Android malware steals money from PayPal accounts while users watch helpless

Android trojan waits for users to enter PayPal credentials and two-factor security code before triggering money transfers.

Fake Android driving apps fool half a million Google Play users The illegitimate apps include luxury car and motocross simulations.

A new Android trojan hidden inside a battery optimization app can steal money from users' PayPal accounts, ESET has revealed today, even from those protected by two-factor authentication.

Fortunately, the malicious app, named Optimization Battery, is currently available through third-party app stores only, and not through the official Play Store, meaning very few people have had phones infected by this threat until now.

Also: US iOS users targeted by massive malvertising campaign

Despite this, this app should be considered incredibly dangerous. The reasons is that it features an automated system that initiates PayPal money transfers right from under the user's nose, without giving the victim a chance to stop the illicit transaction.

This happens because during installation, the app requests access to the Android "Accessibility" permission, a very dangerous feature that allows an app to automate screen taps and OS interactions.

But the strange thing is that once the malicious app gets access to this permission, it does not use it right away. The app and the contained trojan stay silent until the user opens the PayPal app, on his own, or following a misleading notification triggered by the trojan.

After the user opens the official PayPal app, the trojan waits some more. This time it waits for the user to log in, enter his two-factor authentication code, and then and only then, it starts it malicious behavior.

Theft of PayPal funds takes place in under five seconds

ESET, the cyber-security firm who discovered this trojan following a detection on one of its customers' devices, said the trojan abuses the Accessibility service to mimic screen taps.

These taps open a new PayPal transfer, enter the receiver's PayPal account, the sum to be transfered, and then quickly approve it.

Also: Senator blasts FTC for failing to crack down on Google's ad fraud problems

"The whole process takes about 5 seconds, and for an unsuspecting user, there is no feasible way to intervene in time," ESET malware analyst Lukas Stefanko said today.

By default, the trojan would attempt to steal 1,000 units of the user's PayPal account currency. In Stefanko's case, it was €1,000, quite the hefty sum.

Because of the way the trojan is coded, this automated transaction happens every time the user accesses their PayPal app. The only time it fails is when the user runs out of money or doesn't have any funds in his PayPal account.

The YouTube video embedded below shows how quickly the entire process takes place and how little the PayPal transaction confirmations stay on screen, looking like an app glitch. While some users might guess what just happened, many less technical users might not understand what all the flashing screens meant, and may be unaware for days or weeks that they've lost funds from their account.

Besides the PayPal theft functionality, Stefanko, who broke down this new trojan's features in a report published today, says the trojan can also:

  • Show overlays when starting other apps that trick the user into handing over his card details (Google Play, WhatsApp, Viber and Skype)
  • Show an overlay when starting the Gmail app that collects Google login credentials
  • Show login overlays to phish credentials for various mobile banking apps
  • Intercept and send SMS messages; delete all SMS messages; change the default SMS app (to bypass SMS-based two-factor authentication)
  • Obtain the contact list
  • Make and forward calls
  • Obtain the list of installed apps
  • Install app, run installed app
  • Start socket communication

Most of these features are made possible because the malicious app is granted accessto the Android Accessibility service.


Must read


This permission is how many Android malware strains operate nowadays, and this permission has been abused for years. Users should take great care before approving any app access to this highly dangerous service, especially one they've installed from an unofficial source.

Stefanko said ESET notified PayPal about this app and asked the company to block the malware author's PayPal account. PayPal users who think they might have been impacted by this app can request a transaction reversal via the PayPal's Resolution Center.

Related stories: