google Play,” privacy advocate Paul Bischoff from said in an email. “This app is found on third-party app stores with lower barriers to entry. So-called ‘optimization’ and ‘cleaning’ apps are frequently used as fronts for malware because they require extensive permissions to access your device.”
