That PayPal Trojan story is stupid and a waste of everyone's time

Some of us woke up to what seemed like a serious security scare for a lot of Android users this morning.

First detected by ESET in November 2018, the malware combines the capabilities of a remotely controlled banking Trojan with a novel misuse of Android Accessibility services, to target users of the official PayPal app.

This story was accompanied by a scary video, which demonstrated this rogue app "watching" you log in to PayPal and then copying your process to log in. What makes this particularly scary looking is the way it appears to bypass 2-Factor Authentication and then sending money on your behalf. Without the user ever knowing, this app was logging in for you and sending your money away. Terrifying stuff, right? Well, there's a catch. Actually, there are several.

The first, as pointed out by the original team reporting this trojan (emphasis mine):

the malware is masquerading as a battery optimization tool, and is distributed via third-party app stores.

Ok, so this rogue battery optimization tool isn't available through Google Play at all. Check. Now, when the app is installed how does it do its thing? Does this app really operate in the background with the user none the wiser? Well, not exactly. Again, from the original team reporting on this (emphasis mine):

this request is presented to the user as being from the innocuous-sounding "Enable statistics" service.

That's right, you get a permission request when this rogue app is first run. And that "innocuous-sounding"' permission includes the words Observe your actions in the description in great big bold letters. Not exactly a red flashing warning, but like any permission you have to choose to enable it. If you don't, the app can't do anything.

So once this rogue battery app is installed from a third-party source and you blindly give it access to your phone by not reading your permissions, does it just lurk in the background waiting to strike? No. Once again, from the original team reporting on this (emphasis mine):

If the official PayPal app is installed on the compromised device, the malware displays a notification alert prompting the user to launch it.

You get a notification telling you to log in to PayPal from something that isn't PayPal, and you just do it? Really? That's not how any of this works.

So to recap, this Super Serious Android Trojan:

  • Was not in the Google Play Store, so you have to download from a random store and enable Unknown Sources to even install it.
  • Asks for a fairly unusual permission as soon as you open it.
  • Immediately gives you a notification asking you to log in to PayPal.

Individually, these are warning flags. Together, this is basically someone sending you a letter in the mail asking you to let them know when you won't be home so they can rob you.

This isn't a real security threat. At all. Though what is a real security threat is PayPal still relying on nothing but a text message delivery for Two-Factor Authentication. It's 2018, folks. Get a real token system.

Russell Holly

Russell is a Contributing Editor at Android Central. He's a former server admin who has been using Android since the HTC G1, and quite literally wrote the book on Android tablets. You can usually find him chasing the next tech trend, much to the pain of his wallet. Find him on Facebook and Twitter