Skip to main content

Android trojan takes advantage of Accessibility to send $1,000 from PayPal even w/ 2FA turned on

Work is constantly underway to make Android a more secure ecosystem, but sometimes malicious third-parties still manage to find ways around it. This week, a new Android trojan is making the rounds which can steal money from a PayPal account, even with 2-factor authentication turned on.

As explained by WeLiveSecurity, this new piece of malware has some big consequences for victims. At the moment, Google Play is not a source for this trojan. Rather, a battery optimization app is being used which is being distributed via third-party app stores. After the app is launched, users will see it immediately close out. Later, the app can ask for Accessibility by asking the user to “enable statistics.” Notably, this is something that Google wasn’t going to allow for apps uploaded to the Play Store. The company later backtracked on that decision.

Once enabled, this service can then send a notification to the user which prompts them to open up the official PayPal application. Once the app is opened, the user signs in as usual, even going through any 2-factor authentication prompts. The moment the user has signed in, though, the Android trojan then takes advantage of the accessibility service to mimic the taps required to send money to a source. In this case, it immediately sends $1,000 to the attacker’s PayPal address.

That entire process takes roughly 5 seconds after the user has logged in and there’s no way to stop it. This process occurs each time the app is opened after that point and only fails the transaction if the user doesn’t have enough money in their PayPal balance and has no linked card/account with the required funds.

That’s pretty terrifying, but there are a few reasons you likely don’t need to worry about it. For one, this malware is only accessible if you’re downloading from outside of Google Play. If you stick there and leave unknown installations turned off, you should be safe from this.

Further, PayPal has been notified of this Android trojan and, most likely, the company will attempt to push an update that breaks it. An example of this in action can be seen in the video below.

A secondary way in which this trojan attempts to steal information from Android users beyond PayPal is by asking for payment information. Overlay screens can pop up for apps such as Google Play, Skype, WhatsApp, and others which request credit card details. Other overlay screens request Google account information in attempts to steal your password, and others ask for banking sign-in information. In these cases, even invalid inputs cause them to disappear, though.

In any situation, this trojan certainly has the capability to cause harm to an unsuspecting Android user if they’re not aware of the posed danger. If you’re infected, it’s crucial you uninstall the app and, to be safe, it’s probably not a bad idea to factory reset your device.

If you’ve not been affected (which you likely haven’t), do yourself a favor and just stick to only downloading apps via Google Play. Apps have been discovered there with similar functions, but they’re constantly being removed. Android is a safe platform, but only when you’re not deliberately putting yourself at risk.

More on Android:


Check out 9to5Google on YouTube for more news:

FTC: We use income earning auto affiliate links. More.

You’re reading 9to5Google — experts who break news about Google and its surrounding ecosystem, day after day. Be sure to check out our homepage for all the latest news, and follow 9to5Google on Twitter, Facebook, and LinkedIn to stay in the loop. Don’t know where to start? Check out our exclusive stories, reviews, how-tos, and subscribe to our YouTube channel