Bogus PayPal App used to spread a banking Trojan

Security experts at Trend Micro have uncovered a spam campaign spreading a bogus PayPal app to steal German users' banking credentials.

A spam campaign is targeting German Android users: the malicious emails impersonate PayPal and try to trick recipients into downloading a bogus update for the PayPal app that actually hides a banking Trojan.

"Mobile banking is now used by more and more users, so it shouldn't be a surprise to see banking Trojans trying to hit these users as well. We've seen spammed mails that pretend to be an update notification for an official PayPal app. These mails ask the user to click on a link to download the update; users in Germany appear to be the target of this spam run based on the language used." states a blog post published by Trend Micro.

As usual, the spam email mimics a legitimate one: it is written in good German and has a clean layout.

(Image: PayPal spam email)

The researchers at Trend Micro explain that the malicious app is not hosted on the official Google Play store, so it can only be installed on devices where the user has enabled installation of apps from unknown sources (that is, sources other than Google Play); anyone who has changed that default setting is potentially at risk.
When victims download and install the bogus app, the banking Trojan asks for device administrator privileges, which would let it perform a series of privileged actions on the device.

Even if the user refuses to grant device administrator privileges, the malicious app hides itself and keeps running in the background.

"Even if the user decides to not grant device administrator privileges, the malicious app will still disappear from the home screen and continue to run in the background. It is also removed from the launcher screen, making it almost impossible to interact with and/or remove." continues the post.

The bogus PayPal app is able to perform UI hijacking, a very insidious feature: it draws a fake screen on top of legitimate apps every time the user is asked to enter credentials, impersonating a number of them. The same feature is used to steal credentials when the user opens the legitimate PayPal app.

"Once the malware detects the real PayPal app is running, it will put up a fake UI on top of the real one, effectively hijacking the session and stealing the user's PayPal credentials," is explained in the post. "Aside from PayPal, the code also targets other banking apps like "Commerzbank", which is a famous bank in Germany."
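As an added illustration (not code from Trend Micro or the original article), the following Python script performs a static triage of a decoded AndroidManifest.xml and flags the capabilities the post describes: a device-administrator receiver, the overlay permission needed to draw a fake UI on top of the real app, a permission that lets the app detect which app is in the foreground, boot persistence, and a PayPal or Commerzbank name on a package that is not the official one. The sample manifest, the official package names and the escalation rule are assumptions constructed for this example, not indicators taken from the Trend Micro post.

```python
"""Static triage of a decoded AndroidManifest.xml for overlay/banking-Trojan indicators.

Hypothetical example code, not from Trend Micro or the article. The indicator list is a
general heuristic for this class of malware, not a signature for the sample in the post.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed sample: what a decoded manifest of such a bogus "PayPal" app might look like.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.paypal.update.install">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
    <uses-permission android:name="android.permission.GET_TASKS"/>
    <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
    <application android:label="PayPal">
        <activity android:name=".MainActivity">
            <intent-filter>
                <action android:name="android.intent.action.MAIN"/>
                <category android:name="android.intent.category.LAUNCHER"/>
            </intent-filter>
        </activity>
        <receiver android:name=".AdminReceiver"
            android:permission="android.permission.BIND_DEVICE_ADMIN">
            <intent-filter>
                <action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/>
            </intent-filter>
        </receiver>
        <service android:name=".OverlayService"/>
    </application>
</manifest>
"""

# Brands named in the post -> official package names (assumed for this example).
OFFICIAL_PACKAGES = {
    "paypal": {"com.paypal.android.p2pmobile"},
    "commerzbank": {"de.commerzbanking.mobil"},
}


def attr(elem, name):
    """Read an android:-namespaced attribute from an element."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def parse_manifest(xml_text):
    """Extract package name, label, requested permissions and device-admin registration."""
    root = ET.fromstring(xml_text)
    app = root.find("application")
    perms = {attr(p, "name") for p in root.findall("uses-permission")}
    device_admin = False
    if app is not None:
        for rcv in app.findall("receiver"):
            # A device-admin receiver is bound with BIND_DEVICE_ADMIN and/or
            # listens for DEVICE_ADMIN_ENABLED.
            if attr(rcv, "permission") == "android.permission.BIND_DEVICE_ADMIN":
                device_admin = True
            for act in rcv.iter("action"):
                if attr(act, "name") == "android.app.action.DEVICE_ADMIN_ENABLED":
                    device_admin = True
    return {
        "package": root.get("package") or "",
        "label": (attr(app, "label") if app is not None else "") or "",
        "permissions": perms,
        "device_admin": device_admin,
    }


def indicators(info):
    """Map parsed manifest facts to the behaviours described for overlay banking Trojans."""
    found = []
    if info["device_admin"]:
        found.append("device_admin")           # asks for device administrator rights
    if "android.permission.SYSTEM_ALERT_WINDOW" in info["permissions"]:
        found.append("overlay")                # can draw a fake UI over the real app
    if info["permissions"] & {"android.permission.GET_TASKS",
                              "android.permission.PACKAGE_USAGE_STATS"}:
        found.append("foreground_app_detection")  # can tell when the real app is running
    if "android.permission.RECEIVE_BOOT_COMPLETED" in info["permissions"]:
        found.append("boot_persistence")       # restarts in the background after reboot
    haystack = (info["package"] + " " + info["label"]).lower()
    for brand, official in OFFICIAL_PACKAGES.items():
        if brand in haystack and info["package"] not in official:
            found.append("impersonates_" + brand)
    return found


def triage(xml_text):
    """Return (indicator list, escalate?) for one decoded manifest."""
    found = indicators(parse_manifest(xml_text))
    # Escalation rule (an assumption for this example): overlay capability plus brand
    # impersonation plus a way to either detect the target app or resist removal.
    escalate = ("overlay" in found
                and any(f.startswith("impersonates_") for f in found)
                and ("foreground_app_detection" in found or "device_admin" in found))
    return found, escalate


if __name__ == "__main__":
    found, escalate = triage(SAMPLE_MANIFEST)
    print("indicators:", ", ".join(found))
    print("escalate:", escalate)
```

Run it on a manifest decoded with apktool (or any tool that produces a plain-XML manifest); a legitimate banking app will normally carry none of the device-admin and overlay indicators together with a brand name on a non-official package, which is why the rule asks for the combination rather than any single permission.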

The experts at Trend Micro have identified more than 200 malicious apps belonging to this malware family; the crooks have also disguised the malicious agent as Flash Player, games and adult apps.

Let me close by reporting the suggestions published by Trend Micro to avoid infection:

  • Never entertain any suspicious emails or spam, especially when they ask you to download something, open something or click something.
  • Always download apps from first-party sources or official app stores. By default, Android will not allow apps to be downloaded from any source other than the Google Play store; unless you know what you're doing, you should not change this setting.
  • Always check the permissions an app asks for before granting it. If it's too excessive, or if it places you in doubt, refuse.
  • Install a security solution on your mobile device in order to safeguard against malware such as this.